Possible privilege escalation with NDS for NT

From: nobody (pentesterat_private)
Date: Thu Jan 31 2002 - 10:21:32 PST


    The following security exposure may or may not exist
    for any shop running NDS for NT. We contacted Novell
    last August with this exposure.  They failed to
    respond. We later contacted Simple Nomad and he did a
    good job bringing the vulnerability to Novell's
    attention.  
    
    Novell indicates that this is really an "admin snafu"
    on our part.  Since the Novell manuals do not warn you
    against doing this I thought it best to submit this to
    BUGTRAQ so that other NDS/NT shops can avoid making
    the same error (if indeed it is an error!).
    
    Platform: Novell NetWare 5.x (NDS tree); NT domain
    machines are NT 4.0 SP6a.
    Application: NDS for NT.
    The NT SAM is effectively replaced by routing all NT
    Domain calls to NDS via TCP port 427 (and maybe other
    UDP ports).
    
    The Novell 32bit client on the desktop is 4.80 and it
    replaces the NT GINA.
    
    Summary:
    
    Given a valid Novell NDS account of any security level
    it may be possible to gain access to any NT domain
    machine (except the PDC/BDC) as "Domain Admin" by
    using another NDS account (that must be configured as
    below) and supplying no password.
    
    The NDS_ADM account that will be exploited:
    Any NDS account in the NDS tree that has been checked
    as having "domain admin" rights over the NT domain can
    be used - without supplying a password. This account
    must not - repeat - not exist in the NT domain.  If
    the account does exist in the NT domain this will not
    work. We verified that our particular account had a 14
    character (complex) password in the NDS tree - yet the
    exploit allows a "null" password to be used.
    
    Requirements and verification of the exploit:
    
    You will use 2 separate accounts: a low level user
    account and a supposedly misconfigured "admin" account
    (shown as NDS_ADM) - configured as above.
    
    1. Use an NT machine that is a member of the NT domain
    that the NDS tree manages
    2. Verify that your NDS_ADM account has "domain
    admin rights" over the NT domain.  This is the key
    portion of the vulnerability.
    3. Verify that your NDS_ADM account does not exist in
    the NT domain (i.e. you cannot display it with any NT
    tool (net user, user manager etc.)) - the account can
    only be seen with NetWare tools
    4. Ensure that you have logged into the NDS domain
    as an ordinary user with your low level account
    5. Verify that you do not have current access (as
    domain admin) to the target NT domain machine you are
    about to authenticate to as "domain admin".  One test
    is to try to access the default shares like C$, D$
    etc.
    
    If the above is verified then you can try to exploit
    the vulnerability by doing:
    
    from a DOS prompt:  (text may be wrapped)
    
    c:>net use \\target-IP\ipc$ /user:NDS_ADM *     
    Type the password for \\target-IP\ipc$:         
    The command completed successfully.
    
    (the * prompts you for a password)
    (simply hit enter when you get the: Type the..message)
    (Do not qualify the NDS_ADM name with the name of the 
    NT DOMAIN.)
    (The target-IP is any NT machine joined to the domain
    - but cannot be the PDC/BDC)
    
    If the above completes successfully - you can now
    verify that you have "domain admin" rights on the
    target-IP machine.  Try accessing a default share like
    C$
    
    The fix is to remove the check box for "admin rights
    on the NT Domain" from the NDS account NDS_ADM. 
    Novell indicates that this is our "error" - yet I
    cannot find a reference to this behavior - anywhere.
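The two conditions the post describes (NDS account flagged with "admin rights on the NT Domain", and no matching account in the NT domain) are exactly what an administrator would want to audit for before clearing the check box. The script below is an added example, not code from the original post or from Novell: it parses a constructed NDS export (the CSV layout is an assumption; produce it with whatever NetWare tooling you have) and constructed `net user /domain` output, and reports the NDS accounts that meet both conditions.

```python
"""
Audit helper (added example, not from the original BUGTRAQ post): list NDS
accounts that carry "admin rights on the NT Domain" but have no counterpart
in the NT domain's own account list. Those are the accounts whose check box
should be cleared, per the fix described in the post.
"""
import csv
import io

# Constructed sample of an NDS export. The "name,flag" CSV layout is an
# assumption for this example, not a Novell export format.
NDS_EXPORT = """\
account,nt_domain_admin
admin,yes
nds_adm,yes
helpdesk,no
jsmith,no
backupop,yes
"""

# Constructed sample of `net user /domain` output on an NT 4.0 member machine.
NET_USER_OUTPUT = """\
The request will be processed at a domain controller for domain CORP.


User accounts for \\\\PDC1

-------------------------------------------------------------------------------
Administrator            backupop                 Guest
jsmith                   helpdesk
The command completed successfully.

"""


def parse_nds_export(text):
    """Return the set of NDS account names (lower-cased) whose
    'admin rights on the NT Domain' flag is set."""
    flagged = set()
    for row in csv.DictReader(io.StringIO(text)):
        if row["nt_domain_admin"].strip().lower() in ("yes", "true", "1"):
            flagged.add(row["account"].strip().lower())
    return flagged


def parse_net_user(text):
    """Return the set of account names (lower-cased) listed by `net user /domain`.

    Names are printed in columns between the dashed separator line and the
    'The command completed successfully.' trailer; all other lines are ignored.
    """
    names = set()
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table:
            names.update(tok.lower() for tok in line.split())
    return names


def find_orphaned_admins(nds_text, net_user_text):
    """NDS accounts flagged as NT domain admins that the NT domain cannot see.

    These satisfy both conditions from the post: the admin box is checked in
    NDS and the account is absent from the NT domain. Returned sorted.
    """
    flagged = parse_nds_export(nds_text)
    nt_accounts = parse_net_user(net_user_text)
    return sorted(flagged - nt_accounts)


if __name__ == "__main__":
    for account in find_orphaned_admins(NDS_EXPORT, NET_USER_OUTPUT):
        print(f"clear 'admin rights on the NT Domain' for NDS account: {account}")
```

Note that name comparison is exact (case-insensitive): in the constructed data, `admin` in NDS does not match `Administrator` in the NT domain, so it is reported alongside `nds_adm`, while `backupop` exists on both sides and is not.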
    
    I wonder if other shops have this exposure. Anyway,
    the intent is to warn other NDS/NT shops that this
    can happen to them.  
    
    YMMV
    



    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 15:26:27 PST