1. Description:
The nicm.sys kernel driver distributed with Novell Client for Windows 7 and 8 contains
an execution-hijack vulnerability in the handling of IOCTL 0x143B6B.
Exploitation of this issue allows an attacker to execute arbitrary code
in kernel mode.
An attacker needs local access to a vulnerable computer to exploit
this vulnerability.
Affected application: Novell Client 2 SP3 for Windows 7 and 8 (up to date).
Affected file: nicm.sys version 3.1.11.0.
2. Vulnerability details:
The function at 0x0001205C dispatches the IOCTL codes. It loads the current
IO_STACK_LOCATION from the IRP ([edi+60h]) and compares the request's IoControlCode
([esi+0Ch]) against the supported values; the 0x143B6B path ends in an indirect call
through a pointer chain that starts in the user-supplied input buffer:
.text:0001205C ioctl_handler proc near ; DATA XREF: sub_17006+8Bo
.text:0001205C
.text:0001205C var_40 = dword ptr -40h
.text:0001205C var_3C = dword ptr -3Ch
.text:0001205C var_38 = dword ptr -38h
.text:0001205C var_34 = dword ptr -34h
.text:0001205C var_30 = dword ptr -30h
.text:0001205C var_2C = dword ptr -2Ch
.text:0001205C var_28 = dword ptr -28h
.text:0001205C MemoryDescriptorList= dword ptr -24h
.text:0001205C BaseAddress = dword ptr -20h
.text:0001205C var_19 = byte ptr -19h
.text:0001205C ms_exc = CPPEH_RECORD ptr -18h
.text:0001205C arg_4 = dword ptr 0Ch
.text:0001205C
.text:0001205C ; FUNCTION CHUNK AT .text:000121EB SIZE 000001C2 BYTES
.text:0001205C
.text:0001205C push 30h
.text:0001205E push offset stru_142E8
.text:00012063 call __SEH_prolog4
.text:00012068 xor ebx, ebx
.text:0001206A call ds:KeEnterCriticalRegion
.text:00012070 mov edi, [ebp+arg_4] ; edi = IRP
.text:00012073 push edi
.text:00012074 call sub_11F38
.text:00012079 mov [ebp+var_19], al
.text:0001207C mov esi, [edi+60h] ; esi = current IO_STACK_LOCATION
.text:0001207F mov [ebp+var_28], esi
.text:00012082 mov eax, [esi+0Ch] ; eax = IoControlCode
.text:00012085 sub eax, 143B63h
.text:0001208A jz loc_122B0
[..]
.text:000121A3 mov ecx, eax ; ecx is input buffer
.text:000121A5 mov eax, [ecx] ; get first DWORD from input buffer
.text:000121A7 mov edx, [eax] ; dereference of value in first DWORD of input buffer
.text:000121A9 push ecx ; arg 2: input buffer
.text:000121AA push eax ; arg 1: attacker-chosen "object" pointer
.text:000121AB call dword ptr [edx+0Ch] ; execution hijack!
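The last three instructions are a vtable-style call: the first DWORD of the input buffer is treated as a pointer to an object, the object's first field as a pointer to a table, and slot 0xC of that table as a function to call with the object and the input buffer as arguments. Because nothing checks that the pointer came from kernel-owned memory, a local user can point the driver at a fake object in their own process and get the function pointer they choose executed. The following C model is an added example and is not code from the advisory or from the driver: it reproduces the three-instruction pattern in user mode (pointer-sized fields, so it also runs on 64-bit hosts) and puts beside it a hardened dispatcher that takes an index into a table of kernel-owned objects instead of a raw pointer. The struct layouts, the STATUS codes and the "index" design are assumptions for illustration; only the offset-0xC slot and the argument order come from the disassembly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STATUS_SUCCESS            0
#define STATUS_INVALID_PARAMETER -1

/* Table whose slot at offset 0xC (x86) is called by the driver. The first
 * three slots are unknown from the disassembly and are placeholders here. */
typedef struct vtable {
    void *slot0, *slot1, *slot2;
    int (*slot3)(void *self, void *input_buffer);   /* call [edx+0Ch] */
} vtable_t;

/* Object whose first field is the table pointer (mov edx, [eax]). */
typedef struct object {
    const vtable_t *vtbl;
} object_t;

/* --- vulnerable pattern: mirrors .text:000121A3..000121AB ---------------- */
int vuln_dispatch(void *input_buffer)
{
    object_t *obj = *(object_t **)input_buffer;   /* mov eax, [ecx] */
    const vtable_t *vt = obj->vtbl;               /* mov edx, [eax] */
    return vt->slot3(obj, input_buffer);          /* call [edx+0Ch] with (eax, ecx) */
}

/* --- hardened form (assumed design, not Novell's fix) -------------------- */
/* The driver owns its objects; user mode only supplies an index into them. */
static int legit_handler(void *self, void *input_buffer)
{
    (void)self; (void)input_buffer;
    return 42;                                   /* arbitrary "real work" result */
}
static const vtable_t legit_vt = { NULL, NULL, NULL, legit_handler };
static object_t legit_obj = { &legit_vt };
static object_t *kernel_objects[] = { &legit_obj };
#define KERNEL_OBJECT_COUNT (sizeof kernel_objects / sizeof kernel_objects[0])

int hardened_dispatch(const void *input_buffer, size_t input_len)
{
    uint32_t index;
    if (input_buffer == NULL || input_len < sizeof index)
        return STATUS_INVALID_PARAMETER;          /* InputBufferLength check */
    memcpy(&index, input_buffer, sizeof index);   /* copy, never deref user pointers */
    if (index >= KERNEL_OBJECT_COUNT)
        return STATUS_INVALID_PARAMETER;          /* bounds check on the handle */
    object_t *obj = kernel_objects[index];
    return obj->vtbl->slot3(obj, (void *)input_buffer);
}

/* --- constructed attacker input ------------------------------------------ */
static int attacker_payload(void *self, void *input_buffer)
{
    (void)self; (void)input_buffer;
    return 0x1337;                                /* proves attacker code ran */
}

/* Builds the same crafted buffer a local user would pass to DeviceIoControl:
 * first field = pointer to a fake object whose table slot 3 is the payload. */
static void build_attack_buffer(vtable_t *fake_vt, object_t *fake_obj, void **buf)
{
    fake_vt->slot0 = fake_vt->slot1 = fake_vt->slot2 = NULL;
    fake_vt->slot3 = attacker_payload;
    fake_obj->vtbl = fake_vt;
    buf[0] = fake_obj;                            /* "first DWORD" of the input buffer */
}

int simulate_attack_vuln(void)
{
    vtable_t fake_vt; object_t fake_obj; void *buf[4] = { 0 };
    build_attack_buffer(&fake_vt, &fake_obj, buf);
    return vuln_dispatch(buf);                    /* attacker_payload executes */
}

int simulate_attack_hardened(void)
{
    vtable_t fake_vt; object_t fake_obj; void *buf[4] = { 0 };
    build_attack_buffer(&fake_vt, &fake_obj, buf);
    return hardened_dispatch(buf, sizeof buf);    /* pointer value is an out-of-range index */
}

int legit_request(void)
{
    uint32_t index = 0;                           /* handle of the only real object */
    return hardened_dispatch(&index, sizeof index);
}

int main(void)
{
    printf("vulnerable dispatcher returned 0x%x (payload ran)\n", simulate_attack_vuln());
    printf("hardened dispatcher returned %d (rejected)\n", simulate_attack_hardened());
    printf("hardened dispatcher, legit request: %d\n", legit_request());
    return 0;
}
```

The model deliberately keeps the vulnerable function to the three instructions shown, since the advisory does not tell us what the elided `[..]` code does with the buffer length; whatever it checks, no length validation can make a raw user pointer safe to dereference and call through in kernel mode. The only sound fix is to stop trusting the pointer at all, which is what the index-based variant does.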