[40494] in bugtraq


Re: [ISR] - Novell GroupWise Client Integer Overflow

daemon@ATHENA.MIT.EDU (Crist J. Clark)
Tue Sep 27 17:50:08 2005

Date: Tue, 27 Sep 2005 12:51:42 -0700
From: "Crist J. Clark" <cristjc@comcast.net>
To: Francisco Amato <famato@infobyte.com.ar>
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20050927195141.GB42761@goku.cjclark.org>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050927135757.22865.qmail@microvac.ferengi.com.ar>

On Tue, Sep 27, 2005 at 10:57:57AM -0300, Francisco Amato wrote:
[snip]

> .:: DESCRIPTION 
> 
> This issue is due to a failure of the application to securely parse the
> saved port number of the last authentication store in windows register. 
> 
> To reproduce this, we have to modify the default register key of
> HKEY_CURRENT_USER\Software\Novell\GroupWise\Login Parameters\TCP/IP Port 

This is obviously a bug, but why is this a security vulnerability?
Does the GroupWise client run with elevated privileges?
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
