
Novell Client for Windows 7,8 #0day

By: a guest on May 22nd, 2013  |  syntax: None  |  size: 2.53 KB  |  views: 2,286  |  expires: Never
1. Description:

The nicm.sys kernel driver distributed with Novell Client for Windows 7,8 contains
an execution-hijack vulnerability in the handling of IOCTL 0x143B6B.
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker would need local access to a vulnerable computer to exploit
this vulnerability.

Affected application: Novell Client 2 SP3 for Windows 7,8 (up to date).
Affected file: nicm.sys version 3.1.11.0.

2. Vulnerability details:

The function at 0x0001205C is responsible for dispatching IOCTL codes:

.text:0001205C ioctl_handler   proc near               ; DATA XREF: sub_17006+8Bo
.text:0001205C
.text:0001205C var_40          = dword ptr -40h
.text:0001205C var_3C          = dword ptr -3Ch
.text:0001205C var_38          = dword ptr -38h
.text:0001205C var_34          = dword ptr -34h
.text:0001205C var_30          = dword ptr -30h
.text:0001205C var_2C          = dword ptr -2Ch
.text:0001205C var_28          = dword ptr -28h
.text:0001205C MemoryDescriptorList= dword ptr -24h
.text:0001205C BaseAddress     = dword ptr -20h
.text:0001205C var_19          = byte ptr -19h
.text:0001205C ms_exc          = CPPEH_RECORD ptr -18h
.text:0001205C arg_4           = dword ptr  0Ch
.text:0001205C
.text:0001205C ; FUNCTION CHUNK AT .text:000121EB SIZE 000001C2 BYTES
.text:0001205C
.text:0001205C                 push    30h
.text:0001205E                 push    offset stru_142E8
.text:00012063                 call    __SEH_prolog4
.text:00012068                 xor     ebx, ebx
.text:0001206A                 call    ds:KeEnterCriticalRegion
.text:00012070                 mov     edi, [ebp+arg_4]
.text:00012073                 push    edi
.text:00012074                 call    sub_11F38
.text:00012079                 mov     [ebp+var_19], al
.text:0001207C                 mov     esi, [edi+60h]
.text:0001207F                 mov     [ebp+var_28], esi
.text:00012082                 mov     eax, [esi+0Ch]
.text:00012085                 sub     eax, 143B63h
.text:0001208A                 jz      loc_122B0

[..]

.text:000121A3                 mov     ecx, eax        ; ecx is input buffer
.text:000121A5                 mov     eax, [ecx]      ; get first DWORD from input buffer
.text:000121A7                 mov     edx, [eax]      ; dereference of value in first DWORD of input buffer
.text:000121A9                 push    ecx
.text:000121AA                 push    eax
.text:000121AB                 call    dword ptr [edx+0Ch] ; execution hijack!
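Decoding the control code from the advisory into its CTL_CODE fields, as an added example that is not part of the original paste: it shows why the dispatcher above ends up holding a raw caller pointer in ecx. The value 0x143B63 subtracted by the dispatcher is taken from the listing; treating it as the base of the handled range is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Field layout of a Windows I/O control code as produced by the DDK macro
 * CTL_CODE(DeviceType, Function, Method, Access):
 *   bits 31..16 DeviceType, 15..14 Access, 13..2 Function, 1..0 Method */
#define METHOD_BUFFERED   0
#define METHOD_IN_DIRECT  1
#define METHOD_OUT_DIRECT 2
#define METHOD_NEITHER    3

struct ioctl_info { unsigned device_type, access, function, method; };

struct ioctl_info decode_ioctl(uint32_t code)
{
    struct ioctl_info i;
    i.device_type = (code >> 16) & 0xFFFF;  /* 0x14: FILE_DEVICE_NETWORK_FILE_SYSTEM */
    i.access      = (code >> 14) & 0x3;     /* 0: FILE_ANY_ACCESS */
    i.function    = (code >> 2)  & 0xFFF;
    i.method      = code & 0x3;
    return i;
}

const char *method_name(unsigned method)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3];
}

/* With METHOD_NEITHER the I/O manager neither copies nor probes the caller's
 * buffers: the driver gets the user-mode pointer (Type3InputBuffer) as-is and
 * must check InputBufferLength, ProbeForRead the buffer under __try, and never
 * follow a pointer embedded in the request, which is exactly what the listing
 * does at 0x000121A7 before calling through it. */
int ioctl_takes_raw_user_pointers(uint32_t code)
{
    return decode_ioctl(code).method == METHOD_NEITHER;
}

/* The dispatcher subtracts 0x143B63 from the code and branches on the result;
 * the difference divided by 4 is the offset in the Function field (assumed base). */
unsigned dispatch_index(uint32_t code, uint32_t base)
{
    return (code - base) >> 2;
}

int main(void)
{
    const uint32_t vuln_ioctl = 0x143B6B;   /* code named in the advisory */
    struct ioctl_info i = decode_ioctl(vuln_ioctl);
    printf("0x%06X: device 0x%X function 0x%X access %u method %s\n",
           vuln_ioctl, i.device_type, i.function, i.access, method_name(i.method));
    return 0;
}
```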