Netware Penetration Testing

Introduction

Escalation of Privileges (NETWARE 5, NETWARE 6)

Denial of Service (NETWARE 5, NETWARE 6)

Information Gathering

Bibliography

Tools


Introduction

Despite being an unorthodox operating system, with an administrative model that borrows from both Unix-like and Windows environments, Novell Netware has inherent security flaws that make exploiting it fairly easy, especially on the older Netware 4 and Netware 5.0 releases. There are very few "script kiddie" attacks against it; however, as outlined in the 4th edition of Hacking Exposed, all that is required is a moderate level of skill and some introductory-level penetration testing experience.

Although Novell, like any other operating system vendor, is responsible to its customers for providing a secure environment, its support life cycle for Netware is fast ending. For Netware 4 and 5 no further support packs are offered, and Netware 5.1 is scheduled to be phased out before the end of the year. By the author's estimate, 80% of Netware administrators do not update their systems on a regular basis: Novell offers no automatic update mechanism, and installing support packs is often a tedious and difficult process. For that reason a number of Netware servers remain vulnerable to the types of attacks outlined in this article.

Additionally, as mentioned in the Netware risk management article, many Netware deployments are generational in nature, meaning they are deployed and then left in place for a very long time. A Netware 5 server deployed in a typical environment would run for 7 to 10 years before being evaluated for an update, and more often than not it would then be migrated to a newer version of Netware, or additional servers would be installed alongside it so as not to disturb the existing eDirectory tree.

This article outlines network-oriented escalation of privilege attacks on Netware 5 and 6 servers, as well as denial of service and social engineering attacks, which the majority of Netware users identify as their greatest security problems or concerns.



Escalation of Privileges (NETWARE 5)

 

Introduction

The goal of every privilege escalation attack on a network operating system is to obtain the equivalent of root on the system. On Linux that means obtaining a uid 0 shell (cracking the root password is one route; abusing a setuid binary or a kernel flaw are others); on a Windows NOS, adding a user to the Administrators group is the usual way. In Netware the holy grail is the Security Equal To property of a user object (illustrated below): any user listed as security equivalent to Admin holds Admin's rights.


A user whose Security Equal To list contains Admin effectively has the same rights to the system as Admin; in this example the user ian has unfettered access to system resources and can make any change to eDirectory that he wishes.

 

This section of the article outlines how the user belder achieves Admin-equivalent access to the system: the steps taken and the methodology followed in achieving root-level access to the server.

Please note that belder is not a member of any administrative group and holds no special rights; all escalation attacks are carried out as this user.

Auditing of Passwords

Every Netware server has a hidden system directory, SYS:_NETWARE, that cannot be browsed from client workstations or from the directory listing on the server console, not even by the Admin user. It can only be reached through certain system NLMs loaded at the server console. This directory holds the NDS database files for the server (four files on the releases discussed here):

 

As mentioned in previous sections, any user can run ConsoleOne, and on most out-of-the-box networks can also reach the remote console software bundled with Netware (RCONSOLE or RConsoleJ). If console security is properly implemented (a strong remote console password, SECURE CONSOLE, physical access control on the server room) the user should not be able to reach the console at all, and the attack stops here.

 

Once the user has access to SYS:_NETWARE, the files named above must be copied out of the directory to a Netware workstation. The user then launches a Netware password auditing tool such as IMP or Pandora:


The program audits the files and reports the passwords, as illustrated in the figure above.
Once the user has the Admin password, all that remains is to log in as Admin and, through ConsoleOne, make belder security equivalent to Admin.

 



Escalation of Privileges (NETWARE 6)


 

Introduction

Although the NDS database files attacked in the previous section remain a critical part of Netware 6 (and of every other version of Netware), the Pandora attack is widely publicized and Novell introduced an effective workaround in Netware 6 and Netware 6.5. The design team focused on the root of the problem: users reach the console, and from the console reach the files. Their solution was simple: the console access paths, iManager and RConsoleJ, were reworked to deny everyone except Admin and users security equivalent to Admin.

 

This solution addresses the vulnerability effectively, so escalating privileges on Netware 6 involves considerably more work.

 

In order to launch a remote console we must first gather information about the target server, specifically which versions of the NLMs it is running. This information is readily visible in most of the client programs and in ConsoleOne.

The next step is to locate a vulnerability in Netware 6 itself, or in one of the products installed on it. Several are discussed on internet newsgroups and some exploits are bundled with the Metasploit Framework:


 

 

After selecting an exploit, target the Novell server and launch a generic remote shell payload:

 


Once the shell is launched the attacker has a command shell with root-level access, can copy the files out of SYS:_NETWARE and crack them with Pandora.

Another alternative is Pandora's online attack. This mode exploits a weakness present in Netware 4, 5 and 6 (not 6.5): it attacks the server directly over the network and decodes the passwords without the user ever needing a remote console.

(Screenshot of the Pandora online attack: http://oceanic.wsisiz.edu.pl/~pnowicki/security/pan_online.gif)

Pandora research continues to evolve, and more attacks against the Netware 6 and 6.5 environments are being developed.

 

Non Users

 

Like any other network operating system, Novell's is bound by the rules of TCP/IP, and one of those rules works in the attacker's favour: everything reachable over TCP/IP has an IP address and listening services. Even without a client login the server can be contacted directly (NCP on 524/tcp, LDAP on 389 and 636, the web-based management ports), which leaves it open to unauthenticated probing.

 

To exploit this we use another tool from the Pandora toolkit, checknull.exe. It takes a string from the user (the full LDAP username), asks the server whether that user's password is NULL, and reports the result.

[Figure: Checknull scanning the user MFOUST]

 

NLIST

 

Most versions of Netware ship with NLIST, a DOS-based program that scans contexts for user names. Used together with Checknull or social engineering, it provides the starting point for an unauthorized entry into a Netware server.

 

[Figure: NLIST output]
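The Checknull and NLIST steps above are normally chained by hand: NLIST gives user names in NDS form, Checknull wants the full LDAP username. The following script, an added example that is not part of the original article or of the Pandora toolkit, parses NLIST user output, orders the accounts by how weak they look, and emits the LDAP DNs to feed to checknull. Two things are assumptions: the NLIST sample text is constructed for this example and mimics the tabular layout of NLIST USER (the column set differs between Netware versions, so adjust COLUMNS to match your output), and typeless NDS names are typed with the default NDS rule (leftmost component CN, rightmost O, everything between OU).

```python
"""Turn NLIST user output into checknull targets (added example, not from
the original article or the Pandora project).

Assumptions, also flagged in comments below:
  * SAMPLE_NLIST is constructed text mimicking NLIST USER tabular output;
    the column layout is an assumption, adjust COLUMNS if yours differs.
  * Typeless NDS names are typed with the default rule: leftmost part is
    CN, rightmost is O, anything in between is OU.
"""
import re

# Constructed sample, not captured from a real server.
SAMPLE_NLIST = """\
Object Class: User
Current context: IT.ACME
User name= The name of the user
Dis= Login disabled
Log exp= Login expiration date, 0 = no expiration
Pwd= Yes if passwords are required
Pwd exp= Password expiration date, 0 = no expiration
Uni= Unique passwords required
Min= Minimum password length
User name            Dis  Log exp    Pwd  Pwd exp    Uni  Min
-------------------------------------------------------------
admin                No   0          Yes  0          Yes  8
belder               No   0          No   0          No   0
mfoust               No   0          No   0          No   0
svc_backup           Yes  0          Yes  0          No   0
A total of 4 User objects was found in this context.
"""

# Column order of the data rows after the dashed separator (assumed layout).
COLUMNS = ("name", "disabled", "login_exp", "pwd_required", "pwd_exp",
           "unique_pwd", "min_len")


def parse_nlist(text):
    """Return (current context, list of row dicts) from NLIST USER output."""
    context = None
    rows = []
    in_table = False
    for line in text.splitlines():
        if line.lower().startswith("current context:"):
            context = line.split(":", 1)[1].strip()
            continue
        if line.startswith("---"):
            in_table = True          # data rows follow the separator
            continue
        if in_table:
            if not line.strip() or line.startswith("A total"):
                break                # end of the table
            parts = line.split()
            if len(parts) != len(COLUMNS):
                continue             # not a data row, skip it
            rows.append(dict(zip(COLUMNS, parts)))
    return context, rows


def nds_to_ldap_dn(name, context=None):
    """Convert an NDS name (typeless or typeful) to an LDAP DN.

    ".belder.it.acme"         -> "cn=belder,ou=it,o=acme"  (leading dot = absolute)
    "belder" + "IT.ACME"      -> "cn=belder,ou=IT,o=ACME"  (relative to context)
    "CN=belder.OU=it.O=acme"  -> "cn=belder,ou=it,o=acme"  (already typeful)
    """
    if name.startswith("."):
        full = name[1:]
    elif context:
        full = f"{name}.{context.lstrip('.')}"
    else:
        full = name
    # Split on unescaped dots; NDS escapes a literal dot as "\.".
    parts = [p for p in re.split(r"(?<!\\)\.", full) if p]
    rdns = []
    for i, part in enumerate(parts):
        if "=" in part:              # already typed, keep the given type
            typ, val = part.split("=", 1)
        elif i == 0:
            typ, val = "cn", part
        elif i == len(parts) - 1:
            typ, val = "o", part
        else:
            typ, val = "ou", part
        rdns.append(f"{typ.lower()}={val}")
    return ",".join(rdns)


def checknull_targets(text):
    """LDAP DNs to feed to checknull, least-protected accounts first.

    Accounts that require no password and are not disabled come first;
    disabled accounts are dropped, a null password there gains nothing.
    """
    context, rows = parse_nlist(text)
    live = [r for r in rows if r["disabled"].lower() != "yes"]
    live.sort(key=lambda r: (r["pwd_required"].lower() == "yes", r["name"]))
    return [nds_to_ldap_dn(r["name"], context) for r in live]


if __name__ == "__main__":
    for dn in checknull_targets(SAMPLE_NLIST):
        print(dn)
```

Run it against a saved NLIST capture (replace SAMPLE_NLIST with the file contents) and pipe the output into checknull one DN per line. The ordering matters on a large tree: accounts with "Pwd = No" are the ones Checknull is most likely to confirm, so they go first.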

 



Denial of Service (NETWARE 5)

Introduction

Novell's operating systems, like most major network operating systems, have a real problem with denial of service vulnerabilities. As stated earlier in this document, a Netware server accepts connections from any host regardless of authentication, so triggering a vulnerability on a Netware server is not difficult provided the exploit is specifically geared toward Netware servers, or generic enough to pass as a regular console session in the Netware environment.

Because Netware 6 and 6.5 lean heavily on open source components such as Apache, while Netware 5 still rests on the Netware 3 and Netware 4 code base, this section is divided along those lines.

 

Vulnerabilities but Not Catalysts

Netware 5 is essentially its own breed of operating system, and several vulnerabilities exist in its modular components (NDPS, Novell Distributed Print Services, and iManager). The Secunia vulnerability database lists several advisories for Netware Loadable Modules (NLMs):


The problem, however, is the catalyst for delivering the vulnerability: the payload.

 

The following section of a Metasploit payload list illustrates this:


 

As you can see, the majority of the payloads are Windows "add user" payloads plus some generic bind and reverse shells. All research indicates that a generic reverse shell payload may succeed in getting a console on a Netware server from time to time; however, the failure rate is well above 50%.

For accurate penetration testing a Netware-specific payload for Metasploit should be developed.

 


Netware Denial of Service

One of the major disadvantages of iManager is that it offers an unprecedented level of system administration through a web browser window: a user who completes an escalation of privilege attack then has a clear administration window into your server from anywhere in the world, via a web browser.

The iManager login is also not subject to the simultaneous connection restriction recommended in the security section of this guide. A user who has escalated to Admin has a clear way of disabling the server through iManager, and anyone thoroughly familiar with Netware could alter the DOS partition (reachable through iManager), remove SERVER.EXE from AUTOEXEC.BAT so that the server no longer starts, or simply delete SERVER.EXE altogether.

 

[Figure: iManager accessing the DOS partition. An attacker could upload a blank AUTOEXEC.BAT, then down the server, rendering it unbootable.]

iManager ships with several features that allow the iManager "administrator" to restart or down the server.

 



Denial of Service (NETWARE 6)

Introduction

 

Despite being an updated version of Netware 5, Netware 6 incorporates a number of components from the Linux and open source world, which lets denial of service testing take a more Linux-like approach. Some of the vulnerabilities from the previous section still apply to the Netware 6 platform, but the Linux influence gives attackers more flexibility in the types of vulnerabilities and payloads that affect a Netware 6 system.

 

 

Vulnerability Association

In this edition of Netware, Novell seems to have removed most of the vulnerabilities from the modules and add-ons of the product, but new vulnerabilities appear in the core modules of the operating system. One of the first CVE entries associated with Netware describes a flaw (addressed in the latest Netware 6 support pack) that can cause a null pointer dereference in TCP.NLM. As its name suggests, this NLM is critical to the server's networking, and with a packet-crafting tool such as Packet Builder an attacker can crash the server.

 


 

Apache

One of the most significant changes in Netware 6 is the introduction of the Apache web server and the removal of the older Netscape Enterprise Server (still in use on some Solaris installations). This leaves a fair amount of exposure in the OS, since Apache has always been a prominent attack surface on Linux.

 


All research indicates that the Netware 6 platform is vulnerable to the same kinds of Apache vulnerabilities as any other Apache distribution. As discussed at length, the problem is the payload: Linux command shell payloads succeed more often against Netware, but the success rate is still not sufficient to mount an effective, conclusive attack on a Netware 6 server.
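Before choosing Apache-specific test cases it helps to confirm from the network which web stack the target runs, since that also separates a Netware 6/6.5 box (Apache) from a Netware 5 box (Netscape Enterprise Server). The following script is an added example, not code from the original article, that does the check from the HTTP Server header. Assumptions: the sample responses are constructed for this example, Apache on Netware reports its platform as "(NETWARE)" in the Server header, and Netscape Enterprise Server identifies itself as "Netscape-Enterprise/<version>"; the hostnames and ports passed to probe() are whatever you are testing.

```python
"""Fingerprint a Netware web stack from its HTTP Server header (added
example, not from the original article).

Assumptions: the sample responses are constructed; Apache on Netware
reports "(NETWARE)" as its platform string; Netscape Enterprise Server
reports "Netscape-Enterprise/<version>".
"""
import http.client
import re

# Constructed sample responses, not captured from real servers.
SAMPLE_NW6 = (b"HTTP/1.1 200 OK\r\n"
              b"Server: Apache/1.3.27 (NETWARE) mod_jk/1.2.2\r\n"
              b"Content-Length: 0\r\n\r\n")
SAMPLE_NW5 = (b"HTTP/1.1 200 OK\r\n"
              b"Server: Netscape-Enterprise/3.6 SP3\r\n\r\n")
SAMPLE_OTHER = b"HTTP/1.0 404 Not Found\r\nServer: nginx/1.18.0\r\n\r\n"


def server_header(raw):
    """Extract the Server header value from raw HTTP response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def fingerprint(banner):
    """Classify a Server header into product, version, platform and era."""
    info = {"product": None, "version": None, "platform": None,
            "netware": False, "era": "unknown"}
    if not banner:
        return info
    m = re.match(r"([A-Za-z\-]+)/([\d.]+)", banner)   # "Product/1.2.3"
    if m:
        info["product"], info["version"] = m.group(1), m.group(2)
    pm = re.search(r"\(([^)]+)\)", banner)            # "(PLATFORM)"
    if pm:
        info["platform"] = pm.group(1)
    if "NETWARE" in banner.upper():
        info["netware"] = True
    if info["product"] == "Apache" and info["netware"]:
        info["era"] = "Netware 6 or 6.5 (Apache)"
    elif info["product"] == "Netscape-Enterprise":
        # NES also shipped on Solaris, so this alone does not prove Netware.
        info["era"] = "Netware 5.x or Solaris (Netscape Enterprise Server)"
    return info


def probe(host, port=80, timeout=5.0):
    """Send one HEAD request to host:port and fingerprint the reply.

    Needs network access; the parsing functions above do not.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        banner = conn.getresponse().getheader("Server")
    finally:
        conn.close()
    return fingerprint(banner)


if __name__ == "__main__":
    for raw in (SAMPLE_NW6, SAMPLE_NW5, SAMPLE_OTHER):
        print(fingerprint(server_header(raw)))
```

Against a live target call probe("server.example", 80) and probe("server.example", 2200) (the iManager/Portal port is an assumption; use whatever ports your scan found). A missing or stripped Server header gives "unknown", which is itself a hint that someone has hardened the box.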



Information Gathering

Introduction

Information gathering on servers is always the first step in penetration testing. Novell's developers make it extremely difficult to get any kind of information off the server from the server console; however, a number of simple tools bundled with Netware make extracting information from the server via the client very easy. This section outlines the subtle differences between the server consoles and then takes an in-depth look at the tools that allow a user to extract information from a client.


Server Console Variants

The main difference between the server consoles, seen in passing, is the appearance of the GUI. The server GUI has a Java look, giving the illusion of an older Solaris variant; this is because the Novell GUI is Java based and Java is a major component of Netware. Don't let the look of the OS fool you: the look and feel may resemble Solaris, but at the core it is a very different system.

If no GUI is present and the system has been in place for several years, it is safe to assume that the OS is Netware 4 or below. The GUI is difficult to disable at start-up, although most competent security administrators will exit the GUI once the server is set up correctly, to prevent "pass-by reconnaissance" of the system. The reason Netware 4 is the likely answer when no GUI is present is simple: the GUI did not become a major component of the OS until Netware 5.

 

[Figure: Remote Netware console, Netware 4]

Things get slightly more complicated with Netware 5 and 6, whose GUIs are nearly identical. The most noticeable differences are the sharpness of the icons and the background picture. The GUI is simple in design and received very little development time, so the options for changing the background are not obvious, and most administrators (as I did throughout this project) never bother changing the default background.

 

[Figure: Netware 6 GUI]

[Figure: Netware 5 GUI]

The two screenshots above illustrate the differences in GUI configuration between the two OS variants: the top is Netware 6 (significantly sharper image and a more visual background), the bottom is the Netware 5 GUI.

 

Console

Observed from the console rather than the GUI, a Netware server is easily mistaken for a Linux box: both present a simple prompt and use differently coloured text for different system components. There are differences, though. The most obvious is that a Linux shell prompt shows the hostname and current path (for example "localhost root #", as illustrated below), whereas the Netware console (bottom picture) shows only the server name and no directory location, because the Netware server console was never intended for directory browsing.

 

[Figure: Linux console prompt]

[Figure: Netware console prompt]

 

 

Gathering Information from a Workstation

The first of several tools is, oddly enough, the Novell client itself. Unlike the Windows client, which only tells you a domain name, the Netware client lets the user view the server name, the tree name and the context. Clicking the Context, Tree and Server buttons lets the user browse the directory looking for objects to connect to, which gives an idea of how the directory is broken down and what the server names are, all without logging in.

[Figure: Novell client login dialog with details]

 

[Figures: tree, contexts and servers browse dialogs]

The Novell Connections menu item (under the red "N" icon in the system tray) also lets the user view connection information and the servers currently connected. In a large environment a user could gather critical information about a number of servers on the Netware network this way.


 

Clicking the Novell Connections item in My Network Places lets the user browse the tree, gaining information about contexts and the servers in them. All volumes are displayed unless the user lacks access to a specific volume.


In the above section of a typical Netware context we can see organizational units, print queues, server names and volumes.


Right-clicking a server object and choosing Properties shows the user a great deal of information, including the LDAP server name, licensing information, the OS revision (indicating the support pack level), the OS version, the server name and IP/IPX address information.

The next tool useful for gathering information on Netware systems from a client is NWADMIN32. Included with Netware 4, 5, 6, 6.5 and the newest edition, Open Enterprise Server, it was originally intended as an administration tool for adding users and groups, assigning permissions and similar simple tasks. Although ConsoleOne replaced it in Netware 6, it is still present in the SYS:PUBLIC directory of all Netware servers, which is mapped to user desktops by default.

The program gives the user detailed information on the directory structure and the user names of all users in a given context or tree (depending on assigned access rights). This is a perfect starting point for social engineering attacks, mainly because user information (department, first name, last name, phone number) is readable by virtually every user on the system.

It is worth noting, however, that the more complex the eDirectory tree (especially when newer Netware 6.5 features such as iPrint and NetStorage are added), the more likely NWADMIN is to crash. This also depends on network utilization.

 




Bibliography

Sections of this document draw on the following websites:

http://www.nmrc.org/project/pandora/index.html
http://www.nmrc.org/project/pandora/inside.txt
http://support.novell.com/techcenter/articles/ana20000603.html



Tools

 

Windows

Metasploit Framework

NLIST

Pandora Offline

Pandora Online

Linux

Metasploit Framework

Pandora Online

 

 



 
