Novell NetMail IMAPD Command Continuation Request Heap Overflow

Remote exploitation of a heap overflow vulnerability in Novell Inc.'s NetMail IMAP daemon allows unauthenticated attackers to execute arbitrary code with the privileges of the underlying user.

The problem specifically exists in the handling of command continuation requests as the user-specified size value is used directly as the argument to a custom memory allocation wrapper (MMalloc()):

    ; ebx is attacker controlled
    00402CA2 lea ecx, [ebx+1]
    00402CA5 push ecx
    00402CA6 call MMmalloc
The MMalloc() routine performs minimal mathematical operations to the supplied value before allocating memory. An attacker can specify a malicious number that will result in an integer overflow and cause a small memory chunk to be allocated. The original and larger supplied value will be later used in an inline memcpy():
    ; destination is attacker allocated
    00402D6E rep movsd
    00402D70 mov ecx, edx
    00402D72 and ecx, 3
    00402D75 rep movsb
This instruction sequence will copy attacker-supplied data beyond the brims of the allocated heap chunk and arbitrarily overwrite the heap. Too large a payload will cause an access violation as it writes off the end of the heap. If the supplied data is large enough, it will corrupt the heap and eventually result in a classic arbitrary DWORD overwrite in NTDLL during subsequent heap manipulation:
    77FCC2C0 mov [ecx], eax
    77FCC2C2 mov [eax+4], ecx
By overwriting the address of a soon to be called function, the attacker can redirect CPU flow and eventually execute arbitrary code.

Successful exploitation of the described vulnerability allows unauthenticated remote attackers to execute arbitrary code with the privileges of the underlying user, normally NetMailService.

iDEFENSE Advisory