CVE-2007-4648
Published 2007-08-31
Priority P3 · 35 · high · 7.2 CVSS 2.0
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 0.92% (55.9th percentile)
The nvcoaft51 driver in Norman Virus Control (NVC) 5.82 uses weak permissions (unrestricted write access) for the NvcOa device, which allows local users to gain privileges by (1) triggering a buffer overflow in a kernel pool via a string argument to ioctl 0xBF67201C; or by (2) sending a crafted KEVENT structure through ioctl 0xBF672028 to overwrite arbitrary memory locations.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| norman | norman_virus_control | — | — |
No detection rules found.
Exploit-DB
Apple QuickTime 7.2/7.3 (OSX/Windows) - RSTP Response Universal
exploitdb·2007-11-29·CVSS 7.5
CVE-2002-0252 [HIGH] Apple QuickTime 7.2/7.3 (OSX/Windows) - RSTP Response Universal
---
# Copyright (C) 2007 Subreption LLC. All rights reserved.
# Visit http://blog.subreption.com for exploit development notes.
#
# References:
# http://www.milw0rm.com/exploits/4648 (original Microsoft Windows code)
# http://www.milw0rm.com/exploits/4651 (recent Microsoft Windows exploit)
# From Metasploit: apple_quicktime_rtsp_response.rb (by MC and HD Moore)
# http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-0252
# BID: https://www.securityfocus.com/bid/26549
#
# Notes:
# Payload badchars: \x00 \x09 \x0a \x0d \x20 \x22 \x25 \x26 \x27 \x2b \x2f
# \x3a \x3c \x3e \x3f \x40
#
# The example addresses and data will trigger an IDS signature easily.
# Remove them if you're not testing, and change padding sizes accordingly.
# Use the
Exploit-DB
Norman Virus Control - 'nvcoaft51.sys' ioctl BF672028
exploitdb·2007-08-30
CVE-2007-4648 Norman Virus Control - 'nvcoaft51.sys' ioctl BF672028
---
/*
Norman Virus Control nvcoaft51.sys ioctl BF672028 exploit

Abstract
nvcoaft51.sys driver receives as a parameter in some ioctls
a pointer to a KEVENT struct, calling KeSetEvent without
any prior check.
The device created by the driver (NvcOa) can be opened by
any user.
As a result, a user can send an IOCTL with a fake KEVENT
struct and finish executing code at ring0

Author
inocraM - inocram[at]48bits[dot]com
48bits I+D team
www.48bits.com

OS
Tested against Windows XP SP2 (Spanish) with a PAE kernel.

For educational purposes ONLY
*/
#define _CRT_SECURE_NO_DEPRECATE
#include
#include
#define XPLT_KEVENT_IOCTL 0xbf672028
/* PSAPI */
typedef BOOL (WINAPI * ENUM_DEVICE_DRIVERS)(LPVOID* lpImageBase,DWORD cb,LPDWORD lpcbNeeded);
t
No writeups or analysis indexed.
http://securityreason.com/securityalert/3087
http://www.48bits.com/exploits/nvc.rar
http://www.securityfocus.com/archive/1/478224/100/0/threaded
http://www.securityfocus.com/bid/25499
http://www.securitytracker.com/id?1018636
https://exchange.xforce.ibmcloud.com/vulnerabilities/36373