Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: NetWare Screensaver Authentication Bypass From The Local Console

from [Brad Bendily] Network Security [Permanent Link]
Subject: Re: NetWare Screensaver Authentication Bypass From The Local Console
Date: Tue, 14 Dec 2004 11:00:57 -0600 (CST) 

As we all know security comes in layers. The only way this exploit will
work is if someone is standing at the server's console. In this way
all servers are subject to vulnerability and I have discovered this 
method of hacking servers. Ok, not really. But I can tell you that if I
have access to the server console then I can get access to the box.

This vulnerability is not new, I had to legitimately hack the password
for a couple of my NetWare servers and I did it 3-4 years ago using
this same hack. Preferrably I would rather Novell NOT fix this. It's
a great "just in case" tool.

I think this is a waste of bandwidth.

Brad B.

On Sun, 12 Dec 2004, Adam Gray wrote:


Novacoast Security Advisory 
Novell Netware 5/5.1/6.0/6.5 Vulnerability 


Synopsis: 
Novacoast has discovered a vulnerability in the Novell NetWare Operating
System screen saver software. The vulnerability allows a local attacker
to bypass authentication and access the system console. 


Description: 
The Novell Operating System uses the screen saver nlm with lock enabled
to protect access to the console. When the screen saver is locked only a
user in the e-directory tree with supervisor rights to the server object
has the ability to unlock it. It is possible to bypass this
authentication scheme by entering the debugger within NetWare while the
screensaver is running, kill the screensaver process, and resume the
operating system without the screen saver or the access control still
running.

Affected Version: 
Novell NetWare 5.1
Novell Netware 6
Novell NetWare 6.5

Exploit: 
with the screensaver nlm running and in enable lock mode press alt shift
shift esc. Find the screen saver process in memory. Kill it using the
debugger. If you are not sure how to use the NetWare debugger then just
kill the server with the q key and restart it without the autoexec.ncf
running (server -na) edit the autoexec.ncf to keep the screensaver from
running in the future and restart the server normally. The screen saver
will not start again.

Recommended Solution: 
Install the Bordermanager ICSA Compliance kit
      They put the screensaver fix into that patch
      

Status: 
This bug has been submitted to, acknowledged by, and a fix has been
created and included with the Bordermanager ICSA Compliance toolkit.

Additional information can be found at the following location: 
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2969741.htm


Disclaimer: 
Novacoast accepts no liability or responsibility for the 
content of this report, or for the consequences of any 
actions taken on the basis of the information provided 
within. Dissemination of this information is granted 
provided it is presented in its entirety. Modifications 
may not be made without the explicit permission of 
Novacoast. 


Adam Gray 
CTO 
Novacoast, Inc. 
agray_at_novacoast.com 
http://www.novacoast.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  iDEFENSE Security Advisory 12.13.04: Adobe Reader 6.0 .ETD File Format String Vulnerability, customer service mailbox
Next by Date:  Re: Linux kernel IGMP vulnerabilities, Pekka Savola
Previous by Thread:  [Full-Disclosure] NetWare Screensaver Authentication Bypass From The Local Console, Adam Gray
Next by Thread:  [VulnWatch] Multiple vulnerabilities in phpMyAdmin, Nicolas Gregoire
Indexes:  [Date] [Thread] [Top] [All Lists]