FW: Updated Version & Exploit - Privilege escalation in Nortel Contivity VPN Client V05_01.030

2005-08-12T00:00:00
ID SECURITYVULNS:DOC:9456
Type securityvulns
Reporter Securityvulns
Modified 2005-08-12T00:00:00

Description

Updated to add additional version & exploit details. Reps to Crime Dog

Vulnerable Versions: Nortel Contivity VPN Client V05_01.100

Patches/Workarounds: Good question

Exploit:

  1. With the Contivity client open click go into "Group Authentication Options"

  2. Select "Challenge Response Token" options.

  3. Click on the "Software Token Directory" browse button.

  4. Change Files of type: to All Files, navigate to the system32 directory and locate cmd.exe. Right click cmd.exe and choose Open.

The result is a command prompt running under the context of the LocalSystem account.

Discovered by Crime Dog thecrimedog[at]sbcglobal[dot]net