CVE-2013-3956
Published 2013-07-31
Priority P273 · high · 7.2 · CVSS 2.0
AV:L/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 7.80% (93.9th percentile)
The NICM.SYS kernel driver 3.1.11.0 in Novell Client 4.91 SP5 on Windows XP and Windows Server 2003; Novell Client 2 SP2 on Windows Vista and Windows Server 2008; and Novell Client 2 SP3 on Windows Server 2008 R2, Windows 7, Windows 8, and Windows Server 2012 allows local users to gain privileges via a crafted 0x143B6B IOCTL call.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | client | — | — |
| novell | client | — | — |
Detection & IOCs (extracted from sources)
- Monitor for DeviceIoControl calls targeting the '\\.\nicm' device handle with IOCTL code 0x143B6B from non-privileged user-mode processes; this is the specific vulnerable IOCTL used to trigger the kernel privilege escalation.
- Alert on NtAllocateVirtualMemory calls allocating executable memory (PAGE_EXECUTE, 0x40) at low fixed addresses such as 0x0d0d0000 or 0x0c0c0000, which are used by exploit code to stage shellcode before triggering the IOCTL.
- Look for the presence of nicm.sys version 3.1.11.0 on endpoints; this specific driver version is confirmed vulnerable and its presence indicates an exploitable attack surface.
- The Metasploit module targets Windows 7 SP1 with Novell Client 2 SP3; hunt for meterpreter sessions on hosts with this software combination as post-exploitation activity is expected after successful IOCTL trigger.
- The Python exploit does NOT bypass SMEP on Windows 8; exploitation on Windows 8 targets will fail without an additional SMEP bypass technique.
- The Metasploit module requires an existing Meterpreter session (local privilege escalation only); it is not a remote exploit and requires prior code execution on the target.
- The exploit is architecture-specific (x86 only); the Metasploit module declares ARCH_X86 and the Python PoC was tested only on x86 builds of Windows 7 and 8.
- Kernel struct offsets for the token-stealing shellcode differ between Windows 7 and Windows 8; incorrect offsets will cause a kernel crash rather than privilege escalation.
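The first two detection notes above can be combined into one triage pass. This is an added example, not code from any of the indexed sources: the event schema (`pid`, `elevated`, `api`, `base`, `protect`, `device`, `ioctl`) and the sample events are constructed, and it generalizes the allocation check to any executable protection value rather than only 0x40. It also decodes the IOCTL code to show it uses METHOD_NEITHER, the transfer type in which the I/O manager hands the driver raw user pointers.

```python
"""Added example: triage of constructed API telemetry for CVE-2013-3956 indicators."""
VULN_IOCTL = 0x143B6B                      # IOCTL code named in the advisory
DEVICE = r"\\.\nicm"                       # device path from the detection notes
STAGING_BASES = {0x0D0D0000, 0x0C0C0000}   # fixed addresses listed on the page
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80      # Windows PAGE_EXECUTE* protection values
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT",
           "METHOD_OUT_DIRECT", "METHOD_NEITHER")

def decode_ioctl(code):
    """Split an IOCTL code into its CTL_CODE fields (device, access, function, method)."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }

def triage(events):
    """Return (pid, severity) for each non-elevated call to the vulnerable IOCTL.

    Severity is 'high' when the same process earlier requested executable
    memory at one of the fixed staging addresses, otherwise 'medium'.
    """
    staged, alerts = set(), []
    for ev in events:
        if ev["api"] == "NtAllocateVirtualMemory":
            if ev["base"] in STAGING_BASES and ev["protect"] & EXEC_MASK:
                staged.add(ev["pid"])
        elif ev["api"] == "DeviceIoControl":
            hit = ev["device"].lower() == DEVICE and ev["ioctl"] == VULN_IOCTL
            if hit and not ev["elevated"]:
                alerts.append((ev["pid"], "high" if ev["pid"] in staged else "medium"))
    return alerts

# Constructed sample events in a hypothetical schema (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "elevated": False, "api": "NtAllocateVirtualMemory",
     "base": 0x0D0D0000, "protect": 0x40},
    {"pid": 4120, "elevated": False, "api": "DeviceIoControl",
     "device": r"\\.\nicm", "ioctl": 0x143B6B},
    {"pid": 988, "elevated": True, "api": "DeviceIoControl",
     "device": r"\\.\nicm", "ioctl": 0x143B6B},
    {"pid": 2044, "elevated": False, "api": "DeviceIoControl",
     "device": r"\\.\NICM", "ioctl": 0x143B6B},
    {"pid": 3000, "elevated": False, "api": "NtAllocateVirtualMemory",
     "base": 0, "protect": 0x04},
]

if __name__ == "__main__":
    print(decode_ioctl(VULN_IOCTL))
    print(triage(SAMPLE_EVENTS))
```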
CVSS provenance
nvd · v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 7.2 HIGH
GHSA
GHSA-5844-j43c-g95g: The NICM
ghsa_unreviewed·2022-05-17
VulnCheck
Novell Client for Windows NICM.SYS Local Privilege Escalation Vulnerability
vulncheck·2013·CVSS 7.2
Affected: novell client
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
No detection rules found.
Exploit-DB
Novell Client 2 SP3 - 'nicm.sys 3.1.11.0' Local Privilege Escalation
exploitdb·2013-07-29
---
```python
# Novell Client 2 SP3 Privilege escalation exploit
# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0
# Thanks to Master Ryujin :)
# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov (I am not sure whether there was anything else public)
# Exploit for DEMO purposes :)
# Does not bypass SMEP on Windows 8
# Metasploit module working against Windows 7: http://www.exploit-db.com/exploits/26452/
from ctypes import *
import sys,struct,os
from optparse import OptionParser
kernel32 = windll.kernel32
ntdll = windll.ntdll
if __name__ == '__main__':
    usage = "%prog -o "
    parser = OptionParser(usage=usage)
    parser.add_option("-o", type="string",
        action="store", dest="target_os",
```
Exploit-DB
Novell Client 2 SP3 - 'nicm.sys' Local Privilege Escalation (Metasploit)
exploitdb·2013-06-26
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
class Metasploit3 'Novell Client 2 SP3 nicm.sys Local Privilege Escalation',
'Description' => %q{
This module exploits a flaw in the nicm.sys driver to execute arbitrary code in
kernel space. The vulnerability occurs while handling ioctl requests with code
0x143B6B, where a user provided pointer is used as function pointer. The module
has been tested successfully on Windows 7 SP1
```
Metasploit
Novell Client 2 SP3 nicm.sys Local Privilege Escalation
metasploit
This module exploits a flaw in the nicm.sys driver to execute arbitrary code in kernel space. The vulnerability occurs while handling ioctl requests with code 0x143B6B, where a user provided pointer is used as function pointer. The module has been tested successfully on Windows 7 SP1 with Novell Client 2 SP3.
No writeups or analysis indexed.
- http://pastebin.com/GB4iiEwR
- http://www.exploit-db.com/exploits/26452
- http://www.exploit-db.com/exploits/27191
- http://www.novell.com/support/kb/doc.php?id=7012497