Re: Novell Netware 4.X Hidden user accounts

[phayden () MINDSPRING COM (phayden)]

This is normal behaviour.  The NDS database allows all objects to be
managed in this way, and is in fact a strength of NDS security and
management.

The fact that a user can be removed from public view is not special -- in
fact, you could apply this feature to a container and hide an entire
department from public view.  The only reason this works is due to the fact
that the object is a supervisor of itself.  This is not a normal default
value.  By default, a user can only modify a few properties such as his
login script or other specific items.

The reason the user is removed from view is because all the object rights
had been blocked by the filter you invoked.  Had the user not been a
supervisor of himself, or no other user capable of management of the user,
this could not be accomplished.

> From a security standpoint, this is one way to create an account "back
door" into a system.  The rub is that in order to do so, you must first be
supervisor or equiv. to change NDS rights.  There are not very many tools
that will find "hidden" users like these.  Typically, an NLM must run at
the console in system security context to detect these users.

This experiment is covered in Novell training classes, and is used to
demonstrate the flexibility of NDS.  I would contend that it is hardly a
bug -- more likely, an administrator issue!


Pat Hayden

-----Original Message-----
From:   jdrodriguez () FANDAGO READ TASC COM
[SMTP:jdrodriguez () FANDAGO READ TASC COM]
Sent:   Thursday, April 16, 1998 2:59 PM
To:     BUGTRAQ () NETSPACE ORG
Subject:        Novell Netware 4.X Hidden user accounts

Command
        Creating user accounts
Systems Affectted
        Netware 4.X
Problem
Netware allows a user account to become "hidden" and unable to be
managed by native Netware tools including deleting the account.

The following MUST be done as an admin(supervisor)
1)  Start NWADMIN
2)  Create a user
3)  Give the user supervisor equivalence
(Note:  Not required, but why not)
4)  Right click on the user.
5)  Select Trustees
6)  Delete Root and Public trustees
7)  Select the user and change its rights(Object and Property)
8)  Assign ONLY Supervisor
9)  Select Inherited Rights Filter
10) Deselect all values(NO boxes should be marked)
11) Return to main NWADMIN screen(HIT OK TWICE, I think)
12) Refresh the screen(Can be done by clicking on the tree name where
the user account was created)
13) The user account is GONE.

Execute some native Netware commands.  Try this one which will list all
detailed information on all users.
        NLIST USER /D
The newly created account is now missing.

Now try to assign a password to the account.
        SETPASS USERNAME
You get an error message stating that you must be a manager to change
the password.

Solution:  Unknown
Workaround:
To delete this account.  You must start the server in bindery mode.  Add
SET BINDERY CONTEXT command in AUTOEXEC.NCF(Note: You must set the
context to the one
in which the account was created).  Utilize the USERDUMP tool to ID the
account, if you have not done so already.  Next, use CHGPASS to change
the user accounts password.  Login in as that user, and reverse the
previous procedure to hide the user account.  Specifically, adding
PUBLIC and ROOT as trustees.  USERDUMP and CHGPASS are publicly
available tools.