Bugtraq mailing list archives

An attack against the NetWare login protocol.


From: gregmi () galileo mis net (Greg Miller)
Date: Sat, 28 Sep 1996 03:13:13 GMT


        I have successfully implemented this attack against a 3.12 server; the
exploit is available on my web page in the Novell section.  A brief explanation
of the attack follows:



                        An Explanation of NOCRYPT.EXE
                                Greg Miller
                            September 26, 1996


        The NetWare login protocol consists of three packet exchanges between
the server and the client.  First the client sends a request for a login key,
the server generates a random eight byte value and sends it to the client.
Then the client sends a request for the user ID of the user logging in, the
server looks up the user ID in the bindery and sends it to the client.
Finally, the client computes X=hash(UID,password) and Y=hash(X,login key) and
sends the result to the server.  The server retrieves X'=hash(UID,password)
stored in the bindery and computes Y'=hash(X',login key).  If Y=Y', the client
is granted access as the user.  If both the client and server agree to use
packet signatures, both parties then compute Z=hash(X,c) (where c is some
constant value) which they will use as a shared secret for authentication.
The following chart gives a graphical representation of the protocol:

        Client                                                          Server

Request Login  Key      ------------------------------------------------>

          <------------------------------------------------       Login Key

Request User ID         ------------------------------------------------>

          <------------------------------------------------       UID of client

Compute X=hash(UID,password)                      Compute X'=hash(UID,password)
Compute Y=hash(X,login key)                       Compute Y'=hash(X,login key)

Request Authentication  ------------------------------------------------>
If Y=Y', Access is Granted

Compute Z=hash(X,c)                               Compute Z=hash(X,c)


        When a user Alice logs in, an attacker Bob can interrupt this protocol
sequence and gain access as Alice without knowing her password.  In order for
the procedure to work, Bob must be on a network where he can observe the
traffic between Alice and the server, and Bob must be able to respond to
Alice's requests faster than the server.
        First Bob sends a request to the server to login, and the server sends
Bob a login key R".  Then Alice requests a login key from the server, Bob sees
the request and spoofs a reply as the server which sends Alice R" as her login
key.  The server receives Alice's request and sends her R as her login key,
when Alice receives R she will discard it as a duplicate.  Alice requests her
UID from the server, and the server responds with her UID.  Alice computes
X=hash(UID,password) and Y=hash(X,R") and sends the result to the server.  The
server computes Y'=hash(X,R), since Y' is not equal to Y, Alice is denied
access.  Meanwhile, Bob saw Alice's Y submitted to the server, he retrieves
this value from the network and sends it to the server for authentication as
Alice.  The server computes Y"=hash(X,R"), since Y = Y" Bob is granted access
as Alice.  Bob requests not to sign packets, if the server does not require
all clients to sign packets, then Bob is allowed to masquerade as Alice.

        Alice                           Bob                     Server

                                Requests Login Key R"  ---->

                                                       <---- Sends R" to Bob

Requests Login Key R    ----------------------------------->

                        <----   Sends R" to Alice
                        <----------------------------------- Sends R to Alice
Receives R" first
Discards R as a duplicate

Requests UID for Alice  ----------------------------------->

                        <----------------------------------- Sends UID of Alice

Computes X=hash(UID,password)
Computes Y=hash(X,R")
Sends Y to the server   -----------------------------------> Computes
                                                                Y'=hash(X,R)
                                Sees Y and retrieves it.     Y != Y',
                                                                access is denied

                                Sends Y for             ---> Computes
                                        authentication          Y"=hash(X,R")
                                                             Y"=Y, access is
                                                                granted

                                Refuses to sign packets      If all clients are
                                                             not REQUIRED to
                                                             sign packets,
                                                             access is granted.

        There may be a second attacker, Joe, waiting for Alice to log in
without using packet signatures.  As a result, Joe can hijack Bob's
connection as Alice.


God is a comedian playing to an audience too afraid to laugh.
Greg Miller: Programmer/Analyst (gregmi () mis net)
http://grendel.ius.indiana.edu/~gmiller/
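
Added example (not part of the original post, and not NOCRYPT.EXE): a small in-memory model of the exchange above, showing that Y is tied only to the login key of the connection it is submitted on, and that requiring packet signatures closes the gap because Z cannot be derived from Y. Assumptions: SHA-256 stands in for the NetWare hash, the signature is modelled as hash(Z,payload), and all names and sample values are constructed.

```python
import hashlib, hmac, os

def h(a: bytes, b: bytes) -> bytes:
    # Assumption: SHA-256 stands in for NetWare's hash, which the post does not specify.
    return hashlib.sha256(a + b).digest()

C = b"constructed-constant"                               # the post's constant c (made up)
UID, PW = b"\x00\x00\x00\x07", b"constructed-password"    # constructed sample data

class Server:
    def __init__(self, require_signing: bool):
        self.bindery = {"alice": (UID, h(UID, PW))}       # user -> (UID, X')
        self.require_signing = require_signing
        self.keys, self.sessions = {}, {}                 # conn -> login key, conn -> Z

    def login_key(self, conn: str) -> bytes:
        self.keys[conn] = os.urandom(8)                   # random eight-byte value
        return self.keys[conn]

    def authenticate(self, conn: str, user: str, y: bytes) -> bool:
        x_stored = self.bindery[user][1]
        if not hmac.compare_digest(y, h(x_stored, self.keys[conn])):
            return False                                  # Y != Y'
        self.sessions[conn] = h(x_stored, C)              # Z = hash(X, c)
        return True

    def accept_packet(self, conn: str, payload: bytes, sig=None) -> bool:
        if conn not in self.sessions:
            return False
        if sig is None:                                   # client declined to sign
            return not self.require_signing
        # Simplified signature check (assumption): sig = hash(Z, payload)
        return hmac.compare_digest(sig, h(self.sessions[conn], payload))

def honest_session(require_signing: bool) -> bool:
    srv = Server(require_signing)
    x = h(UID, PW)
    ok = srv.authenticate("alice-conn", "alice", h(x, srv.login_key("alice-conn")))
    return ok and srv.accept_packet("alice-conn", b"req", h(h(x, C), b"req"))

def spoofed_key_session(require_signing: bool):
    srv = Server(require_signing)
    r2 = srv.login_key("bob-conn")                        # R" issued on Bob's connection
    srv.login_key("alice-conn")                           # R, which Alice discards
    y = h(h(UID, PW), r2)                                 # Alice's Y, visible on the wire
    alice_ok = srv.authenticate("alice-conn", "alice", y)
    bob_ok = (srv.authenticate("bob-conn", "alice", y)    # Bob holds Y, not X or Z
              and srv.accept_packet("bob-conn", b"req"))
    return alice_ok, bob_ok
```

With signing optional the second connection is accepted on Y alone; with signing required every packet must carry a value computed from Z, which only a party knowing X can produce.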


