The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Novell Client: privilege elevation via NWFILTER.SYS

Synthesis of the vulnerability 

A local attacker can execute code in the kernel via a vulnerability of NWFILTER.SYS.
Vulnerable systems: Novell Client.
Severity of this threat: 2/4.
Creation date: 13/11/2007.
Revision date: 14/11/2007.
Références of this weakness: 3260263, BID-26420, CVE-2007-5667, VIGILANCE-VUL-7340.

Description of the vulnerability 

The %systemroot%\System32\netware\NWFILTER.SYS driver filters queries for network resources (UNC Path Filter) in order to not create redundant connections.

This driver creates the "\.\nwfilter" named pipe. However, all users can open it and send IOCTLs. These IOCTLs do not check if received addresses are user space addresses. An attacker can therefore provide a kernel address in order to force the driver to write to this address, and thus to corrupt memory.

A local attacker can therefore elevate his privileges.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This security bulletin impacts software or systems such as Novell Client.

Our Vigil@nce team determined that the severity of this cybersecurity announce is medium.

The trust level is of type confirmed by the editor, with an origin of user shell.

An attacker with a expert ability can exploit this vulnerability alert.

Solutions for this threat 

Novell Client: patch for NWFILTER.SYS.
A patch is available:
  Novell Client 4.91 SP4:
  Novell Client 4.91 SP3:
  Novell Client 4.91, 4.91 SP1, 4.91 SP1a and 4.91 SP2:

Novell Client: version Vista SP1.
Version Vista SP1 is corrected:

Novell Client: version XP/2003 4.91 SP5.
Version 4.91 SP5 is corrected:
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides an applications vulnerabilities bulletin. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.