Details of VAR-200607-0237

ID

VAR-200607-0237

CVE

CVE-2006-3697

TITLE

Lavasoft Personal Firewall Used in products such as Agnitum Outpost Firewall Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2006-002819

DESCRIPTION

Agnitum Outpost Firewall Pro 3.51.759.6511 (462), as used in (1) Lavasoft Personal Firewall 1.0.543.5722 (433) and (2) Novell BorderManager Novell Client Firewall 2.0, does not properly restrict user activities in application windows that run in a LocalSystem context, which allows local users to gain privileges and execute commands (a) via the "open folder" option when no instance of explorer.exe is running, possibly related to the ShellExecute API function; or (b) by overwriting a batch file through the "Save Configuration As" option. NOTE: this might be a vulnerability in Microsoft Windows and explorer.exe instead of the firewall. Lavasoft Personal Firewall will allow local attackers to gain elevated privileges, which may lead to a complete compromise. Version 1.0.543.5722 (433) is reported vulnerable. Other versions may be affected as well. Reports indicate that this issue may be related to BID 19024. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. The vulnerability is caused due to the application windows running with SYSTEM privileges and the application not checking if explorer.exe is running. This can be exploited to launch explorer.exe with SYSTEM privileges by terminating it and then using the "open folder" option in e.g. the "Shared Components" window. SOLUTION: Enable password protection. PROVIDED AND/OR DISCOVERED BY: Ben Goulding ORIGINAL ADVISORY: http://www.ben.goulding.com.au/secad.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.43

sources: NVD: CVE-2006-3697 // JVNDB: JVNDB-2006-002819 // BID: 19024 // BID: 19018 // VULHUB: VHN-19805 // PACKETSTORM: 48308 // PACKETSTORM: 48302

AFFECTED PRODUCTS

vendor:	novell	model:	client firewall	scope:	eq	version:	2.0	Trust: 2.7
vendor:	agnitum	model:	outpost firewall	scope:	eq	version:	3.51.759.6511	Trust: 1.0
vendor:	lavasoft	model:	personal firewall	scope:	eq	version:	1.0.543.5722.433	Trust: 1.0
vendor:	agnitum	model:	outpost firewall	scope:	eq	version:	pro 3.51.759.6511 (462)	Trust: 0.8
vendor:	lavasoft	model:	personal firewall	scope:	eq	version:	1.0.543.5722 (433)	Trust: 0.8
vendor:	novell	model:	bordermanager	scope:	eq	version:	3.8	Trust: 0.3
vendor:	novell	model:	bordermanager	scope:	eq	version:	3.7	Trust: 0.3
vendor:	agnitum	model:	outpost firewall	scope:	eq	version:	3.51.759.6511(462)	Trust: 0.3
vendor:	lavasoft	model:	personal firewall	scope:	eq	version:	1.0.543.5722(433)	Trust: 0.3

sources: BID: 19024 // BID: 19018 // JVNDB: JVNDB-2006-002819 // CNNVD: CNNVD-200607-289 // NVD: CVE-2006-3697

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2006-3697
value:	HIGH
Trust: 1.0
NVD:	CVE-2006-3697
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-200607-289
value:	HIGH
Trust: 0.6
VULHUB:	VHN-19805
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2006-3697
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-19805
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-19805 // JVNDB: JVNDB-2006-002819 // CNNVD: CNNVD-200607-289 // NVD: CVE-2006-3697

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-19805 // JVNDB: JVNDB-2006-002819 // NVD: CVE-2006-3697

THREAT TYPE

local

Trust: 1.4

sources: BID: 19024 // BID: 19018 // PACKETSTORM: 48308 // PACKETSTORM: 48302 // CNNVD: CNNVD-200607-289

TYPE

Design Error

Trust: 0.6

sources: BID: 19024 // BID: 19018

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-002819

PATCH

title:	Top Page	url:	http://www.agnitum.com/products/outpost/	Trust: 0.8
title:	Top Page	url:	http://www.lavasoft.com/products/lavasoft_personal_firewall.php	Trust: 0.8
title:	Top Page	url:	http://www.novell.com/support/	Trust: 0.8

