Bugtraq mailing list archives
An attack against the NetWare login protocol.
From: gregmi () galileo mis net (Greg Miller)
Date: Sat, 28 Sep 1996 03:13:13 GMT
I have successfully implemented this attack against a 3.12 server; the exploit is available on my web page in the Novell section. A brief explanation of the attack follows:

An Explanation of NOCRYPT.EXE
Greg Miller
September 26, 1996

The NetWare login protocol consists of three packet exchanges between the server and the client. First the client sends a request for a login key; the server generates a random eight byte value and sends it to the client. Then the client sends a request for the user ID of the user logging in; the server looks up the user ID in the bindery and sends it to the client. Finally, the client computes X=hash(UID,password) and Y=hash(X,login key) and sends the result to the server. The server retrieves X'=hash(UID,password) stored in the bindery and computes Y'=hash(X',login key). If Y=Y', the client is granted access as the user. If both the client and server agree to use packet signatures, both parties then compute Z=hash(X,c) (where c is some constant value), which they will use as a shared secret for authentication. The following chart gives a graphical representation of the protocol:

    Client                                                   Server

    Request Login Key        ------------------------------------------------>
                             <------------------------------------------------  Login Key
    Request User ID          ------------------------------------------------>
                             <------------------------------------------------  UID of client
    Compute X=hash(UID,password)                             Compute X'=hash(UID,password)
    Compute Y=hash(X,login key)                              Compute Y'=hash(X',login key)
    Request Authentication   ------------------------------------------------>
                                                             If Y=Y', Access is Granted
    Compute Z=hash(X,c)                                      Compute Z=hash(X,c)

When a user Alice logs in, an attacker Bob can interrupt this protocol sequence and gain access as Alice without knowing her password. In order for the procedure to work, Bob must be on a network where he can observe the traffic between Alice and the server, and Bob must be able to respond to Alice's requests faster than the server.
First Bob sends a request to the server to log in, and the server sends Bob a login key R". Then Alice requests a login key from the server; Bob sees the request and spoofs a reply as the server which sends Alice R" as her login key. The server receives Alice's request and sends her R as her login key; when Alice receives R she will discard it as a duplicate. Alice requests her UID from the server, and the server responds with her UID. Alice computes X=hash(UID,password) and Y=hash(X,R") and sends the result to the server. The server computes Y'=hash(X,R); since Y' is not equal to Y, Alice is denied access. Meanwhile, Bob saw Alice's Y submitted to the server; he retrieves this value from the network and sends it to the server for authentication as Alice. The server computes Y"=hash(X,R"); since Y = Y", Bob is granted access as Alice. Bob requests not to sign packets; if the server does not require all clients to sign packets, then Bob is allowed to masquerade as Alice.

    Alice                          Bob                              Server

                                   Requests Login Key R"  ---->
                                                          <----   Sends R" to Bob
    Requests Login Key R     ----------------------------------->
                             <---- Sends R" to Alice
                             <-----------------------------------  Sends R to Alice
    Receives R" first
    Discards R as a duplicate
    Requests UID for Alice   ----------------------------------->
                             <-----------------------------------  Sends UID of Alice
    Computes X=hash(UID,password)
    Computes Y=hash(X,R")
    Sends Y to the server    ----------------------------------->  Computes Y'=hash(X,R)
                                   Sees Y and retrieves it.        Y != Y', access is denied
                                   Sends Y for authentication ---> Computes Y"=hash(X,R")
                                                                   Y"=Y, access is granted
                                   Refuses to sign packets         If all clients are not REQUIRED
                                                                   to sign packets, access is granted.

There may be a second attacker, Joe, waiting for Alice to log in without using packet signatures. As a result, Joe can hijack Bob's connection as Alice.

God is a comedian playing to an audience too afraid to laugh.
Greg Miller: Programmer/Analyst (gregmi () mis net) http://grendel.ius.indiana.edu/~gmiller/
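The following is an added toy model of the three-message exchange and of the sequence in the post, written to show why the post's own observation holds: a connection that presents a relayed Y never learns X, so it cannot derive Z=hash(X,c) and cannot sign packets, and a server that REQUIRES signatures from every client therefore refuses it. This is illustration code, not NOCRYPT.EXE and not Novell's implementation. It assumes SHA-256 over "|"-joined inputs as a stand-in for hash(a,b), a constructed constant C in place of c, and a server that remembers which login key it issued to which connection number; the user name, UID and password are constructed sample values.

```python
import hashlib
import hmac
import os

# Assumption: SHA-256 over "|"-joined inputs stands in for hash(a, b).
# The real NetWare hash is not reproduced here.
C = b"packet-signature-constant"   # constructed stand-in for the constant c


def h(*parts):
    """hash(a, b, ...) stand-in for the model (assumption, not Novell's hash)."""
    return hashlib.sha256(b"|".join(parts)).digest()


class Server:
    def __init__(self, bindery, require_signatures):
        # bindery: user name -> (UID, X') where X' = hash(UID, password)
        self.bindery = bindery
        self.require_signatures = require_signatures
        self.login_keys = {}   # connection number -> 8-byte login key issued
        self.sessions = {}     # connection number -> (user, Z or None)

    def request_login_key(self, conn):
        key = os.urandom(8)            # random eight byte value, per the post
        self.login_keys[conn] = key
        return key

    def request_uid(self, user):
        return self.bindery[user][0]

    def authenticate(self, conn, user, y, will_sign):
        """Check Y against the login key issued to THIS connection only."""
        uid, x_stored = self.bindery[user]
        r = self.login_keys.pop(conn)
        if not hmac.compare_digest(y, h(x_stored, r)):   # Y' = hash(X', key)
            return False
        if self.require_signatures and not will_sign:
            return False
        # Z is derived from X', which only a party holding X can also derive.
        self.sessions[conn] = (user, h(x_stored, C) if will_sign else None)
        return True

    def verify_signed_packet(self, conn, payload, sig):
        user, z = self.sessions[conn]
        return z is not None and hmac.compare_digest(sig, h(z, payload))


def make_bindery(user, uid, password):
    return {user: (uid, h(uid, password))}


def honest_login(server, conn, user, password):
    """Normal client: uses the key the server issued to its own connection."""
    r = server.request_login_key(conn)
    uid = server.request_uid(user)
    x = h(uid, password)
    y = h(x, r)
    return server.authenticate(conn, user, y, will_sign=True)


def relayed_key_scenario(require_signatures):
    """Model the sequence from the post: Alice computes Y over the key R"
    that was issued to Bob's connection, and that Y is then presented on
    Bob's connection. Returns (alice_granted, bob_granted, bob_can_sign)."""
    server = Server(make_bindery(b"ALICE", b"\x00\x01", b"alice-password"),
                    require_signatures)
    alice_conn, bob_conn = 1, 2
    r_bob = server.request_login_key(bob_conn)   # R" issued to Bob
    server.request_login_key(alice_conn)         # R issued to Alice, discarded by her
    uid = server.request_uid(b"ALICE")
    x = h(uid, b"alice-password")                # only Alice holds X
    y = h(x, r_bob)                              # Alice hashed with R" instead of R
    alice_granted = server.authenticate(alice_conn, b"ALICE", y, will_sign=True)
    bob_granted = server.authenticate(bob_conn, b"ALICE", y, will_sign=False)
    bob_can_sign = False
    if bob_granted:
        # Without X there is no way to derive Z, so a signature made from a
        # guess fails; the session was also opened with Z = None.
        bob_can_sign = server.verify_signed_packet(bob_conn, b"payload",
                                                   h(b"guess", b"payload"))
    return alice_granted, bob_granted, bob_can_sign


if __name__ == "__main__":
    print("signatures optional:", relayed_key_scenario(False))   # (False, True, False)
    print("signatures required:", relayed_key_scenario(True))    # (False, False, False)
```

The model keeps the server logic the post describes (Y is compared against the key issued to the presenting connection) and adds only the `require_signatures` switch, which corresponds to the "all clients REQUIRED to sign packets" condition in the chart. With it off, the relayed Y is accepted on Bob's connection; with it on, the same Y is refused because the presenting side cannot commit to signing, and any later signature check would fail for lack of Z.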