Saturday, January 05, 2008

[NT] Novell ZENworks Endpoint Security Management Local Privilege Escalation Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Novell ZENworks Endpoint Security Management Local Privilege Escalation
Vulnerability
------------------------------------------------------------------------


SUMMARY

Novell ZENworks Endpoint Security Management (ESM) Security Client
<http://www.novell.com/products/zenworks/endpointsecuritymanagement/>
provides "centrally managed, policy based firewall protection for clients.
It is designed to be installed on all workstations within the enterprise".
Local exploitation of a privilege escalation vulnerability in Novell
ZENworks Endpoint Security Management allows attackers to execute
arbitrary code with SYSTEM privileges.

DETAILS

Vulnerable Systems:
* Novell Inc's ZENworks Endpoint Security Management version 3.5 which
includes STEngine.exe version 3.5.0.20

Immune Systems:
* Novell Inc's ZENworks Endpoint Security Management version 3.5 which
includes STEngine.exe version 3.5.0.82

When the ZENworks ESM Security Client is installed on a workstation, the
STEngine service is set to run under the local SYSTEM account. This
service is implemented within the following executable.

File Name: STEngine.exe (1,847,296 bytes)
Version: 3.5.0.20
MD5: B5402A1EC8D04130304EBA89AF843916

The service provides functionality for any user to generate a diagnostic
report in order to aid in product troubleshooting. During report
generation, STEngine attempts to execute various scripts by spawning
command shells to gather system information. These scripts are dynamically
generated in a directory which all users may write to.

STEngine will also attempt to locate a command shell in this directory and
execute it if it is found. If a malicious local user places a binary named
"cmd.exe" in this directory, STEngine will execute it with SYSTEM level
privileges.
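
A detection sketch for the behaviour described above, added here as an example and not part of the original advisory or of any iDefense or Novell code: it scans process-creation records for a command shell that STEngine.exe started as SYSTEM from anywhere other than the Windows system directories. The event field names follow Sysmon Event ID 1, the trusted directories assume SystemRoot is C:\Windows, and every path and sample event below is constructed.

```python
import ntpath

# Assumption: SystemRoot is C:\Windows; adjust for other installs.
TRUSTED_SHELL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SHELL_NAMES = {"cmd.exe"}
SYSTEM_USER = r"nt authority\system"


def is_planted_shell(event):
    """True if a SYSTEM process is a command shell loaded from an untrusted directory."""
    # normpath collapses ".." so a path that merely starts with System32 is not trusted.
    image = ntpath.normpath(event["Image"]).lower()
    directory, name = ntpath.split(image)
    return (
        event["User"].lower() == SYSTEM_USER
        and name in SHELL_NAMES
        and directory not in TRUSTED_SHELL_DIRS
    )


def find_planted_shells(events, parent_name="stengine.exe"):
    """Return events where the named service spawned a shell from an untrusted path."""
    return [
        ev for ev in events
        if ntpath.basename(ev["ParentImage"]).lower() == parent_name
        and is_planted_shell(ev)
    ]


# Constructed sample events (Sysmon Event ID 1 style fields); all paths are placeholders.
SVC = r"C:\ExampleInstallDir\STEngine.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    {"ParentImage": SVC, "Image": r"C:\Windows\System32\cmd.exe", "User": SYSTEM},
    {"ParentImage": SVC, "Image": r"C:\ExampleReportDir\cmd.exe", "User": SYSTEM},
    {"ParentImage": SVC, "Image": r"C:\Windows\System32\..\Temp\CMD.EXE", "User": SYSTEM},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\ExampleReportDir\cmd.exe",
     "User": r"EXAMPLEPC\alice"},
]

if __name__ == "__main__":
    for hit in find_planted_shells(SAMPLE_EVENTS):
        print("ALERT: SYSTEM shell from untrusted path:", hit["Image"])
```

The legitimate System32 shell and the unprivileged user's own process are not flagged; the two SYSTEM shells resolved outside the system directories are.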

Analysis:
Exploitation allows unprivileged local users to take complete control of
the affected system.

Exploitation is trivial and does not require any special tools or coding
ability. If an attacker desires an interactive command prompt, a small
wrapper application will be required in order to ensure that the command
window is visible after execution.

Vendor response:
Novell has addressed this vulnerability by releasing version 3.5.0.82 of
Endpoint Security Management. To download this new version, visit the
following URL.
<http://download.novell.com/Download?buildid=5Y6xbs-OKLE~>


CVE Information:
CVE-2007-5665
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5665>

Disclosure Timeline:
09/24/2007 - Initial vendor notification
09/25/2007 - Initial vendor response
12/24/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs
<mailto:labs-no-reply@idefense.com>.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=635>

