Vulnerability Development mailing list archives

Re: Buffer overflows on Netware 4x and 5x


From: Roland () ERCA NL (Roland Kool)
Date: Wed, 1 Mar 2000 18:17:49 +0100


Thanks all for replying. From responses I have noticed that my query was not
well defined. I was not looking for hacks for Netware, but I was wondering if
buffer overflow attacks would work on Netware to gain a remote shell (much 
like in NT and Unix).
Nomad's website is excellent and I was already aware of known insecurities 
in Netware. But most of the attacks rely on being able to sniff on the network
to gain access to password hashes and so on.
But when I hook up my server to the internet, how safe is it? Is it possible on
Netware to attack it with a buffer overflow to gain access to the console? Or is
the only way to "hack" it by means of DoS attacks (without gaining any
privileges)?
The fact that Netware is not widely used doesn't mean it is safe, although I
think (looking at some responses) it is more secure than current Unix or NT
based solutions. But that's IMHO. Anyone may try to convince me otherwise.

Thanks

Roland

"Michael D. Russo" <Michael.Russo2 () storagenetworks com> 03/01/00 04:13PM >>>
FYI: The quickest way to come up to speed on Netware Vulnerabilities is to
go to www.axent.com and review their vulnerabilities lists (whitepapers,
etc.) that their NetRecon product scans for... In a mixed NT, Unix, NetWare
shop, NetRecon is very useful since it scans for TCPIP, NetBios and IPX/SPX
protocol vulnerabilities. Since NetWare can be bound with both tcpip and
IPX/SPX, a sly way to penetrate a tcpip network is to hack ipx/spx well known
exploits on a dual stacked NetWare box.  There are quite a few well known
ipx/spx hacks that will indeed get you NetWare Supervisor (3.x) or NDS Admin
privileges.  Considering that Novell is attempting to position NetWare 5.x
as a web server, i.e. with TCPIP as a "native" protocol, if someone hacks the
box thru ipx/spx, they are then off to the races... the only saving grace is
that most hacker tools, sniffers, stealth spying tools (NMAP) and DDoS
attack suites are developed and ported primarily on Unix and NT systems and
not NetWare.

hth

Michael D. Russo
Information Security Project Manager
Strategy & Engineering Department 
Information Security Group
Storage Networks, Inc.
100 Fifth Avenue, Third Floor
Waltham, Massachusetts USA 02451
URL: http://www.storagenetworks.com/ 
EMAIL: mdrusso () storagenetworks com 

-----Original Message-----
From: Roland Kool [mailto:Roland () ERCA NL] 
Sent: Monday, February 28, 2000 6:10 AM
To: VULN-DEV () SECURITYFOCUS COM 
Subject: Buffer overflows on Netware 4x and 5x

Hi,

This is my first post to the list and I hope it's on topic.
I work at a college and am currently writing a security paper for our site.
Our environment primarily consists of Netware servers, versions 4.x and 5.x.
I am not a hacker, just a security conscious network administrator who likes
to keep his Netware boxes secure.

So my question is this: are there any known buffer overflow
exploits/possibilities on Netware boxes? Netware is capable of running more
than just file and print services. In our environment we run almost
everything on them.
Is the Netware architecture vulnerable to buffer overflow attacks? Just like
in NT and Unix there is a console that can be compromised. Netware also
supports the XCONSOLE.NLM (telnet daemon) which makes itself a potential
hacking target.
Does anyone know if any such exploits exist on Netware? I have never seen
them but that doesn't mean they aren't there. Is it possible?

Thanks

Roland

