| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Aug 11 02:37:44 2005 From: jeff.peadro at gmail.com (Jeff Peadro) Subject: Privilege escalation in Nortel Contivity VPN Client V05_01.030 Summary: Privilege escalation in Nortel Contivity VPN Client V05_01.030 (http://www.nortel.com) Details: The Contivity VPN Client is a Windows application that lets you define and store connection information for accessing your corporate network through a Contivity Secure IP Services Gateway. When the Contivity client is running as a service it is possible to manipulate the interface of the client and escalate privileges to that of the LocalSystem account. Vulnerable Versions: Nortel Contivity VPN Client V05_01.030 Patches/Workarounds: The vendor was notified of the issue and an updated version has been released. Exploit: 1. With the Contivity client open click on Options and select Authentication Options. 2. Select Digital Certificate Authentication Entrust and click OK. 3. To the right of the certificate box click the button icon and select open. 4. Change Files of type: to All Files, navigate to the system32 directory and locate cmd.exe. Right click cmd.exe and choose Open. It should also be noted that this exploit can be carried out by running the connection wizard and following steps 2-4. The result is a command prompt running under the context of the LocalSystem account. Discovered by Jeff Peadro Jeff.Peadro[at]gmail[dot]com
Powered by blists - more mailing lists