Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=626
Vulnerable Systems:
* nwfilter.sys file version 4.91.1.1, as included with Novell's NetWare Client 4.91 SP4
Immune Systems:
*
When the Novell NetWare Client is installed on a Windows-based operating system, the driver nwfilter.sys is loaded at system startup. This driver allows any user to open the device "\\.\nwfilter" and issue IOCTLs with a buffering mode of METHOD_NEITHER.
The problem specifically exists because the driver allows untrusted user mode code to pass kernel addresses as arguments to the driver. With specially constructed input, a malicious user can use functionality within the driver to patch kernel addresses and execute arbitrary code within kernel mode.
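The check missing from this class of bug, as an added example that is not part of the original advisory or Novell's code: it decodes the buffering method from an IOCTL code and applies the address-range test a METHOD_NEITHER handler has to perform on caller-supplied pointers. The IOCTL codes, sample addresses and the 32-bit user-mode limit are constructed assumptions, not values from nwfilter.sys.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0] */
#define IOCTL_METHOD(code) ((code) & 0x3u)
#define METHOD_NEITHER_VAL 3u /* I/O manager hands the driver raw caller pointers */

/* Assumption for illustration: 32-bit Windows, default 2 GB user address space. */
#define USER_PROBE_LIMIT 0x7FFF0000u

/* 1 if the IOCTL uses METHOD_NEITHER, so the handler must validate pointers itself. */
int ioctl_needs_review(uint32_t code) {
    return IOCTL_METHOD(code) == METHOD_NEITHER_VAL;
}

/* Range test a handler must pass before touching a caller-supplied buffer:
 * [addr, addr+len) must not wrap and must end at or below the user-mode limit.
 * A real driver does this with ProbeForRead/ProbeForWrite inside __try/__except. */
int user_range_ok(uint32_t addr, uint32_t len) {
    uint32_t end = addr + len;
    if (len == 0) return 1;          /* nothing will be dereferenced */
    if (end < addr) return 0;        /* address arithmetic wrapped */
    return end <= USER_PROBE_LIMIT;  /* reject anything reaching kernel space */
}

int main(void) {
    /* Constructed sample values, not taken from nwfilter.sys. */
    const uint32_t codes[] = { 0x222003u, 0x222000u };
    const struct { uint32_t addr, len; } bufs[] = {
        { 0x00400000u, 0x100u },  /* ordinary user buffer */
        { 0x80501000u, 4u },      /* kernel-range address */
        { 0xFFFFFFF0u, 0x20u },   /* wraps past 4 GB */
    };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("ioctl 0x%08X: %s\n", (unsigned)codes[i],
               ioctl_needs_review(codes[i]) ? "METHOD_NEITHER, review handler"
                                            : "buffers managed by I/O manager");
    for (size_t i = 0; i < sizeof bufs / sizeof bufs[0]; i++)
        printf("buffer 0x%08X len 0x%X: %s\n", (unsigned)bufs[i].addr,
               (unsigned)bufs[i].len,
               user_range_ok(bufs[i].addr, bufs[i].len) ? "accept" : "reject");
    return 0;
}
```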
Analysis:
Exploitation of this vulnerability allows an unprivileged local user to patch and execute arbitrary code within the kernel. In order to exploit the vulnerability, an attacker needs to be able to log in to the target machine and execute a specially crafted executable.
Vendor response:
Novell has addressed this vulnerability by releasing patches that remove the "nwfilter.sys" driver. For more information, consult Novell's advisory at the following URL: https://secure-support.novell.com/KanisaPlatform/Publishing/98/3260263_f.SAL_Public.html
CVE Information:
CVE-2007-5667
Disclosure Timeline:
09/25/2007 - Initial vendor notification
09/25/2007 - Initial vendor response
11/12/2007 - Coordinated public disclosure