[19642] in bugtraq
Re: Vulnerability in Novell Netware
daemon@ATHENA.MIT.EDU (Jacek Lipkowski)
Wed Mar 14 03:47:53 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0103131125160.25835-100000@acid.ch.pw.edu.pl>
Date: Tue, 13 Mar 2001 12:03:48 +0100
Reply-To: Jacek Lipkowski <sq5bpf@ACID.CH.PW.EDU.PL>
From: Jacek Lipkowski <sq5bpf@ACID.CH.PW.EDU.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.OSF.4.21.0103121517190.29361-100000@bofh.physics.umd.edu>
It has been a while since i did anything with netware, but i seem to
remember, that under netware 3.x this bug also existed. There was
usually a printer object (object type 6 or 7 if i remember correctly),
that often had a name the same as the server (but not always). This object
had no LOGIN_CONTROL (it may have had another name) property (and thus
had no password). What is interesting is that netware 3.x had a function
called something like ChangeToClientRights(), which you could call to
switch your privilege (but you had to be object type 6 or 7 or whatever it
was). This function worked similarly to setuid(), it was meant to allow the
printer object to take jobs out of the queue with permissions of the user
who submitted them.
The bugs in later netware versions that people have described are probably
for reasons of backward compatibility or something.
jacek
ps. it has been 4 years since i've done any netware programming/security
work so this may be totally inaccurate.