SecurityTracker.com

SecurityTracker
Archives


 


Category:   Networking Stack (NetWare)  >   NetWare
Vendors:   Novell
Re: Novell Netware Allows Login Access With No Passwords
SecurityTracker Alert ID:  1001085
SecurityTracker URL:  http://securitytracker.com/id/1001085
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 14 2001
Impact:   User access via network

Version(s): Netware 3.1-5.1
Description:   A vulnerability has been reported in the default configuration of Novell Netware that allows login access with no passwords.

A user reports that an exploit using an API call named ChangeToClientRights may proceed as follows:

"1. Login as printer.
2. Wait for supe/admin person to print something.
3. Execute ChangeToClientRights.
4. Do bad things."

The user also indicates that there is some code at http://www.nmrc.org/files/netware/netware.zip and somewhere on Packetstorm (http://packetstorm.securify.com/) that may perform some of these steps.

Impact:   An attacker can log into a Netware network using a Print Server account and obtain the rights of the container that the Print Server resides in.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.novell.com
Cause:   Authentication error

Message History:   This archive entry is a follow-up to the message listed below.
Mar 12 2001 Novell Netware Allows Login Access With No Passwords



 Source Message Contents

Subject:  Re: Vulnerability in Novell Netware


I think the main issue regarding the Novell print queue thing does involve
logging in via APIs and not using the client software. By specifying your
object type as that of a printer (something the client code does not
support) you can log in as the printer. And yes you can brute force the
password since Intrusion Detection does not apply here.

The main reason for gaining access to the server this way is because the
printer objects have access to an API call called ChangeToClientRights.
The sploit is supposed to go:

1. Login as printer.
2. Wait for supe/admin person to print something.
3. Execute ChangeToClientRights.
4. Do bad things.

Supposedly several people have had the code to do this for a while. It is
one of those 0-day things Netware hackers trade ;-) Anyway, there is some
code at http://www.nmrc.org/files/netware/netware.zip that is supposed to
do a lot of this stuff. I couldn't get it to work on 5.x SP2, and can't
really vouch for it, but everyone is free to try it out. It is also
somewhere on Packetstorm as well.

-         Simple Nomad          -     "No rest for the Wicca'd"     -
-      thegnome@nmrc.org        -                                   -
-  thegnome@razor.bindview.com  - www.nmrc.org   razor.bindview.com -


 
 



Copyright 2020, SecurityGlobal.net LLC