1.Description:
The nicm.sys kernel driver distributed with Novell Client for Windows 7,8 contains
a hijack of execution vulnerability in the handling of IOCTL 0x143B6B.
Exploitation of this issue allows an attacker to execute arbitrary code
within the kernel.
An attacker would need local access to a vulnerable computer to exploit
this vulnerability.
Affected application: Novell Client 2 SP3 for Windows 7,8 (up-to date).
Affected file: nicm.sys version 3.1.11.0.
2.Vulnerability details:
function at 0x0001205C is responsible for dispatching ioctl codes:
.text:0001205C ioctl_handler proc near ; DATA XREF: sub_17006+8B�o
.text:0001205C
.text:0001205C var_40 = dword ptr -40h
.text:0001205C var_3C = dword ptr -3Ch
.text:0001205C var_38 = dword ptr -38h
.text:0001205C var_34 = dword ptr -34h
.text:0001205C var_30 = dword ptr -30h
.text:0001205C var_2C = dword ptr -2Ch
.text:0001205C var_28 = dword ptr -28h
.text:0001205C MemoryDescriptorList= dword ptr -24h
.text:0001205C BaseAddress = dword ptr -20h
.text:0001205C var_19 = byte ptr -19h
.text:0001205C ms_exc = CPPEH_RECORD ptr -18h
.text:0001205C arg_4 = dword ptr 0Ch
.text:0001205C
.text:0001205C ; FUNCTION CHUNK AT .text:000121EB SIZE 000001C2 BYTES
.text:0001205C
.text:0001205C push 30h
.text:0001205E push offset stru_142E8
.text:00012063 call __SEH_prolog4
.text:00012068 xor ebx, ebx
.text:0001206A call ds:KeEnterCriticalRegion
.text:00012070 mov edi, [ebp+arg_4]
.text:00012073 push edi
.text:00012074 call sub_11F38
.text:00012079 mov [ebp+var_19], al
.text:0001207C mov esi, [edi+60h]
.text:0001207F mov [ebp+var_28], esi
.text:00012082 mov eax, [esi+0Ch]
.text:00012085 sub eax, 143B63h
.text:0001208A jz loc_122B0
[..]
.text:000121A3 mov ecx, eax ; ecx is input buffer
.text:000121A5 mov eax, [ecx] ; get first DWORD from input buffer
.text:000121A7 mov edx, [eax] ; dereference of value in first DWORD of input buffer
.text:000121A9 push ecx
.text:000121AA push eax
.text:000121AB call dword ptr [edx+0Ch] ; execution hijack!