
computer weakness note CVE-2007-5667

Novell Client: privilege elevation via NWFILTER.SYS

Synthesis of the vulnerability

A local attacker can execute code in the kernel via a vulnerability in NWFILTER.SYS.
Severity of this threat: 2/4.
Creation date: 13/11/2007.
Revision date: 14/11/2007.
References of this weakness: 3260263, BID-26420, CVE-2007-5667, VIGILANCE-VUL-7340.

Description of the vulnerability

The %systemroot%\System32\netware\NWFILTER.SYS driver filters queries for network resources (UNC Path Filter) to avoid creating redundant connections.

This driver creates the "\\.\nwfilter" named pipe. However, all users can open it and send IOCTLs. These IOCTLs do not check whether the addresses they receive are user space addresses. An attacker can therefore provide a kernel address to force the driver to write to this address, and thus corrupt memory.

A local attacker can therefore elevate his privileges.
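
The check the description says the IOCTLs lacked, as an added example (not Novell's code or the patch): a user-space C model of validating a caller-supplied address range before a driver writes to it. The request layout, the function names and the 0x7FFF0000 boundary (32-bit x86 Windows with the default 2 GB split) are assumptions; in a real driver the WDK routine ProbeForWrite performs this kind of check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit x86 Windows with the default 2 GB split, where
   user-mode buffers must end at or below 0x7FFF0000. */
#define USER_PROBE_LIMIT 0x7FFF0000u

/* Hypothetical request layout: the caller says where the result goes. */
struct ioctl_req {
    uint32_t out_addr;  /* caller-controlled destination address */
    uint32_t out_len;   /* caller-controlled length in bytes */
};

/* True only if [addr, addr + len) lies entirely in user space. */
bool user_range_ok(uint32_t addr, uint32_t len)
{
    if (len == 0)
        return false;                 /* nothing to write: reject */
    if (addr > UINT32_MAX - len)
        return false;                 /* addr + len would wrap around */
    return addr + len <= USER_PROBE_LIMIT;
}

/* Hardened dispatch: validate before the destination is ever used.
   Returns 0 when the write may proceed, -1 when the request is refused. */
int handle_ioctl_checked(const struct ioctl_req *r)
{
    if (r == NULL || !user_range_ok(r->out_addr, r->out_len))
        return -1;
    /* A real driver would copy the result here, inside an exception
       handler, because a valid user address can still be unmapped. */
    return 0;
}

int main(void)
{
    /* Constructed sample requests, not taken from the driver. */
    struct ioctl_req samples[] = {
        { 0x00401000u, 16 },          /* ordinary user buffer */
        { 0x7FFEFFF8u, 16 },          /* straddles the boundary */
        { 0x80501000u, 4 },           /* kernel-range address */
        { 0xFFFFFFFCu, 8 },           /* wraps past 4 GB */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%08x +%u -> %s\n", (unsigned)samples[i].out_addr,
               (unsigned)samples[i].out_len,
               handle_ioctl_checked(&samples[i]) ? "refused" : "allowed");
    return 0;
}
```

Only the first constructed request is allowed; the other three are refused before any write would take place.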

This security bulletin impacts software or systems such as Novell Client.

Our Vigil@nce team determined that the severity of this cybersecurity announcement is medium.

The trust level is "confirmed by the vendor", with an origin of user shell.

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat

Novell Client: patch for NWFILTER.SYS.
A patch is available:
  Novell Client 4.91 SP4:
    http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5006982.html
  Novell Client 4.91 SP3:
    http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5006862.html
  Novell Client 4.91, 4.91 SP1, 4.91 SP1a and 4.91 SP2:
    http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5006983.html

Novell Client: version Vista SP1.
Version Vista SP1 is corrected:
  http://download.novell.com/Download?buildid=hJolpJeVDqU~

Novell Client: version XP/2003 4.91 SP5.
Version 4.91 SP5 is corrected:
  http://download.novell.com/Download?buildid=qmMAWSRy5q4~