- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Novell NetWare Client Local Privilege Escalation Vulnerability
------------------------------------------------------------------------
SUMMARY
The Novell Client software provides "a workstation with access to Novell
NetWare networks as well as Novell Open Enterprise Server (OES) services.
Novell Clients can access the full range of Novell services such as
authentication via Novell eDirectory, network browsing and service
resolution, and secure and reliable file system access". Local
exploitation of an input validation error vulnerability within Novell
NetWare Client could allow an unprivileged attacker to execute arbitrary
code within the kernel.
DETAILS
Vulnerable Systems:
* nwfilter.sys file version 4.91.1.1, as included with Novell's NetWare
Client 4.91 SP4
Immune Systems:
*
When the Novell NetWare Client is installed on a Windows based operating
system, the driver nwfilter.sys will be loaded at system startup. This
driver allows any user to open the device "\.\nwfilter" and issue IOCTLs
with a buffering mode of METHOD_NEITHER.
The problem specifically exists because the driver allows untrusted user
mode code to pass kernel addresses as arguments to the driver. With
specially constructed input, a malicious user can use functionality within
the driver to patch kernel addresses and execute arbitrary code within
kernel mode.
Analysis:
Exploitation of this vulnerability allows an unprivileged local user to
patch and execute arbitrary code within the kernel. In order to exploit
the vulnerability, an attacker needs to be able to log in to the target
machine and execute a specially crafted executable.
Vendor response:
Novell has addressed this vulnerability by releasing patches that remove
the "nwfilter.sys" driver. For more information, consult Novell's advisory
at the following URL:
<https://secure-support.novell.com/KanisaPlatform/Publishing/98/3260263_f.SAL_Public.html> https://secure-support.novell.com/KanisaPlatform/Publishing/98/3260263_f.SAL_Public.html
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5667>
CVE-2007-5667
Disclosure Timeline:
09/25/2007 - Initial vendor notification
09/25/2007 - Initial vendor response
11/12/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=626>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=626
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment