CVE-2007-5762

Novell NetWare Client 4.91 SP4 - Local Privilege Escalation via NICM.SYS IOCTL

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-5762. PoCs published by sickness.

AI-analyzed exploit summary This exploit targets a privilege escalation vulnerability in Novell Client 4.91 SP3/4 by manipulating the HalDispatchTable to overwrite kernel memory and steal SYSTEM tokens. It uses a vulnerable IOCTL (0x00143B6B) to trigger the exploit and spawns a SYSTEM-level command shell.

Description

NICM.SYS driver 3.0.0.4, as used in Novell NetWare Client 4.91 SP4, allows local users to execute arbitrary code by opening the \\.\nicm device and providing crafted kernel addresses via IOCTLs with the METHOD_NEITHER buffering mode.

Exploits (1)

exploitdb WORKING POC VERIFIED

by sickness · pythonlocalwindows

https://www.exploit-db.com/exploits/18914

View Code ZIP pw:eip

This exploit targets a privilege escalation vulnerability in Novell Client 4.91 SP3/4 by manipulating the HalDispatchTable to overwrite kernel memory and steal SYSTEM tokens. It uses a vulnerable IOCTL (0x00143B6B) to trigger the exploit and spawns a SYSTEM-level command shell.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Reliable

Target: Novell Client 4.91 SP3/4

No auth needed

Prerequisites: Novell Client 4.91 SP3/4 installed on Windows XP or Windows Server 2003 (excluding XP SP1) · Local access to the target system

MITRE ATT&CK