💾 Archived View for spam.works › mirrors › textfiles › hacking › novell.hac captured on 2023-06-14 at 16:54:46.



Date and Time: 09-26-1992 at 03:21:58
Originated By: Brett Warthen (BRETT @ INFINIE)
--------------------------------------------------------------------------
There have been some discussions on various mailing lists over the past 
couple of weeks regarding security holes in NetWare.  So, I thought it 
might be prudent to pass along some information before any rumors get out 
of hand.
 
I don't want to create any alarm or encourage attempts to break 
network security.  I also must state up front that I personally find the 
actions of the Dutch Novell Users' Group to be extremely
questionable.  While keeping potential security breaches secret puts the 
public at risk by not being able to protect themselves from the 
risk...making widespread announcements about such breaches to gain 
publicity, before giving the manufacturer a chance to address the problem 
is irresponsible and just creates hysteria.
 
While I hesitate to mention these issues any further, I know that these 
are the types of issues that the trade magazines tend to pick up...confuse 
with incomplete and inaccurate facts...and leave your boss and auditing 
department breathing down your neck.
 
The most recent security hole was exposed by a group in the Netherlands, 
where they demonstrated that a program running on one network work station 
could pretend to be another user currently signed onto the same file 
server.  This task requires quite low level programming, and API 
information that is not generally published, where a program generates a 
network request that looks like it came from a different workstation on 
the network.
 
Novell has acknowledged this "problem", and has released a patch for 
NetWare 3.11 (SECURE.ZIP in NOVLIB Library 1 on CompuServe), pointing out 
that this problem is not just a NetWare problem, but also exists with 
other network operating systems.
 
The press releases from the Dutch Novell Users' Group and Novell are 
provided below FYI...
 
A second "security hole" is merely an old one resurfacing, one that 
affects versions of NetWare prior to NetWad 3re 
particularly if intruder detection was turned off) there was a bug in the 
login validation routines, where it was possible for a program to 
repeatedly retry access to the file server and gain Supervisor access to 
the system.
 
This second security hole does *NOT* exist in NetWare 2.2 or 3.11, and 
Novell released patches for other versions of NetWare to fix this 
problem.  SEC286.ZIP and SEC386.ZIP are the filenames on CompuServe.
 
Other stories come up from time to time detailing various security 
threats...but it should be stressed that these other methods require 
physical access to the file server.  Physical security of the file server 
is a necessity in any truly secure environment.  A protected RCONSOLE 
password is also recommended.
 
=========== Dutch NetWare Users' Group Press Release =================
P R E S S   R E L E A S E
September 17th, 1992
 
          SECURITY HOLE DISCOVERED IN NOVELL NETWARE
 
During the LanVision event, organised by the Dutch Novell User group (NGN)
at Bunnik, in the Netherlands, a security problem was discovered in
Novell's NetWare.  With NetWare, Novell has a 70% market share of installed
network operating systems.
 
One of the members of the NGN demonstrated the ability to obtain the
authorization level of any logged in user.  In this fashion, any user can
acquire the same rights of any other user, e.g. the supervisor, or a
financial director.
 
The program uses the ability to send a command to the file server such that
the server "believes" that the command was issued from the other
workstation.  Once this is accomplished, the user is able to send commands
which will function as if the privileged user had sent them.
 
The NGN sent the program and source code to Novell developers.  The NGN
urged Novell to find a solution for this problem as soon as possible, due
to the severity of the problem.  NGN members are developing a program that
detects unauthorized usage via this particular security weakness and warns
the supervisor.  To the best of NGN's knowledge, the program which takes
advantage of the problem is not freely available at the present time.
 
The Dutch Novell User group recommendst i to melus with age of company confidential
information.  Secondly, the
NGN advises that users should refrain from using the supervisor account
unless no one else is working on the network.
 
NGN experts have reason to believe that the technique used, which is known
as a physical attack on the wire, could be implemented on other network
operating systems as well.
 
---------
Editorial comments
 
The Dutch Novell User group (NGN) organises the LanVision event every year.
It is an opportunity to attend a 'school' for supervisors where suppliers
inform supervisors about the latest news and trends concerning the
networking industry.  The LanVision event was an enormous success, with
over 1200 supervisors attending the meeting and nearly 300 lectures being
held.
 
