Re: Local Privilege Escalation Vulnerabilities in Lotus Notes Client

To: kochetkov.vladimir@xxxxxxxxx
Subject: Re: Local Privilege Escalation Vulnerabilities in Lotus Notes Client
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Wed, 22 Aug 2007 20:29:51 +0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20070822102528.22823.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <20070822102528.22823.qmail@xxxxxxxxxxxxxxxxx>
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear kochetkov.vladimir@xxxxxxxxx,

 It looks like duplicated for CVE-2005-2454 and should be fixed in Lotus
 Notes client 7.0.2, see

 http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21246773

 Please specify Notes client version.

--Wednesday, August 22, 2007, 2:25:28 PM, you wrote to 
bugtraq@xxxxxxxxxxxxxxxxx:

kvgc> Local Privilege Escalation Through Default ntmulti.exe File Permissions

kvgc> Unprivileged users can execute arbitrary programs that run
kvgc> with the privileges of the LocalSystem account by replacing the
kvgc> Multi-user Cleanup Service executable with arbitrary executables.
kvgc> This vulnerability exists because the default file permissions
kvgc> assigned during installation to ntmulti.exe (the executable for
kvgc> the Multi-user Cleanup Service) allow unprivileged, interactive
kvgc> users to replace ntmulti.exe with any file.

kvgc> Because the Multi-user Cleanup Service is a Windows service
kvgc> running with LocalSystem privileges, unprivileged users can easily
kvgc> elevate their privileges.


-- 
~/ZARAZA http://securityvulns.com/

References:
- Local Privilege Escalation Vulnerabilities in Lotus Notes Client
  - From: kochetkov . vladimir

Prev by Date: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.
Next by Date: HPSBST02255 SSRT071456 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS07-042 to MS07-050
Previous by thread: Local Privilege Escalation Vulnerabilities in Lotus Notes Client
Next by thread: Encryption Weakness in Sun Sun AS 9.0_0.1 (build b02-p01)
Index(es):
- Date
- Thread