CVE-2007-1057 - The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, a

CVE-2007-1057

Summary

The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client.

References

Vulnerable Configurations

cpe:2.3:h:nortel:alteon_2424_application_switch:23.2:*:*:*:*:*:*:*
cpe:2.3:h:nortel:alteon_2424_application_switch:23.2:*:*:*:*:*:*:*
cpe:2.3:h:nortel:ssl_vpn_module_1000:*:*:*:*:*:*:*:*
cpe:2.3:h:nortel:ssl_vpn_module_1000:*:*:*:*:*:*:*:*
cpe:2.3:h:nortel:vpn_gateway_3070:*:*:*:*:*:*:*:*
cpe:2.3:h:nortel:vpn_gateway_3070:*:*:*:*:*:*:*:*
cpe:2.3:a:nortel:net_direct_client:*:*:linux:*:*:*:*:*
cpe:2.3:a:nortel:net_direct_client:*:*:linux:*:*:*:*:*

CVSS

Base:	6.9 (as of 11-10-2017 - 01:31)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:L/AC:M/Au:N/C:C/I:C/A:C

refmap via4

bid	22632
confirm	http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021886-01.pdf http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071
exploit-db	3356
misc	http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html
osvdb	33304
sectrack	1017678
secunia	24231
vupen	ADV-2007-0671
xf	netdirect-permissions-privilege-escalation(32597)

Last major update

11-10-2017 - 01:31

Published

21-02-2007 - 23:28

Last modified

11-10-2017 - 01:31