The NGN, a professional user group for all network users, has the goal of
improving the efficiency of the supervisor.  The object of NGN is more than
just a get-together of supervisors, rather the supervisor should be able to
accelerate their knowledge and growth.  NGN is a member of NetWare Users
International (NUI), with more than 120,000 members worldwide.  At more
than 2000 active members, the NGN is one of the largest user groups in the
world, and by far the most active user group in Europe.
 
You may contact the NGN office during office hours at +31 3446 1323 (CET).
 
=============== Novell Press Release from SECURE.ZIP File ===============
                                MEDIA ALERT
 
                      NOVELL ENHANCES NETWARE SECURITY
 
Novell today announced that it has enhanced NetWare security by developing
and making available software enhancements for its NetWare v3.x, NetWare
v2.x and NetWare for Unix customers.  These enhancements are designed to
counteract a recently discovered security threat to network operating
systems.
 
The security threat, proven in a Netherlands academic laboratory, is not
currently found in commercial environments and requires the hacker to forge
requests on the wire in the name of a more privileged user.  However, Novell
considers any threat, even a potential threat, to network security to be
serious and has worked quickly to develop and provide solutions for its
customers.
 
Because this security threat affects other network operating systems, it is
an industry-wide problem.  In addition to being the first to address this
security threat for its customers, Novell is willing to work closely with
other companies in the industry to ensure that in general networks are as
secure as possible.
 
Novell is also continuing its education efforts to ensure that customers
have the most secure network environments available.  Novell recommends 
that all customers who are concerned about security activate all applicable 
NetWare security features and install the most recent versions of system 
software, client software and patches.
 
Novell will make the software enhancements available on NetWire and NetWare
Express for NetWare v3.x and NetWare v2.x customers.  The enhancements will
also be given directly to NetWare for Unix partners so that they can make
the solution available to their customers.
 
============ Novell Technical Bulletin from SECURE.ZIP ================
                          NOVELL TECHNICAL BULLETIN
 
          TITLE:    Physical Security of a NetWare Server
   DOCUMENT ID#:    TB.P.287
           DATE:    12APR91
        PRODUCT:    NetWare
PRODUCT VERSION:
     SUPERSEDES:    NA
 
        SYMPTOM:    NA
 
ISSUE/PROBLEM
 
   It is necessary to reiterate the need to physically secure a NetWare
   server.  Some NetWare administrators may not be aware of this security
   measure.  Precautions, such as those implemented in the mainframe and
   minicomputer environment, should also be taken to physically protect the
   server from unauthorized use in a NetWare environment.  If the server is
   not secured in a locked area, unauthorized users may be able to down the
   server and remove devices; destroy data and system configuration; and
   otherwise gain access to sensitive information.
 
   In addition to securing the server, NetWare provides a number of security
   features that help protect the server console and system from misuse.
   The following are functions that can be used to enhance server security
   on a NetWare operating system.
 
     ~    Issue the SECURE CONSOLE command from a NetWare v3.x console.  By
          doing this, the system will only load NLMs from SYS:SYSTEM.
 
     ~    Select Lock File Server Console from the NetWare v3.x MONITOR.NLM
          main menu.  This will password-protect the server console.
 
     ~    Protect RCONSOLE.NLM from a NetWare v3.x system with a password.
 
     ~    Use other security features of NetWare v2.x and v3.x such as
          intruder detection, forced password changes, limited grace logins,
          etc.
 
     ~    Use server hardware password protection if available.
 
   These advanced features enhance system security, but do not remove the
   need to place the server in a secure location.  NetWare security features
   combined with physical protection of the server affords the system
   administrator the highest server security possible in the NetWare
   environment.
================  End Novell Technical Bulletin  =========================
 
------------------------+-------------------------------------------------
 Brett Warthen          |        MHS:  Brett @ Infinite (via NHUB/CSERVE)
 Infinite Technologies  | CompuServe:  >MHS:Brett@Infinite
 11433 Cronridge Drive  |   Internet:  Brett@Infinite.mhs.compuserve.com
 Suite H                |        FAX:  +1-410-363-3779
 Owings Mills, MD 21117 |       Fone:  +1-410-363-1097
------------------------+-------------------------------------------------
 
Damn, sure didn't import too well on the upload, but I think it is still 
readable. Anyone have any friends in the Netherlands? Wouldn't mind having a 
copy of that program or at least know what API calls they use that aren't 
documented.


Downloaded From P-80 International Information Systems 304-744-2253