[37688] in bugtraq
NetWare Screensaver Authentication Bypass From The Local Console
daemon@ATHENA.MIT.EDU (Adam Gray)
Mon Dec 13 18:00:27 2004
From: Adam Gray <agray@novacoast.com>
To: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com,
vulnwatch@vulnwatch.org
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-nAmp2nEnHhzDmHw/zEp+"
Date: Sun, 12 Dec 2004 17:24:10 -0800
Message-Id: <1102901051.18908.17.camel@aglinux.novacoast.com>
Mime-Version: 1.0
--=-nAmp2nEnHhzDmHw/zEp+
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Novacoast Security Advisory=20
Novell Netware 5/5.1/6.0/6.5 Vulnerability=20
Synopsis:=20
Novacoast has discovered a vulnerability in the Novell NetWare Operating
System screen saver software. The vulnerability allows a local attacker
to bypass authentication and access the system console.=20
Description:=20
The Novell Operating System uses the screen saver nlm with lock enabled
to protect access to the console. When the screen saver is locked only a
user in the e-directory tree with supervisor rights to the server object
has the ability to unlock it. It is possible to bypass this
authentication scheme by entering the debugger within NetWare while the
screensaver is running, kill the screensaver process, and resume the
operating system without the screen saver or the access control still
running.
Affected Version:=20
Novell NetWare 5.1
Novell Netware 6
Novell NetWare 6.5
Exploit:=20
with the screensaver nlm running and in enable lock mode press alt shift
shift esc. Find the screen saver process in memory. Kill it using the
debugger. If you are not sure how to use the NetWare debugger then just
kill the server with the q key and restart it without the autoexec.ncf
running (server -na) edit the autoexec.ncf to keep the screensaver from
running in the future and restart the server normally. The screen saver
will not start again.
Recommended Solution:=20
Install the Bordermanager ICSA Compliance kit
They put the screensaver fix into that patch
=09
Status:=20
This bug has been submitted to, acknowledged by, and a fix has been
created and included with the Bordermanager ICSA Compliance toolkit.
Additional information can be found at the following location:=20
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2969741.htm
Disclaimer:=20
Novacoast accepts no liability or responsibility for the=20
content of this report, or for the consequences of any=20
actions taken on the basis of the information provided=20
within. Dissemination of this information is granted=20
provided it is presented in its entirety. Modifications=20
may not be made without the explicit permission of=20
Novacoast.=20
Adam Gray=20
CTO=20
Novacoast, Inc.=20
agray_at_novacoast.com=20
http://www.novacoast.com=20
--=-nAmp2nEnHhzDmHw/zEp+
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQBBvO86oOYS90uI660RAkjBAKCRxFpcnsL1Db9plB7XpX9UMqROFwCfdJVY
GzfJ74pyWs1HBttiy6hRBbM=
=K8yV
-----END PGP SIGNATURE-----
--=-nAmp2nEnHhzDmHw/zEp+--
