Bugtraq mailing list archives
Re: Vulnerability in Novell Netware - Yeah, it's a user. So what?
From: Kain <kain () KAIN ORG>
Date: Mon, 12 Mar 2001 08:17:13 -0600
On Thu, Mar 08, 2001 at 01:36:23PM -0700, Vulnerability Help wrote:
> The information in this advisory was supplied by Chris Hughes <hughescj () usa net>.
> This security advisory is not endorsed by Security-Focus.com.
>
> Vulnerability in Novell Netware
>
> Date Published: 03/08/01
> Advisory ID: n/a
> Bugtraq ID: 2446
> CVE CAN: None currently assigned.
> Title: Novell Netware Print Server Vulnerability
> Class: Configuration Error
> Remotely Exploitable: Yes
> Locally Exploitable: Yes
>
> Vulnerability Description:
> Novell Netware allows a user to log into a Novell Network by using a Printer Server as the username. By default, Novell Print Servers have blank passwords. In addition, Novell Print Servers do not have intruder detection capability as a user account would, so they are vulnerable to a brute force attack without risk of account lockout. When a Print Server is logged into as a User, the account will have the same rights as are assigned to the container that it resides in.
I haven't worked with netware since 4.11, but I remember that the documentation (Netware Manuals) covers this. It mentions that to handle print-spools and the like, Netware Printer Servers need a user object to work as and to protect that user accordingly. Someone correct me if I'm wrong here. Granted, with NDS, it may no longer have been necessary to have that user, but Novell wanted to have Bindery compatibility. There *ARE* ways to work around this, even though it still is a design flaw, it's not a severe insecurity IMHO.

--
** Bryon Roche, Kain <kain () chaosium net>