Full Disclosure mailing list archives
Re: NetWare Screensaver Authentication Bypass From The Local Console
From: "Roger McLaren" <RMcLaren () vcss k12 ca us>
Date: Tue, 14 Dec 2004 13:47:36 -0800
This is just another underscore to the fact that physical security is as important as any other part of your security infrastructure. This vulnerability is present in virtually EVERY operating system if you allow a hacker to gain physical access to your server. Whether you boot the server from other media to change the Admin password, add an account, elevate your privileges, or simply copy the password info to crack at your liesure there is always a way if you have physical access. Just my $.02 worth. Roger R. McLaren Systems Support Analyst Information Technology Services Ventura County Superintendent of Schools
Brad Bendily <brad () selu edu> 12/14/2004 9:00:57 AM >>>
As we all know security comes in layers. The only way this exploit will work is if someone is standing at the server's console. In this way all servers are subject to vulnerability and I have discovered this method of hacking servers. Ok, not really. But I can tell you that if I have access to the server console then I can get access to the box. This vulnerability is not new, I had to legitimately hack the password for a couple of my NetWare servers and I did it 3-4 years ago using this same hack. Preferrably I would rather Novell NOT fix this. It's a great "just in case" tool. I think this is a waste of bandwidth. Brad B. On Sun, 12 Dec 2004, Adam Gray wrote:
Novacoast Security Advisory Novell Netware 5/5.1/6.0/6.5 Vulnerability Synopsis: Novacoast has discovered a vulnerability in the Novell NetWare
Operating
System screen saver software. The vulnerability allows a local
attacker
to bypass authentication and access the system console. Description: The Novell Operating System uses the screen saver nlm with lock
enabled
to protect access to the console. When the screen saver is locked
only a
user in the e-directory tree with supervisor rights to the server
object
has the ability to unlock it. It is possible to bypass this authentication scheme by entering the debugger within NetWare while
the
screensaver is running, kill the screensaver process, and resume the operating system without the screen saver or the access control
still
running. Affected Version: Novell NetWare 5.1 Novell Netware 6 Novell NetWare 6.5 Exploit: with the screensaver nlm running and in enable lock mode press alt
shift
shift esc. Find the screen saver process in memory. Kill it using
the
debugger. If you are not sure how to use the NetWare debugger then
just
kill the server with the q key and restart it without the
autoexec.ncf
running (server -na) edit the autoexec.ncf to keep the screensaver
from
running in the future and restart the server normally. The screen
saver
will not start again. Recommended Solution: Install the Bordermanager ICSA Compliance kit They put the screensaver fix into that patch Status: This bug has been submitted to, acknowledged by, and a fix has been created and included with the Bordermanager ICSA Compliance toolkit. Additional information can be found at the following location: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2969741.htm Disclaimer: Novacoast accepts no liability or responsibility for the content of this report, or for the consequences of any actions taken on the basis of the information provided within. Dissemination of this information is granted provided it is presented in its entirety. Modifications may not be made without the explicit permission of Novacoast. Adam Gray CTO Novacoast, Inc. agray_at_novacoast.com http://www.novacoast.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: NetWare Screensaver Authentication Bypass From The Local Console Roger McLaren (Dec 16)
- <Possible follow-ups>
- RE: NetWare Screensaver Authentication Bypass From The Local Console Adam Gray (Dec 16)
- Re: RE: NetWare Screensaver Authentication Bypass From The Local Console James Tucker (Dec 21)
- Re: RE: NetWare Screensaver Authentication Bypass From The Local Console Steve Wray (Dec 22)
- Re: RE: NetWare Screensaver Authentication Bypass From The Local Console James Tucker (Dec 21)