Re: Vulnerability in Novell Netware
daemon@ATHENA.MIT.EDU (Simple Nomad)
Wed Mar 14 00:06:15 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSF.4.10.10103131614080.22385-100000@shell.fastlane.net>
Date: Tue, 13 Mar 2001 16:33:47 -0600
Reply-To: Simple Nomad <thegnome@NMRC.ORG>
From: Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

I think the main issue regarding the Novell print queue thing does involve
logging in via APIs and not using the client software. By specifying your
object type as that of a printer (something the client code does not
support) you can log in as the printer. And yes you can brute force the
password since Intrusion Detection does not apply here.

The main reason for gaining access to the server this way is because the
printer objects have access to an API call called ChangeToClientRights.
The sploit is supposed to go:

1. Login as printer.
2. Wait for supe/admin person to print something.
3. Execute ChangeToClientRights.
4. Do bad things.

Supposedly several people have had the code to do this for a while. It is
one of those 0-day things Netware hackers trade ;-) Anyway, there is some
code at http://www.nmrc.org/files/netware/netware.zip that is supposed to
do a lot of this stuff. I couldn't get it to work on 5.x SP2, and can't
really vouch for it, but everyone is free to try it out. It is also
somewhere on Packetstorm.

-- Simple Nomad - "No rest for the Wicca'd"
thegnome@nmrc.org
thegnome@razor.bindview.com - www.nmrc.org - razor.bindview.com