Bugtraq mailing list archives
Re: NMRC Advisory - Default NDS Rights
From: don_costello () HQ DLA MIL (costello, don)
Date: Sat, 19 Sep 1998 16:47:30 -0400
First of all, simply displaying login ID's or their context is not necessarily a security risk (millions disagree, I know, but it's not the real risk), provided all other aspects of the security system are in tact. What IS a risk is faulty passwords (ie blank, easily guessed, never expire, etc). In this case, the real risk is the carelessness of the administrator, not a flaw with the system. What you're suggesting here is not really a fix, rather it is a removal of necessary functionality needed by "trusted" users of a Novell network. In fact, Novell has said that it is widely known that, if the presence if CX or NLIST poses some paranoia in your environment, you should delete these utilities from SYS:LOGIN, not modify the rights structure of the NDS tree. (I happened to learn this in training but others will more than likely concur). A non-logged in connection NEEDS read access to containers in order to set their starting context as well as walk the tree if the default context is not correct. By virtue of READ being on the container, all objects in that container can be displayed. It's a judgement call whether or not this poses any *real* threat. Besides, just to get access to the SYS:LOGIN directory itself is quite a touch trick. Unless *all* routers along a given path are running IPX or the site is running Netware IP, it would take some pretty nifty talent to even get to the LOGIN directory. Of course, you can never prevent the internal threat. -- dcc -- -------------- [NDS for NT Project Manager at Novell]: "We've got some good new and some bad news for you: The good news is, we don't mess with NT security. The bad new is....We don't mess with NT security..."
-----Original Message----- From: Simple Nomad [SMTP:thegnome () NMRC ORG] Sent: Friday, September 18, 1998 5:19 AM To: BUGTRAQ () netspace org Subject: NMRC Advisory - Default NDS Rights __________________________________________________________________________ _____ Nomad Mobile Research Centre A D V I S O R Y www.nmrc.org Simple Nomad [thegnome () nmrc org] 16Sep1998 __________________________________________________________________________ _____ Platform : Novell NetWare Application : NDS Severity : Medium Synopsis -------- Default settings during NDS installation reveal account names and other information to users who have not logged in. Learning potential account names is usually the first step before an intruder attacks a computer system. Tested configuration -------------------- The default settings were tested with the following configuration : Novell NetWare 4.1, 4.11 Service Pack 5 NDS 5.99 Various Clients It has also been confirmed by others outside of NMRC on virtually all NetWare systems > 3.x. Bug(s) report ------------- CX.EXE and NLIST.EXE both exist by default in the SYS:LOGIN directory. Upon loading the client software, the client connects to the preferred server with a NOT-LOGGED-IN connection. The unauthenticated client has access to CX.EXE and NLIST.EXE. This access in itself is not the problem, the problem lies in the default Read access at the root of the tree. These rights are "inherited" down the tree unless specifically blocked, allowing read access to most NDS objects in the tree. Most objects in the tree have at least Read access to the object type and name by default. The following commands can be issued by a client connected to a NetWare 4.x or IntranetWare server, revealing most if not all user account names, in addition to most if not the entire tree layout. CX /T /A /R - list all readable user and container object names in tree, and can give a rather accurate layout of the containers and basic contents NLIST USER /D - list info regarding user names in current context NLIST GROUPS /D - list groups and group membership in current context NLIST SERVER /D - list server names and OS versions, and if attached reveal if accounting is installed or not NLIST /OT=* /DYN /D - list all readable objects, including dynamic objects, names of NDS trees, etc Through a combination attaching to different servers and switching contexts, a potential intruder could determine the general layout regarding NDS, potentially even which servers contain certain replicas of the NDS database. The main information revealed is a list of potential user accounts for an intruder to use to gain access to a NetWare server. Once in, even limited accounts can re-run the above commands revealing even more information than before. The scenario is further damaging due to the fact that Intruder Detection is off by default. Solution/Workaround ------------------- Disable public Read access from the root of your NDS tree. Ensure all accounts have passwords, and that all assigned passwords are not easily guessed. Ensure Intruder Detection is turned on at the root of your NDS tree. Comments -------- This is certainly not a new problem. The revealing nature of CX has been discussed on USENET and has been reported in the NetWare Hack FAQ. The problem is that installations of NDS left rather unsecure seems to go on repeatedly despite the earlier warnings. NMRC is unaware of any tools or processes that might "undo" a workaround (outside of a tape restore), but it advised that after using any NDS global utility such as DSREPAIR or DSMAINT the rights should be rechecked to ensure all security safeguards are in place. It was reported several months ago to NMRC that this could happen, although we were unable to reproduce the results. YMMV. Novell is aware of this issue as the CX problems were made public more than a year ago, however both CX and NLIST are working as designed. This doesn't excuse Novell from responsibility - adequate documentation should be provided outlining the danger of not properly configuring NDS rights. While some environments might require a fairly open NDS tree, administrators should be given more secure options during initial server setup, or perhaps some design issues involving users not yet authenticated to the server need to be revisted. __________________________________________________________________________ _____
Current thread:
- Re: NMRC Advisory - Default NDS Rights costello, don (Sep 19)
- Re: NMRC Advisory - Default NDS Rights Simple Nomad (Sep 19)
- Re: NMRC Advisory - Default NDS Rights Bernd Eckenfels (Sep 19)
- Vulnerability in Lyris Listserver Jimmy Lee Alderson (Sep 19)
- Re: NMRC Advisory - Default NDS Rights Randy Richardson (Sep 20)
- <Possible follow-ups>
- Re: NMRC Advisory - Default NDS Rights M. Baker (Sep 19)