sources: JVNDB: JVNDB-2006-002819

EXTERNAL IDS

db:	NVD	id:	CVE-2006-3697	Trust: 3.1
db:	BID	id:	19024	Trust: 2.0
db:	BID	id:	19018	Trust: 2.0
db:	SECUNIA	id:	21089	Trust: 1.8
db:	SECUNIA	id:	21088	Trust: 1.8
db:	VUPEN	id:	ADV-2007-0144	Trust: 1.7
db:	VUPEN	id:	ADV-2006-2852	Trust: 1.7
db:	VUPEN	id:	ADV-2006-2851	Trust: 1.7
db:	OSVDB	id:	27349	Trust: 1.7
db:	JVNDB	id:	JVNDB-2006-002819	Trust: 0.8
db:	CNNVD	id:	CNNVD-200607-289	Trust: 0.7
db:	BUGTRAQ	id:	20060716 ESCALATION OF PRIVILEGES IN OUTPOST AND LAVASOFT FIREWALLS -UNUSUAL SHELLEXECUTE BEHAVIOR	Trust: 0.6
db:	VULHUB	id:	VHN-19805	Trust: 0.1
db:	PACKETSTORM	id:	48308	Trust: 0.1
db:	PACKETSTORM	id:	48302	Trust: 0.1

sources: VULHUB: VHN-19805 // BID: 19024 // BID: 19018 // JVNDB: JVNDB-2006-002819 // PACKETSTORM: 48308 // PACKETSTORM: 48302 // CNNVD: CNNVD-200607-289 // NVD: CVE-2006-3697

REFERENCES

url:	http://www.ben.goulding.com.au/secad.html	Trust: 2.5
url:	https://secure-support.novell.com/kanisaplatform/publishing/903/3762108_f.sal_public.html	Trust: 2.0
url:	http://www.securityfocus.com/bid/19018	Trust: 1.7
url:	http://www.securityfocus.com/bid/19024	Trust: 1.7
url:	http://www.osvdb.org/27349	Trust: 1.7
url:	http://secunia.com/advisories/21088	Trust: 1.7
url:	http://secunia.com/advisories/21089	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/440426/100/0/threaded	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2006/2851	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2006/2852	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2007/0144	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-3697	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2006-3697	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/440426/100/0/threaded	Trust: 0.6
url:	http://www.frsirt.com/english/advisories/2007/0144	Trust: 0.6
url:	http://www.frsirt.com/english/advisories/2006/2852	Trust: 0.6
url:	http://www.frsirt.com/english/advisories/2006/2851	Trust: 0.6
url:	http://www.agnitum.com/products/outpost/	Trust: 0.3
url:	http://seclists.org/lists/fulldisclosure/2006/jul/0481.html	Trust: 0.3
url:	http://www.lavasoftusa.com/software/firewall/	Trust: 0.3
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.2
url:	http://secunia.com/hardcore_disassembler_and_reverse_engineer/	Trust: 0.2
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.2
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.2
url:	http://secunia.com/product/7908/	Trust: 0.1
url:	http://secunia.com/advisories/21089/	Trust: 0.1
url:	http://secunia.com/advisories/21088/	Trust: 0.1
url:	http://secunia.com/product/11075/	Trust: 0.1

CREDITS

mullware@gmail.com discovered this issue.

Trust: 0.9

sources: BID: 19018 // CNNVD: CNNVD-200607-289

SOURCES

db:	VULHUB	id:	VHN-19805
db:	BID	id:	19024
db:	BID	id:	19018
db:	JVNDB	id:	JVNDB-2006-002819
db:	PACKETSTORM	id:	48308
db:	PACKETSTORM	id:	48302
db:	CNNVD	id:	CNNVD-200607-289
db:	NVD	id:	CVE-2006-3697

LAST UPDATE DATE

2025-04-03T22:41:45.404000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-19805	date:	2018-10-18T00:00:00
db:	BID	id:	19024	date:	2007-01-11T17:50:00
db:	BID	id:	19018	date:	2007-01-11T18:10:00
db:	JVNDB	id:	JVNDB-2006-002819	date:	2012-12-20T00:00:00
db:	CNNVD	id:	CNNVD-200607-289	date:	2007-01-24T00:00:00
db:	NVD	id:	CVE-2006-3697	date:	2025-04-03T01:03:51.193

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-19805	date:	2006-07-21T00:00:00
db:	BID	id:	19024	date:	2006-07-17T00:00:00
db:	BID	id:	19018	date:	2006-07-17T00:00:00
db:	JVNDB	id:	JVNDB-2006-002819	date:	2012-12-20T00:00:00
db:	PACKETSTORM	id:	48308	date:	2006-07-18T20:56:43
db:	PACKETSTORM	id:	48302	date:	2006-07-18T20:56:43
db:	CNNVD	id:	CNNVD-200607-289	date:	2006-07-21T00:00:00
db:	NVD	id:	CVE-2006-3697	date:	2006-07-21T14:03:00