Bugtraq mailing list archives
Re: Novell Pandora Hack
From: thegnome () NMRC ORG (Simple Nomad)
Date: Tue, 13 Apr 1999 12:03:05 -0500
On Mon, 12 Apr 1999, Jeremy M. Guthrie wrote:
> I had a friend show me the Novell TID: 2941119 about what Novell calls the "Pandora Hack". It suggests patching Netware to at least SP5 and setting client/server signatures to 3. I was under the impression that the signature fix did not take care of the issue. Comments???? It looks like Novell wants you to see the error messages... then figure out a corrective action against the attacker. Or I could be on crack.
I thought crack ran on Unix...;-)

There are two things you need to do to stop the Pandora attacks from succeeding - load up the correct DS.NLM (hence the SP5B fix), and have SET NCP PACKET SIGNATURE OPTION=3 somewhere before this NLM loads. Putting the SET statement at the beginning of either the STARTUP.NCF or AUTOEXEC.NCF is fine. I'd also recommend binding protocols to cards last.

The client packet signature settings must be on at least 1 (which is the default) otherwise you will not be able to log in. This means proper protection from Pandora will involve updating any stone age client software.

That error is supposed to be there anyway -- that was the original problem, you could bypass all of the signature stuff and NCP spoof your way onto the server with elevated privs.

Yes the default out of the box settings on Netware 4.x leaves you vulnerable to attack. By default Netware 5 uses IP instead of IPX, but of course Novell's IP stack is susceptible to sequence prediction so you stand the same theoretical risk (Pandora is IPX-based only).

Of course spoofing the source of a Pandora attack can have other effects with these security measures in place, since you could fill up the SYS volume (stopping all server processing) with "invalid security signature" messages. There is no "last message repeated 200,000 times" log entry in Netware....

Simple Nomad // thegnome () nmrc org // ....no rest for the Wicca'd.... www.nmrc.org //
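
Added example, not part of the original post: a small Python audit of server startup files for the ordering advice above (signature option 3 set before anything is loaded, protocols bound last). The sample NCF text, the function name audit_ncf and the comment prefixes it skips (REM, #, ;) are assumptions; pass it the contents of STARTUP.NCF followed by AUTOEXEC.NCF.

```python
import re

# Constructed sample startup file (not from the original post).
SAMPLE_NCF = """\
REM constructed example
FILE SERVER NAME EXAMPLE1
LOAD 3C90X SLOT=1 FRAME=ETHERNET_802.2 NAME=NIC1
BIND IPX TO NIC1 NET=1234
SET NCP PACKET SIGNATURE OPTION=2
LOAD MONITOR
"""

SIG = re.compile(r"^SET\s+NCP\s+PACKET\s+SIGNATURE\s+OPTION\s*=\s*(\d)\s*$", re.I)
COMMENT = re.compile(r"^(REM\b|#|;)", re.I)  # assumed comment prefixes

def audit_ncf(text):
    """Return a list of findings; an empty list means the file follows the advice."""
    findings = []
    level = None              # last signature level set (a later SET overrides)
    seen_load_or_bind = False
    first_bind = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or COMMENT.match(line):
            continue
        m = SIG.match(line)
        verb = line.split()[0].upper()
        if m:
            level = int(m.group(1))
            if level != 3:
                findings.append(f"line {n}: signature option is {level}, expected 3")
            if seen_load_or_bind:
                findings.append(f"line {n}: SET comes after a LOAD/BIND; move it to the top")
        elif verb in ("LOAD", "BIND"):
            seen_load_or_bind = True
            if verb == "BIND" and first_bind is None:
                first_bind = n
            elif verb == "LOAD" and first_bind is not None:
                findings.append(f"line {n}: LOAD after BIND on line {first_bind}; bind protocols last")
    if level is None:
        findings.append("no SET NCP PACKET SIGNATURE OPTION statement found")
    return findings

if __name__ == "__main__":
    for finding in audit_ncf(SAMPLE_NCF):
        print(finding)
```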