Bugtraq mailing list archives

Possible privilege escalation with NDS for NT


From: nobody <pentester () yahoo com>
Date: Thu, 31 Jan 2002 10:21:32 -0800 (PST)

The following security exposure may or may not exist
for any shop running NDS for NT. We contacted Novell
last August with this exposure.  They failed to
respond. We later contacted Simple Nomad and he did a
good job bringing the vulnerability to Novell's
attention.  

Novell indicates that this is really an "admin snafu"
on our part.  Since the Novell manuals do not warn you
against doing this I thought it best to submit this to
BUGTRAQ so that other NDS/NT shops can avoid making
the same error (if indeed it is an error!).

Platform: Novell NetWare 5.x (NDS tree) - NT domain
machines are NT 4.0 SP6a.
Application: NDS for NT.
The NT SAM is effectively replaced by routing all NT
Domain calls to NDS via TCP port 427 (and maybe other
UDP ports).

The Novell 32bit client on the desktop is 4.80 and it
replaces the NT GINA.

Summary:

Given a valid Novell NDS account of any security level
it may be possible to gain access to any NT domain
machine (except the PDC/BDC) as "Domain Admin" by
using another NDS account (that must be configured as
below) and supplying no password.

The NDS_ADM account that will be exploited:
Any NDS account in the NDS tree that has been checked
as having "domain admin" rights over the NT domain can
be used - without supplying a password. This account
must not - repeat - not exist in the NT domain.  If
the account does exist in the NT domain this will not
work. We verified that our particular account had a
14-character (complex) password in the NDS tree - yet the
exploit allows a "null" password to be used.

Requirements and verification of the exploit:

You will use 2 separate accounts: a low level user
account and a supposedly misconfigured "admin" account
(shown as NDS_ADM) - configured as above.

1. Use an NT machine that is a member of the NT domain
that the NDS tree manages
2. Verify that your NDS_ADM account - has "domain
admin rights" over the NT domain.  This is the key
portion of the vulnerability.
3. Verify that your NDS_ADM account does not exist in
the NT domain (i.e. you cannot display it with any NT
tool (net user, user manager etc.)) - the account can
only be seen with NetWare tools
4. Ensure that you have logged into the NDS domain
as an ordinary user with your low level account
5. Verify that you do not have current access (as
domain admin) to the target NT domain machine you are
about to authenticate to as "domain admin".  One test
is to try to access the default shares like C$, D$
etc.

If the above is verified then you can try to exploit
the vulnerability by doing:

from a DOS prompt:  (text may be wrapped)

c:>net use \\target-IP\ipc$ /user:NDS_ADM *
Type the password for \\target-IP\ipc$:
The command completed successfully.

(the * prompts you for a password)
(simply hit enter when you get the: Type the..message)
(Do not qualify the NDS_ADM name with the name of the 
NT DOMAIN.)
(The target-IP is any NT machine joined to the domain
- but cannot be the PDC/BDC)

If the above completes successfully - you can now
verify that you have "domain admin" rights on the
target-IP machine.  Try accessing a default share like
C$

The fix is to remove the check box for "admin rights
on the NT Domain" from the NDS account NDS_ADM. 
Novell indicates that this is our "error" - yet I
cannot find a reference to this behavior - anywhere.

I wonder if other shops have this exposure. Anyway,
the intent is to warn other NDS/NT shops that this
can happen to them.  

YMMV

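The fix described in the post is to untick "admin rights on the NT Domain" on any NDS account that does not also exist in the NT domain. The following audit script is an added example (not from the original post or from Novell) that finds such accounts: it parses the fixed-width output of `net user /domain` (the NT tool the post mentions for step 3) and compares it against an export of NDS user objects with their NT-domain-admin flag. The NDS export format, the column width of `net user` output, and all account names are constructed assumptions for the example.

```python
"""Audit helper: list NDS accounts that have "admin rights on the NT Domain"
checked but do not exist as NT domain accounts, i.e. the misconfiguration
the post describes. Added example, not code from the original post."""

# Constructed sample of `net user /domain` output. The three fixed-width
# columns mirror the NT command's layout; the account names are made up.
NET_USER_OUTPUT = """\
User accounts for \\\\NTPDC

-------------------------------------------------------------------------------
Administrator            Guest                    jsmith
svc_backup               mjones
The command completed successfully.
"""

# Constructed stand-in for an export of NDS user objects. Whether the
# "admin rights on the NT Domain" box is checked is modelled as a boolean;
# the real NetWare export format is an assumption, only these two fields
# matter for the check.
NDS_EXPORT = [
    {"name": "Admin", "nt_domain_admin": True},
    {"name": "jsmith", "nt_domain_admin": False},
    {"name": "NDS_ADM", "nt_domain_admin": True},
    {"name": "svc_backup", "nt_domain_admin": True},
    {"name": "helpdesk_adm", "nt_domain_admin": True},
]

COLUMN_WIDTH = 25  # assumed width of each `net user` name column


def parse_net_user(output: str) -> set[str]:
    """Return the lower-cased account names printed by `net user`.

    Names sit between the dashed rule and the trailing status line. They
    are sliced by column width rather than split on whitespace because NT
    account names may themselves contain spaces. NT names are
    case-insensitive, so they are normalised to lower case."""
    names: set[str] = set()
    in_table = False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or line.startswith("The command"):
            continue
        for start in range(0, len(line), COLUMN_WIDTH):
            cell = line[start:start + COLUMN_WIDTH].strip()
            if cell:
                names.add(cell.lower())
    return names


def find_unmatched_nt_admins(nds_export, nt_accounts: set[str]) -> list[str]:
    """NDS accounts flagged as NT domain admin with no matching NT account.

    These are the accounts the post says can be used against domain
    members without a password; each one should have the NT-domain-admin
    box cleared (the fix the post gives)."""
    return sorted(
        rec["name"]
        for rec in nds_export
        if rec["nt_domain_admin"] and rec["name"].lower() not in nt_accounts
    )


if __name__ == "__main__":
    nt_accounts = parse_net_user(NET_USER_OUTPUT)
    for name in find_unmatched_nt_admins(NDS_EXPORT, nt_accounts):
        print(f"clear NT-domain-admin flag on NDS account: {name}")
```

On a real system the first constant would be replaced by the captured output of `net user /domain` run from a domain member, and the second by an export from the NetWare administration tools; accounts that appear in both lists (like `svc_backup` above) are not affected by the behaviour the post describes.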

