IRM Security Advisory 002: Netware Web Server Source Disclosure

From: IRM Security Advisories (advisoriesat_private)
Date: Wed Dec 19 2001 - 03:44:25 PST


    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    IRM Security Advisory No. 002
    
    Netware Web Server 5.1 Sample Page Source Disclosure
    
    Vulnerability Type / Importance: Information Leakage / High
    
    Problem discovered: November 18th 2001
    Vendor contacted: November 20th 2001, November 29th 2001
    Advisory published: December 11th 2001
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    Abstract:
    ~~~~~~~~~
    
    Novell's Netware 5.1 is shipped with a Web Server that is installed by
    default and contains various sample web pages. There is a "viewcode"
    application that is run through a Netware Loadable Module (NLM), which
    allows the source code of a default web page to be viewed. However, the
    NLM has the sample page name passed to it through a URL containing the
    path to the file. It is possible to alter the URL to permit the contents
    of any file on the system to be viewed, even those situated outside the
    web root. Using this method it is possible to view important
    configuration files, including the autoexec.ncf file, which contains the
    remote console password.
    
    Description:
    ~~~~~~~~~~~~
    
    Netware is an Operating System developed by Novell
    (http://www.novell.com) and is used by many organisations for user file
    and print sharing. Version 5.1 of the Netware Operating system comes
    with a web server that will be installed by default.
    Included on the web server are a wide variety of sample pages that
    demonstrate the flexibility and features of the product. However, one
    sample page uses a Netware Loadable Module (NLM) called sewse.nlm to
    call a script called viewcode.jse. The viewcode.jse file is designed to
    be used to display the source code of sample files called httplist.htm
    and httplist.jse. These file names are passed as parameters to the NLM
    through a URL such as (URL may wrap):
    
    http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist/httplist.htm+httplist/httplist.jse
    
    The application checks the files being requested only by requiring that
    the httplist directory is specified in the path to the files to be
    viewed. However, it is possible to traverse directories using /../ after
    httplist. The sewse.nlm module runs with sufficient permissions that it
    is possible to traverse to any file on the file system and view its
    contents.
    There are many files that may be of interest to an attacker and these
    include:
    
    SYS:\ETC\NETINFO.CFG     - Can contain a copy of the rconsole password
    SYS:\SYSTEM\AUTOEXEC.NCF - Contains the rconsole password
    SYS:\ETC\FTPAUDIT.LOG    - Contains valid usernames for password
                               guessing attempts
    
    An attacker could use the information gained to launch further attacks
    or to gain console access using the rconsole password.
    An example of the URL used to view the autoexec.ncf is (URL may wrap):
    
    http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf
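    The advisory does not publish the actual check inside sewse.nlm; the
    following added example (not code from IRM or Novell) models the check as
    the advisory describes it, beside a canonicalising check that rejects the
    traversal URL above while still accepting the legitimate sample-page URL.
    DOC_ROOT and the parameter layout are assumptions taken from the URLs in
    this advisory.

```python
import posixpath
from urllib.parse import unquote

# Assumed from the advisory's URLs: the docs tree holding the sample pages,
# and the one sample directory viewcode.jse is meant to expose.
DOC_ROOT = "sys:/novonyx/suitespot/docs/sewse"
ALLOWED_DIR = "httplist"

# Both URLs are the ones quoted in the advisory (benign, then traversal).
BENIGN_URL = ("http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/"
              "viewcode.jse+httplist/httplist.htm+httplist/httplist.jse")
TRAVERSAL_URL = ("http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/"
                 "viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf")


def weak_check(param: str) -> bool:
    """Models the check the advisory describes: the request is accepted as
    long as the path starts in the httplist directory. A '/../' sequence
    after 'httplist' satisfies this and still escapes the directory."""
    return param.startswith(ALLOWED_DIR + "/")


def hardened_check(param: str) -> bool:
    """Canonicalise the requested path relative to the docs tree and accept
    it only if it still resolves inside the sample directory."""
    # Reject volume-qualified (sys:) and backslash paths outright instead of
    # trying to normalise NetWare's alternative separators ourselves.
    if not param or ":" in param or "\\" in param:
        return False
    base = posixpath.normpath(posixpath.join(DOC_ROOT, ALLOWED_DIR)).lower()
    target = posixpath.normpath(posixpath.join(DOC_ROOT, param)).lower()
    # Compare on a directory boundary so 'httplist2/...' is not accepted.
    return target == base or target.startswith(base + "/")


def request_is_safe(url: str) -> bool:
    """Apply hardened_check to every file parameter of a sewse.nlm request.
    Parameters are '+'-separated; the first names the script, the rest name
    files to display. URL-decode before checking so %2e%2e is caught too."""
    query = url.split("?", 1)[1] if "?" in url else ""
    params = [unquote(p) for p in query.split("+")]
    return all(hardened_check(p) for p in params[1:])
```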
    
    There are Novell best practices which include encrypting the rconsole
    password in the autoexec.ncf file. However, there are tools available
    which can be used to break this encryption. Another Novell
    recommendation is to use a Console Screensaver, which requires the admin
    password to be entered after an rconsole connection has been made.
    This issue is similar to the problem discovered with the convert.bas
    script that shipped with Netware Web Server version 2.0. This previous
    issue is recorded as Bugtraq ID 2025 and CVE-1999-0175.
    
    Tested Versions:
    ~~~~~~ ~~~~~~~~~
    Netware Web Server 5.1 
    
    Tested Operating Systems:
    ~~~~~~ ~~~~~~~~~ ~~~~~~~~
    Netware Operating System version 5.1
    
    Vendor & Patch Information:
    ~~~~~~ ~ ~~~~~ ~~~~~~~~~~~~
    The vendor of this product, Novell, was contacted via email using the 
    address listed as their 'community relations' on 20th November 2001. 
    When no reply was received to this email after nine days, another
    email was sent on 29th November 2001 to the same address, and copied 
    to 'secureat_private'. No reply from either address had been received 
    as of December 11th 2001, and therefore the vulnerability 
    is being released to Bugtraq.
      
    
    Workarounds:
    ~~~~~~~~~~~~
    A workaround involves removing all sample web pages and sample NLMs.
    
    
    Credits:
    ~~~~~~~~
    Research & Advisory: Martyn Ruks (martyn.ruksat_private)
    
    Thanks: B-r00t (br00tat_private)
            Macavity (macavityat_private)
            morphsta (morphat_private)
            Blunt (bluntat_private)
            Ant (antat_private)
            Shlug (shlugat_private)
            indig0 (indig0at_private)
    
    
    
    Disclaimer:
    ~~~~~~~~~~~
    All information in this advisory is provided on an 'as is'
    basis in the hope that it will be useful. Information Risk Management
    Plc is not responsible for any risks or occurrences caused
    by the application of this information.
    
    A copy of this advisory may be found at
    http://www.irmplc.com/advisories
    
    The PGP key used to sign IRM advisories can be obtained from the above
    URL, or from keyserver.net and its mirrors.
    
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Information Risk Management Plc. 
    http://www.irmplc.com, infoat_private
    22 Buckingham Gate 
    London 
    SW1E 6LB
    +44 (0)207 808 6420
    
    



    This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 12:14:26 PST