Vigil@nce - Novell Client 2 for Windows 7/8: privilege escalation via nicm.sys
June 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can call a controlled function in nicm.sys of
Novell Client 2 for Windows 7/8, in order to escalate his
privileges.
Impacted products: Novell Client
Severity: 2/4
Creation date: 29/05/2013
DESCRIPTION OF THE VULNERABILITY
The Novell Client 2 for Windows 7/8 product installs the driver
nicm.sys.
However, the IOCTL 0x143B6B (NICM_IOCTL_REQUEST_REPLY) uses user’s
data to generate a function pointer.
A local attacker can therefore call a controlled function in
nicm.sys of Novell Client 2 for Windows 7/8, in order to escalate
his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN