exploits , vulnerabilities , articles , BakBone NetVault NVStatsMngr.EXE Local Privilege Escalation Vulnerability

Title	BakBone NetVault NVStatsMngr.EXE Local Privilege Escalation Vulnerability
Published	2005-04-27-12:00AM
Updated	2005-11-25-03:54PM
Class	Design Error
CVE	CAN-2005-1372
Remote	No
Local	Yes
Credit	Reed Arvin <reedarvin@gmail.com> is credited with the discovery of this vulnerability.
Vulnerable	BakBone NetVault 7.3 BakBone NetVault 7.1.1 BakBone NetVault 7.1 BakBone NetVault 7.0
Not Vulnerable	BakBone NetVault 7.3.1 BakBone NetVault 7.1.3 BakBone NetVault 7.1.2
Code	Proceeding through the following steps will result in a command prompt running with SYSTEM level privileges: 1. Utilize the exploit to get the C:Program FilesBakBone SoftwareNetVaultin vstatsmngr.exe window to appear. Access the window menu in the upper left and click Properties. 2. Right click on the word Window under the Display Options and click What's This? 3. Right click on the help text that is shown in yellow and click Print Topic. 4. Right click on any printer and click Open. 5. Click Help, Help Topics. 6. Right click in the right side of the help screen and click View Source. 7. Notepad will appear (running under the context of the LocalSystem account). Click File, click Open. 8. Change Files of type: to All Files, navigate to the system32 directory and locate cmd.exe. Right click cmd.exe and choose Open. The following exploit will unhide the 'nvstatsmngr.exe' service window: /data/vulnerabilities/exploits/nvstatsmngrPrivEsc.c
TXT