Netware Hack FAQ v6


Section 12

IntranetWare and the Internet

12-1. Is Netware's Web server secure?
12-2. What's the story with Netware's FTP NLM?
12-3. Can an IntranetWare server be compromised from the Internet?
12-4. Can I grab password files like in Windows NT or Unix?

12-1. Is Netware's Web server secure?

Novell's Web Server had a HUGE bug. The CGI scripts are Basic programs (yes you are about to hack a server using Basic!) and several are included with the server. One in particular, CONVERT.BAS, takes a file and converts it to HTML and then sends it to the user. Here's an example for www.target.com:

    http://www.target.com/scripts/convert.bas?readme.txt

The README.TXT file is returned as HTML. Now here's the bug:

    http://www.target.com/scripts/convert.bas?../../any_file_on_sys_volume

Nasty, huh? I recommend "../../system/autoexec.ncf", or "../../etc/ldremote.ncf". It can also be useful for other things (see 06-2 for an example). This has been fixed in the latest version of Novell's IntranetWare.
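As an added example (not part of the original FAQ), here is a defender's log check for the CONVERT.BAS bug described above: it decodes each requested URL and flags any call to convert.bas whose argument steps up a directory. The log lines and client addresses are constructed.

```python
# Added example, not part of the original FAQ: flag web-log requests that abuse
# the CONVERT.BAS path-traversal bug. Sample log lines are constructed.
import re
from urllib.parse import unquote

# Constructed sample lines in common log format (client addresses are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/1997:10:00:00 -0500] "GET /scripts/convert.bas?readme.txt HTTP/1.0" 200 512
10.0.0.9 - - [01/Jan/1997:10:00:01 -0500] "GET /scripts/convert.bas?../../system/autoexec.ncf HTTP/1.0" 200 2048
10.0.0.9 - - [01/Jan/1997:10:00:02 -0500] "GET /scripts/convert.bas?..%2F..%2Fetc%2Fldremote.ncf HTTP/1.0" 200 130
10.0.0.7 - - [01/Jan/1997:10:00:03 -0500] "GET /index.htm HTTP/1.0" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def is_traversal(path: str) -> bool:
    """True if the request targets convert.bas with a '..' segment in its argument."""
    url = unquote(path)  # decode %2F and friends before looking for '..'
    script, _, arg = url.partition("?")
    if not script.lower().endswith("/convert.bas"):
        return False
    # Split on both separators, since NetWare paths may use backslashes
    segments = re.split(r"[\\/]", arg)
    return ".." in segments

def find_traversal_attempts(log_text: str) -> list[tuple[str, str]]:
    """Return (client, decoded_path) for every line that abuses convert.bas."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if is_traversal(path):
            client = line.split(" ", 1)[0]
            hits.append((client, unquote(path)))
    return hits

if __name__ == "__main__":
    for client, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"{client} requested {path}")
```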


12-2. What's the story with Netware's FTP NLM?

With IntranetWare, the FTP NLM has a couple of problems. The standard installation gives Read and File Scan access to SYS:ETC so anonymous users can access files in that directory. This is a problem if you use INETCFG to configure RCONSOLE and then don't go back and encrypt the password in the file. The SNMP community password is in this directory, to say nothing about protocols, addresses, and other configuration information.

The wily Admin can turn off the rights, but guess what? Doing this breaks the logging feature.

The other major problem on Netware 4.1 with FTPSERV.NLM is that some users logging in via FTP are granted excessive rights. Stopping and starting the NLM seems to put the rights back the way they are supposed to be, but then they seem to revert to FULL rights. Using Fetch as an FTP client tends to make this happen every time.

While it does seem possible that going in and checking effective rights, checking bindery rights via SYSCON, and checking UNICON might turn up something, it seems that installed out of the box 4.1 is vulnerable. I am unsure if 4.11 is affected, but my guess is yes. The problem? If NFS file space isn't used, certain clients like Fetch and Cute FTP will end up with Supe rights to the volume.


12-3. Can an IntranetWare server be compromised from the Internet?

This is a tricky question; however, it is POSSIBLE. I've been working on the right set of conditions in the lab, and I have got it to happen. It involves a LOT of conditions, but these conditions are not entirely out of the question.

First, variations on the problems outlined in sections 12-1 and 12-2 could be used to gain initial access. For example, if a poorly constructed CGI script was put in place that allowed write access to the server and could be redirected, lines could be appended to NCF files.

For example, imagine that a CGI script is in place to add a line of text to a file, such as a mailing list. If this CGI script could be redirected, adding a few lines to SYS:ETC\LDREMOTE.NCF or SYS:SYSTEM\AUTOEXEC.NCF could give you complete access. Such lines might include:

        UNLOAD REMOTE
        LOAD REMOTE HACKPASSWORD
        LOAD XCONSOLE

Now simply telnetting to the server, using "hackpassword", and choosing VT-100 will give you remote console access after the next reboot.

Can't telnet past that NLM-based firewall? Add the commands to the NCF file to simply unload it! You can reload it after you've gained access, if you desire.

Access via Novell's FTP NLM is another problem. If you can gain access to the server via FTP and get read/write access to the SYS: volume, you can alter NCF files and open up all kinds of access.
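As an added example (not part of the original FAQ), here is an admin-side audit for the NCF tampering described in this section: it flags the kind of lines shown above (REMOTE reloaded with a plaintext password, XCONSOLE loaded) and diffs a server's NCF file against a trusted copy. The `-E` form for an encrypted REMOTE password is an assumption about NetWare syntax, not something the FAQ states; the sample files are constructed.

```python
# Added example, not part of the original FAQ: audit AUTOEXEC.NCF / LDREMOTE.NCF
# for the lines section 12-3 says an attacker would append, and compare the file
# with a trusted baseline. "-E" as the encrypted-password flag is an assumption.

def audit_ncf(text: str) -> list[str]:
    """Return one finding per suspicious line in an NCF file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in NCF files
        if not line:
            continue
        tokens = line.upper().split()
        if tokens[:2] == ["LOAD", "REMOTE"]:
            # LOAD REMOTE <password> puts the RCONSOLE password in clear text;
            # only the (assumed) -E encrypted form is accepted here
            if len(tokens) > 2 and tokens[2] != "-E":
                findings.append(f"line {lineno}: REMOTE loaded with a plaintext password")
        elif tokens[:2] == ["LOAD", "XCONSOLE"]:
            findings.append(f"line {lineno}: XCONSOLE loaded (telnet console access enabled)")
        elif tokens[:2] == ["UNLOAD", "REMOTE"]:
            findings.append(f"line {lineno}: REMOTE unloaded mid-script (reload with a new password?)")
    return findings

def added_lines(baseline: str, current: str) -> list[str]:
    """Lines present in the current NCF file but absent from the trusted copy."""
    known = {l.strip().upper() for l in baseline.splitlines()}
    return [l for l in current.splitlines()
            if l.strip() and l.strip().upper() not in known]

# Constructed sample: a trusted LDREMOTE.NCF and a tampered copy of it.
BASELINE_NCF = "LOAD REMOTE -E 1234ABCD\nLOAD RSPX\n"
TAMPERED_NCF = BASELINE_NCF + "UNLOAD REMOTE\nLOAD REMOTE HACKPASSWORD\nLOAD XCONSOLE\n"

if __name__ == "__main__":
    for finding in audit_ncf(TAMPERED_NCF):
        print(finding)
    print("added since baseline:", added_lines(BASELINE_NCF, TAMPERED_NCF))
```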


12-4. Can I grab password files like in Windows NT or Unix?

Shockingly, it is possible. If you have gained access via techniques outlined in the previous sections, you can grab the password file. Novell has stated publicly it cannot happen, yet I have done it in the lab.

First off, the NDS files are located in the SYS:_NETWARE directory. You would of course have to gain access to these files, and there are a couple of ways to do this. You can use the techniques described in Section 06-15, which will allow all kinds of things. But let's say the administrator of the server has removed NETBASIC, and you can't upload a file like JCMD.NLM. You are not entirely sunk.

As stated elsewhere in this FAQ, running a BINDFIX on Netware 3.x made a copy of the bindery files in SYS:SYSTEM. To get that 4.11 backup file, you need to run the equivalent utility from the console. And it is very simple.

 - If possible, wait until no one is logged in, as it will be noticeable. During this process no one can log in, although users already logged in should be okay.
 - UNLOAD CONLOG (duh)
 - LOAD DSMAINT
 - Choose the option to prepare for an upgrade.
 - This process creates a complete backup of NDS and the login scripts, and puts it in SYS:SYSTEM. The file is called BACKUP.DS. Use the problem with FTP.NLM to get it, or simply load up FTP.NLM if it isn't running.
