Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Novell NetWare Client Local Privilege Escalation Vulnerability

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Novell NetWare Client Local Privilege Escalation Vulnerability
Date: 14 Nov 2007 19:35:34 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Novell NetWare Client Local Privilege Escalation Vulnerability
------------------------------------------------------------------------


SUMMARY

The Novell Client software provides "a workstation with access to Novell 
NetWare networks as well as Novell Open Enterprise Server (OES) services. 
Novell Clients can access the full range of Novell services such as 
authentication via Novell eDirectory, network browsing and service 
resolution, and secure and reliable file system access". Local 
exploitation of an input validation error vulnerability within Novell 
NetWare Client could allow an unprivileged attacker to execute arbitrary 
code within the kernel.

DETAILS

Vulnerable Systems:
 * nwfilter.sys file version 4.91.1.1, as included with Novell's NetWare 
Client 4.91 SP4

Immune Systems:
 *

When the Novell NetWare Client is installed on a Windows based operating 
system, the driver nwfilter.sys will be loaded at system startup. This 
driver allows any user to open the device "\.\nwfilter" and issue IOCTLs 
with a buffering mode of METHOD_NEITHER.

The problem specifically exists because the driver allows untrusted user 
mode code to pass kernel addresses as arguments to the driver. With 
specially constructed input, a malicious user can use functionality within 
the driver to patch kernel addresses and execute arbitrary code within 
kernel mode.

Analysis:
Exploitation of this vulnerability allows an unprivileged local user to 
patch and execute arbitrary code within the kernel. In order to exploit 
the vulnerability, an attacker needs to be able to log in to the target 
machine and execute a specially crafted executable.

Vendor response:
Novell has addressed this vulnerability by releasing patches that remove 
the "nwfilter.sys" driver. For more information, consult Novell's advisory 
at the following URL:  
<https://secure-support.novell.com/KanisaPlatform/Publishing/98/3260263_f.SAL_Public.html>
 
https://secure-support.novell.com/KanisaPlatform/Publishing/98/3260263_f.SAL_Public.html

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5667> 
CVE-2007-5667

Disclosure Timeline:
09/25/2007 - Initial vendor notification
09/25/2007 - Initial vendor response
11/12/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:  
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=626> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=626



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Novell NetWare Client Local Privilege Escalation Vulnerability, SecuriTeam <=
Previous by Date:  [REVS] Cryptanalysis of the Random Number Generator of the Windows Operating System, SecuriTeam
Next by Date:  [NT] WinPcap NPF.SYS bpf_filter_init Arbitrary Array Indexing Vulnerability, SecuriTeam
Previous by Thread:  [REVS] Cryptanalysis of the Random Number Generator of the Windows Operating System, SecuriTeam
Next by Thread:  [NT] WinPcap NPF.SYS bpf_filter_init Arbitrary Array Indexing Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]