Bugtraq mailing list archives

Re: Vulnerability in Novell Netware


From: Simple Nomad <thegnome () NMRC ORG>
Date: Tue, 13 Mar 2001 16:33:47 -0600

I think the main issue regarding the Novell print queue thing does involve
logging in via APIs and not using the client software. By specifying your
object type as that of a printer (something the client code does not
support), you can log in as the printer. And yes, you can brute-force the
password, since Intrusion Detection does not apply here.

The main reason for gaining access to the server this way is that the
printer objects have access to an API call called ChangeToClientRights.
The sploit is supposed to go:

1. Login as printer.
2. Wait for supe/admin person to print something.
3. Execute ChangeToClientRights.
4. Do bad things.

Supposedly several people have had the code to do this for a while. It is
one of those 0-day things Netware hackers trade ;-) Anyway, there is some
code at http://www.nmrc.org/files/netware/netware.zip that is supposed to
do a lot of this stuff. I couldn't get it to work on 5.x SP2, and can't
really vouch for it, but everyone is free to try it out. It is also
somewhere on Packetstorm.

-         Simple Nomad          -     "No rest for the Wicca'd"     -
-      thegnome () nmrc org        -                                   -
-  thegnome () razor bindview com  - www.nmrc.org   razor.bindview.com -
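The post describes three things a defender can watch for: printer objects authenticating at all, repeated failed logins against them (since NetWare's intruder lockout does not cover that path), and a printer-object session invoking ChangeToClientRights. The following is an added detection sketch, not code from the post, from NMRC or from Novell. The record format and the sample lines are constructed for the example; NetWare does not emit this format, so the parser is the part you would replace with a mapping from your real audit feed.

```python
"""Detection sketch for brute-force against printer objects and for a
printer-object session calling ChangeToClientRights.

Added example; record format and sample data are constructed, not NetWare's.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

FAIL_THRESHOLD = 5     # failed logins per object within WINDOW_SECONDS
WINDOW_SECONDS = 60


@dataclass
class Event:
    ts: int            # seconds (constructed timestamps)
    obj: str           # object name, e.g. "HP4_PRINTER"
    obj_type: str      # "PRINTER", "USER", ...
    event: str         # "LOGIN_OK", "LOGIN_FAIL" or "CALL"
    detail: str = ""   # for CALL events: the API name


def parse(line):
    """Parse one constructed record: '<ts> <obj> <type> <event> [<detail>]'."""
    ts, obj, obj_type, event, *rest = line.split()
    return Event(int(ts), obj, obj_type, event, rest[0] if rest else "")


def _prune(q, now):
    """Drop failure timestamps older than the sliding window."""
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()


def analyze(lines):
    """Return a list of (alert, object, ts) tuples for printer-object activity."""
    alerts = []
    fails = defaultdict(deque)      # obj -> timestamps of recent failed logins
    printer_sessions = set()        # printer objects currently logged in
    for ev in map(parse, lines):
        if ev.obj_type != "PRINTER":
            continue                # this sketch only tracks printer objects
        q = fails[ev.obj]
        _prune(q, ev.ts)
        if ev.event == "LOGIN_FAIL":
            q.append(ev.ts)
            # fires once when the burst reaches the threshold, not on every
            # further failure in the same window
            if len(q) == FAIL_THRESHOLD:
                alerts.append(("BRUTE_FORCE", ev.obj, ev.ts))
        elif ev.event == "LOGIN_OK":
            # a success right after a burst of failures is the guessing paying off
            if q:
                alerts.append(("BRUTE_FORCE_SUCCESS", ev.obj, ev.ts))
                q.clear()
            printer_sessions.add(ev.obj)
        elif (ev.event == "CALL" and ev.detail == "ChangeToClientRights"
              and ev.obj in printer_sessions):
            # the step the post says the sploit needs after an admin prints
            alerts.append(("RIGHTS_SWITCH", ev.obj, ev.ts))
    return alerts


# Constructed sample records: a guessing burst, a success, the rights switch,
# and one ordinary print-server login that should not alert.
SAMPLE_LOG = """\
1000 HP4_PRINTER PRINTER LOGIN_FAIL
1005 HP4_PRINTER PRINTER LOGIN_FAIL
1010 HP4_PRINTER PRINTER LOGIN_FAIL
1015 HP4_PRINTER PRINTER LOGIN_FAIL
1020 HP4_PRINTER PRINTER LOGIN_FAIL
1025 HP4_PRINTER PRINTER LOGIN_OK
1030 JDOE USER LOGIN_OK
1400 HP4_PRINTER PRINTER CALL ChangeToClientRights
1500 PSERVER1 PRINTER LOGIN_OK
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Legitimate print servers do log in as printer-type objects, so a plain printer login is deliberately not an alert here; the signal is the failure burst beforehand and the rights switch afterwards.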
