Lucene search
This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.NOVELL_NICM_PRIV_ESCALATION.NASLHistoryJan 10, 2008 - 12:00 a.m.
Novell Client nicm.sys Local Privilege Escalation
2008-01-1000:00:00
This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
www.tenable.com
31
The file โNICM.SYSโ included with the Novell Client software and installed on the remote host reportedly allows local users to open the device โ\.\nicmโ and execute arbitrary code in kernel mode using specially-constructed input.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(29898);
script_version("1.18");
script_cvs_date("Date: 2018/11/15 20:50:27");
script_cve_id("CVE-2007-5762");
script_bugtraq_id(27209);
script_xref(name:"EDB-ID", value:"18914");
script_name(english:"Novell Client nicm.sys Local Privilege Escalation");
script_summary(english:"Checks file version of nicm.sys");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a driver that is affected by a local
privilege escalation vulnerability.");
script_set_attribute(attribute:"description", value:
"The file 'NICM.SYS' included with the Novell Client software and
installed on the remote host reportedly allows local users to open the
device '\\.\nicm' and execute arbitrary code in kernel mode using
specially-constructed input.");
# http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=637
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?338eb9b5");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Jan/108" );
script_set_attribute(attribute:"see_also", value:"http://download.novell.com/Download?buildid=4FmI89wOmg4~" );
script_set_attribute(attribute:"solution", value:
"Install the 491psp3_4_nicm.zip patch referenced in the vendor advisory
above.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(20);
script_set_attribute(attribute:"patch_publication_date", value:"2008/01/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("audit.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
if (!get_kb_item("SMB/Registry/Enumerated")) exit(1, "KB 'SMB/Registry/Enumerated' not set to TRUE.");
# Unless we're being paranoid, check whether the software's installed.
if (report_paranoia < 2)
{
subkey = "Novell Client for Windows";
key = string("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/", subkey, "/DisplayName");
get_kb_item_or_exit(key);
}
# Connect to the appropriate share.
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
# Check the version of nicm.sys.
winroot = hotfix_get_systemroot();
if (!winroot) exit(1);
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:winroot);
sys = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\drivers\nicm.sys", string:winroot);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
audit(AUDIT_SHARE_FAIL,share);
}
fh = CreateFile(
file:sys,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
info = "";
if (!isnull(fh))
{
ver = GetFileVersion(handle:fh);
CloseFile(handle:fh);
# nb: for older versions, the file version may be null.
if (isnull(ver)) info = " " + winroot + "\System32\drivers\nicm.sys (unknown file version" + ')\n';
else
{
fix = split("3.0.0.5", sep:'.', keep:FALSE);
for (i=0; i<max_index(fix); i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(ver); i++)
if ((ver[i] < fix[i]))
{
version = string(ver[0], ".", ver[1], ".", ver[2], ".", ver[3]);
info += " " + winroot + "\System32\drivers\nicm.sys (file version=" + version + ')\n';
break;
}
else if (ver[i] > fix[i])
break;
}
}
NetUseDel();
# Issue a report if a vulnerable file was found.
if (info)
{
if (report_verbosity)
{
report = string(
"The following file is affected :\n",
"\n",
info
);
security_hole(port:port, extra:report);
}
else security_hole(port);
}
Related
exploitpack
exploitpack
Novell Client 4.91 SP4 - Local Privilege Escalation
2012-05-22 00:00:00
cve
cve
CVE-2007-5762
2008-01-09 22:46:00
seebug
seebug
Novell Client 4.91 SP4 - Privilege Escalation Exploit
2014-07-01 00:00:00
Novell Client for Windowsๅฃไปค้็ฝฎๆฌๅฐๆ ๆบขๅบๆผๆด
2008-05-12 00:00:00
Novell Client for Windows nicm.sys้ฉฑๅจๆฌๅฐๆ้ๆๅๆผๆด
2008-01-11 00:00:00
cvelist
cvelist
CVE-2007-5762
2008-01-09 22:00:00
packetstorm
packetstorm
Novell Client 4.91 SP3/4 Privilege Escalation
2012-05-23 00:00:00
prion
prion
Code injection
2008-01-09 22:46:00
securityvulns
securityvulns
exploitdb
exploitdb
Novell Client 4.91 SP4 - Local Privilege Escalation
2012-05-22 00:00:00
Related for NOVELL_NICM_PRIV_ESCALATION.NASL