[10206] in bugtraq


Re: Novell Pandora Hack

daemon@ATHENA.MIT.EDU (Sam Morris)
Wed Apr 14 13:13:06 1999

Date: 	Tue, 13 Apr 1999 12:36:48 -0600
Reply-To: Samuel_A._Morris@NOTES.UP.COM
From: Sam Morris <Samuel_A._Morris@NOTES.UP.COM>
To: BUGTRAQ@NETSPACE.ORG

I just went through this extensively with Novell, up to the point of having
the issue declared "CRITSIT" which is their highest level an incident can
be raised to.

By setting the server to reject incomplete NCP packets and those with bad
lengths, and also setting the NCP packet signature level to 3 (all of these
must be set in STARTUP.NCF, before DS.NLM loads...setting these in SERVMAN
will add them into AUTOEXEC.NCF, and you must cut and paste them into
STARTUP.NCF) you will effectively kill the exploit.  You will still see the
utilization rise on the server if someone "attacks" the server, but that is
merely the server rejecting the packet, and not processing it. (The server
HAS to look at the packets coming to it...they are NCP (NetWare Core
Protocol) packets, and to ignore them would effectively render the server
useless.) All that can be done is to have the server reject it and not
process it.

The downside of this all is that the attacker doesn't have to be logged
into the network, and there is no effective way to track the MAC address
they are coming from, as the packets take on the MAC address of the spoofed
connection. I would suspect though that if you thought someone was
attacking your servers, you could eventually figure out where that person
is, and take appropriate administrative actions. But for Novell's part,
there isn't much more one could expect them to do.

Keep in mind that setting NCP packet signature to level 3 will prevent
people using Microsoft's client for NetWare from being able to log in.

Sam
"Jeremy M. Guthrie" <jguthrie@CINET.NET> on 04/12/99 11:37:18 AM

Please respond to "Jeremy M. Guthrie" <jguthrie@CINET.NET>

To:   BUGTRAQ@NETSPACE.ORG
cc:    (bcc: Samuel A. Morris)
Subject:  Novell Pandora Hack
I had a friend show me the Novell TID: 2941119 about what Novell calls the
"Pandora Hack".  It suggests patching Netware to at least SP5 and setting
client/server signatures to 3.  I was under the impression that the
signature fix did not take care of the issue.  Comments????  It looks like
Novell wants you to see the error messages... then figure out a
corrective action against the attacker.  Or I could be on crack.

--

Jeremy M. Guthrie
Network Administrator
Certified Novell Engineer
Custom Internetworking      email:  jguthrie@cinet.net
6404 Odana Rd.              Phone:  (608)-663-8000
Madison, WI  53719          FAX:    (608)-276-6406

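As an added example, not from either message in this thread and not taken from Novell's TID, here is what the three settings Sam's reply describes look like when written as SET lines in STARTUP.NCF. The parameter names are the NetWare SET parameters for rejecting malformed NCP packets and for the NCP packet signature level; the commented-out "weak" block shows values assumed to be the defaults, which is an assumption rather than something the thread states.

```ncf
# STARTUP.NCF fragment (added example, not from the thread or from Novell).
# Placing these in STARTUP.NCF, rather than AUTOEXEC.NCF, makes them take
# effect before DS.NLM loads, which is the ordering the reply above requires.

# Weak state (values assumed to be the defaults, an assumption):
# the server processes malformed NCP requests and accepts unsigned packets.
#   SET Reject NCP Packets With Bad Lengths = OFF
#   SET Reject NCP Packets With Bad Components = OFF
#   SET NCP Packet Signature Option = 1

# Hardened state described in the reply above: reject incomplete NCP
# packets and those with bad lengths, and require signed NCP packets.
SET Reject NCP Packets With Bad Lengths = ON
SET Reject NCP Packets With Bad Components = ON
SET NCP Packet Signature Option = 3
```

The server must be restarted for STARTUP.NCF changes to take effect; afterwards, entering a SET parameter name at the server console without a value displays its current setting, which is a quick way to confirm the three lines were picked up from STARTUP.NCF rather than left in AUTOEXEC.NCF. Keep the caveat from the reply in mind before enabling signature level 3: clients that cannot sign NCP packets, such as the Microsoft client for NetWare mentioned above, will no longer be able to log in.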