NetWare NDS for NT Configuration Error May Let Remote Users Obtain NT Domain Administration Privileges
SecurityTracker Alert ID: 1003416
SecurityTracker URL: http://securitytracker.com/id/1003416
Date: Feb 1 2002
Impact: User access via network
Fix Available: Yes   Vendor Confirmed: Yes   Exploit Included: Yes
Version(s): NetWare 5.x
A configuration vulnerability was reported in Novell's NDS for NT. A remote user with a valid NDS account may be able to obtain NT domain administrator privileges on a remote NT server.
A user with a valid Novell NDS account of any security level may be able to obtain "Domain Admin" access to any member server or workstation in an NT domain, except for the primary and backup domain controllers. The condition is that some other NDS account in the tree has been flagged with "domain admin" rights over the NT domain but does not itself exist in the NT domain. It is reported that such an account can then be used to authenticate with a null password, even though it has a password set in NDS; if the same account also exists in the NT domain, the null password is rejected.
A demonstration exploit scenario is described in the Source Message.
A remote user with an NDS account may be able to obtain domain administrator access on a remote NT server when another NDS account is misconfigured as described above.
It is reported that Novell has indicated that this is a customer configuration error. The author of the report indicates that there is no apparent mention of this configuration situation in Novell documentation.
According to the report, the fix is to clear the "admin rights on the NT Domain" check box on any affected NDS account (i.e., one that carries the flag but does not exist in the NT domain). Because the report states that the exposure depends on the combination of the flag and a missing NT account, a practical check is to compare every NDS account that carries the flag against the NT domain's user list and treat any flagged account without an NT counterpart as exposed.
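The following audit is an added illustration of that check; it is not code from SecurityTracker, Novell, or the original report. It takes a list of NDS accounts with their "admin rights on the NT Domain" flag (the CSV layout is an assumption; produce it with whatever export your NDS tooling offers) and the text printed by `net user /domain` on an NT 4.0 domain member, and reports every flagged NDS account that has no NT counterpart. The account and server names in the sample inputs are constructed.

```python
"""Audit for NDS for NT accounts that are flagged with NT domain admin
rights but have no account in the NT domain.

Added example, not code from SecurityTracker, Novell or the original
Bugtraq poster.  Assumptions not taken from the advisory:
  * NDS accounts arrive as CSV lines "name,nt_domain_admin" with the
    flag given as "Y" or "N" (an assumed export format).
  * NT accounts arrive as the text printed by `net user /domain` on
    NT 4.0, which lists names in 25-character columns.
"""
import csv
import io
import re

# Constructed sample export of NDS user objects (assumed CSV layout).
NDS_EXPORT = """\
name,nt_domain_admin
jsmith,N
NDS_ADM,Y
ntadmin,Y
svc_backup,N
"""

# Constructed sample of `net user /domain` output captured on a domain member.
NET_USER_OUTPUT = """\
User accounts for \\\\PDC01

-------------------------------------------------------------------------------
Administrator            Guest                    jsmith
ntadmin                  svc_backup
The command completed successfully.
"""


def parse_net_user(text):
    """Return the NT account names (lower-cased) listed by `net user /domain`.

    net user prints names in 25-character columns and NT names are at
    most 20 characters, so neighbouring names on a line are separated by
    at least two spaces; splitting on runs of two or more spaces recovers
    them without depending on exact column positions.
    """
    names = set()
    in_list = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True          # the name list starts after the dashed rule
            continue
        if line.startswith("The command completed"):
            break                   # trailer line, end of the listing
        if in_list and line.strip():
            for name in re.split(r" {2,}", line.strip()):
                names.add(name.lower())
    return names


def parse_nds_export(text):
    """Return the NDS account names (lower-cased) flagged with NT domain admin rights."""
    flagged = set()
    for row in csv.DictReader(io.StringIO(text)):
        if row["nt_domain_admin"].strip().upper() == "Y":
            flagged.add(row["name"].strip().lower())
    return flagged


def exposed_accounts(nds_export, net_user_output):
    """NDS accounts carrying the flag that do not exist in the NT domain.

    Per the report, each of these can be used as
    `net use \\\\target\\ipc$ /user:<name>` with an empty password.
    NT account names are case-insensitive, hence the lower-casing above.
    """
    flagged = parse_nds_export(nds_export)
    nt_accounts = parse_net_user(net_user_output)
    return sorted(flagged - nt_accounts)


if __name__ == "__main__":
    for name in exposed_accounts(NDS_EXPORT, NET_USER_OUTPUT):
        print("EXPOSED: %s has NT domain admin rights but no NT account; "
              "clear the 'admin rights on the NT Domain' check box" % name)
```

On the sample inputs only NDS_ADM is reported: ntadmin is also flagged, but because it exists in the NT domain the report says the null-password login does not work for it. Run the script against a fresh `net user /domain` capture from a domain member rather than a PDC/BDC, since the report limits the exposure to member machines.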
Vendor URL: www.novell.com/
Underlying OS: Windows (NT)
Underlying OS Comments: Novell NetWare 5.x (NDS tree) with NT 4.0 SP6a; Novell version 4.80 32bit desktop client
Source Message Contents
Subject: Possible privilege escalation with NDS for NT
The following security exposure may or may not exist
for any shop running NDS for NT. We contacted Novell
last August with this exposure. They failed to
respond. We later contacted Simple Nomad and he did a
good job bringing the vulnerability to Novell's
Novell indicates that this is really an "admin snafu"
on our part. Since the Novell manuals do not warn you
against doing this I thought it best to submit this to
BUGTRAQ so that other NDS/NT shops can avoid making
the same error (if indeed it is an error!).
Platform: Novell NetWare 5.x (NDS tree); NT domain machines are NT 4.0 SP6a.
Application: NDS for NT.
The NT SAM is effectively replaced by routing all NT
Domain calls to NDS via TCP port 427 (and maybe other
The Novell 32bit client on the desktop is 4.80 and it
replaces the NT GINA.
Given a valid Novell NDS account of any security level
it may be possible to gain access to any NT domain
machine (except the PDC/BDC) as "Domain Admin" by
using another NDS account (that must be configured as
below) and supplying no password.
The NDS_ADM account that will be exploited:
Any NDS account in the NDS tree that has been checked
as having "domain admin" rights over the NT domain can
be used - without supplying a password. This account
must not - repeat- not exist in the NT domain. If
the account does exist in the NT domain this will not
work. We verified that our particular account had a
14-character (complex) password in the NDS tree - yet the
exploit allows a "null" password to be used.
Requirements and verification of the exploit:
You will use 2 separate accounts: a low level user
account and a supposedly misconfigured "admin" account
(shown as NDS_ADM) - configured as above.
1. Use an NT machine that is a member of the NT domain
that the NDS tree manages
2. Verify that your NDS_ADM account - has "domain
admin rights" over the NT domain. This is the key
portion of the vulnerability.
3. Verify that your NDS_ADM account does not exist in
the NT domain (i.e.: you cannot display it with any NT
tool (net user, user manager etc..)) - the account can
only be seen with NetWare tools
4. Ensure that you have logged into the NDS domain
as an ordinary user with your low level account
5. Verify that you do not have current access (as
domain admin) to the target NT domain machine you are
about to authenticate to as "domain admin". One test
is to try to access the default shares like C$, D$
If the above is verified then you can try to exploit
the vulnerability by doing:
from a DOS prompt: (text may be wrapped)
c:>net use \\target-IP\ipc$ /user:NDS_ADM *
Type the password for \\target-IP\ipc$:
The command completed successfully.
(the * prompts you for a password)
(simply hit enter when you get the: Type the..message)
(Do not qualify the NDS_ADM name with the name of the
(The target-IP is any NT machine joined to the domain
- but cannot be the PDC/BDC)
If the above completes successfully - you can now
verify that you have "domain admin" rights on the
target-IP machine. Try accessing a default share like
The fix is to remove the check box for "admin rights
on the NT Domain" from the NDS account NDS_ADM.
Novell indicates that this is our "error" - yet I
cannot find a reference to this behavior - anywhere.
I wonder if other shops have this exposure. Anyway,
the intent is to warn other NDS/NT shops that this
can happen to them.