CVE-2007-1057 Information

Description

The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424 VPN 3050 and 3070 and SSL VPN Module 1000 extracts and executes files with insecure permissions which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client as demonstrated by replacing /tmp/NetClient/client.

Reference

http://osvdb.org/33304 http://secunia.com/advisories/24231 http://spoofed.org/blog/archive/2007/02/nortel_vpn_unix_client_local_root_compromise.html http://www.securityfocus.com/bid/22632 http://www.securitytracker.com/id?1017678 http://www.vupen.com/english/advisories/2007/0671 http://www116.nortelnetworks.com/pub/repository/CLARIFY/DOCUMENT/2007/08/021886-01.pdf http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=540071 https://exchange.xforce.ibmcloud.com/vulnerabilities/32597 https://www.exploit-db.com/exploits/3356