Re: Novell Netware Allows Login Access With No Passwords

SecurityTracker Alert ID: 1001085
SecurityTracker URL: http://securitytracker.com/id/1001085
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 14 2001
Impact: User access via network
Version(s): Netware 3.1-5.1

Description:
A vulnerability has been reported in the default configuration of Novell Netware that allows login access with no passwords.
A user reports that an exploit may proceed through the following steps, using an API called ChangeToClientRights:
"1. Login as printer.
2. Wait for supe/admin person to print something.
3. Execute ChangeToClientRights.
4. Do bad things."
The user also indicates that there is some code at http://www.nmrc.org/files/netware/netware.zip and somewhere on Packetstorm (http://packetstorm.securify.com/) that may perform some of these steps.

Impact:
An attacker can log into a Netware network using a Print Server account and obtain the rights of the container that the Print Server resides in.

Solution:
No solution was available at the time of this entry.

Vendor URL: www.novell.com
Cause: Authentication error
Underlying OS:

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Tue, 13 Mar 2001 16:33:47 -0600
Subject: Re: Vulnerability in Novell Netware

I think the main issue regarding the Novell print queue thing does involve
logging in via APIs and not using the client software. By specifying your
object type as that of a printer (something the client code does not
support) you can log in as the printer. And yes you can brute force the
password since Intrusion Detection does not apply here.
The main reason for gaining access to the server this way is because the
printer objects have access to an API call called ChangeToClientRights.
The sploit is supposed to go:
1. Login as printer.
2. Wait for supe/admin person to print something.
3. Execute ChangeToClientRights.
4. Do bad things.
Supposedly several people have had the code to do this for a while. It is
one of those 0-day things Netware hackers trade ;-) Anyway, there is some
code at http://www.nmrc.org/files/netware/netware.zip that is supposed to
do a lot of this stuff. I couldn't get it to work on 5.x SP2, and can't
really vouch for it, but everyone is free to try it out. It is also
somewhere on Packetstorm as well.
- Simple Nomad - "No rest for the Wicca'd" -
- thegnome@nmrc.org - -
- thegnome@razor.bindview.com - www.nmrc.org razor.bindview.com -
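
A defender-side check for the login path the message describes, as an added example that is not part of the original advisory or message: it scans login audit records for print-server-type logins from unlisted addresses and for repeated password failures against a print server object. The record layout, the inventory table and every sample value are constructed assumptions, not NetWare's own log format.

```python
from collections import defaultdict, deque

OT_PRINT_SERVER = 0x0007  # bindery object type code for a print server

# Constructed sample records (not real server output). Assumed layout:
# epoch_seconds,object_type_hex,object_name,source_address,result
# Object type 0001 is a user, 0007 a print server.
SAMPLE_LOG = """\
984522000,0001,ADMIN,0000A1B2:00C04F111111,OK
984522005,0007,PS-ACCT,0000A1B2:00C04FAAAAAA,OK
984522010,0007,PS-ACCT,0000A1B2:00C04F222222,FAIL
984522015,0007,PS-ACCT,0000A1B2:00C04F222222,FAIL
984522021,0007,PS-ACCT,0000A1B2:00C04F222222,FAIL
984522030,0007,PS-ACCT,0000A1B2:00C04F222222,OK
984522100,0001,JSMITH,0000A1B2:00C04F333333,FAIL
"""

# Hypothetical inventory: the address each print server really runs on.
KNOWN_PRINT_SERVERS = {"PS-ACCT": "0000A1B2:00C04FAAAAAA"}

def parse(log_text):
    """Yield (ts, object_type, name, source, success) per record."""
    for line in log_text.strip().splitlines():
        ts, otype, name, src, result = line.split(",")
        yield int(ts), int(otype, 16), name, src, result == "OK"

def audit(log_text, known=KNOWN_PRINT_SERVERS, max_failures=3, window=60):
    """Return alerts for logins made with the print server object type."""
    failures = defaultdict(deque)  # object name -> recent failure times
    alerts = []
    for ts, otype, name, src, ok in parse(log_text):
        if otype != OT_PRINT_SERVER:
            continue  # only printer-type logins are examined here
        if ok:
            # Print server object logging in from an unlisted address.
            if known.get(name) != src:
                alerts.append(("unexpected-source", name, src, ts))
            continue
        recent = failures[name]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()  # drop failures older than the window
        # The message says intruder detection does not cover these
        # logins, so password failures are counted per object here.
        if len(recent) == max_failures:
            alerts.append(("password-guessing", name, src, ts))
    return alerts
```

Calling `audit(SAMPLE_LOG)` returns one password-guessing alert and one unexpected-source alert for PS-ACCT, while the print server's login from its listed address raises nothing.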