*****************************************
/                                       \
/           Mnemonic Presents           \
/    Exploiting the NetWare Bindery     \
/          A KeyRoot Advisory           \
/                                       \
*****************************************

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Exploiting The NetWare Bindery
7/4/99
Mnemonic and KeyRoot Information Security
we'll get a webpage to go here
xkyller@hotmail.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For those of you who follow my stuff in Keen Veracity, some of the material in this advisory is repeated from previous releases. This advisory should be accurate for versions of NetWare up to and including NetWare 3.x.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1 - Abstract

For a long time, NetWare has done very poorly in the security field. Even with the many tools released by various people to bring NetWare's weaknesses to light, Novell continues to ignore the existence of its problems until the details of an attack have been released to the public. As a wannabe admin and a repetitive Pepsi drinker, I think it is necessary for me to release my research on NetWare security. The problem now is that the NetWare bindery is openly accessible to any NetWare user. That means my password, your password, and the password of that idiot in the office next to you.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2 - The NetWare Bindery

NetWare's bindery is basically memory sectioned off for the use of NetWare processes; on a NetWare 3.x server it lives on disk in the hidden files NET$OBJ.SYS, NET$PROP.SYS and NET$VAL.SYS in SYS:SYSTEM and is cached by the operating system. It is a database in which NetWare keeps information about network resources and users, and which many function groups use to store and retrieve information. Each file server on a network has its own bindery, and thus its own group of known objects. The NetWare bindery can best be compared to the Force. It binds the galaxy together. Yeah..

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
3 - Description

There are actually two things I want to discuss here. The first is getting the password for someone else's account, and the other is getting the password for the account you're on. They are two separate things.
Now check it out: NetWare represents each shared application, printer or logged-in user as an object in the bindery. Each object has identifying characteristics, known as properties, and every property belongs to an object. An object has these attributes:

    OBJECT ID
    OBJECT NAME
    OBJECT TYPE
    OBJECT FLAG
    OBJECT SECURITY
    PROPERTIES FLAG

These are the property attributes:

    OBJECT ID
    PROPERTY NAME
    PROPERTY FLAGS
    PROPERTY SECURITY
    VALUES FLAG

The property name is a character string of up to 16 characters, including the null terminator. Property names have the same restrictions on the use of characters as object names. The property flags are stored as a one-byte field. They indicate whether the property is static or dynamic, and whether it is an item or a set. Sets are lists of object IDs which are interpreted by NetWare. Item properties are unformatted binary fields stored in 128-byte segments which are interpreted by applications or NetWare APIs. The property security byte says who may read and who may write that property, so read access is decided per property, not per object.

Any user can retrieve the 128-byte segment which represents an object's password, and then convert this binary string into clear text. The advisory does not show how that conversion is done; keep in mind that NetWare 3.x stores the PASSWORD property as a hash of the password rather than as clear text, and that the property security byte above governs who may read it.

The user first calls GetObjectData() to get the name of the object. This function uses ScanBinderyObject() to populate a structure of type OBJECT. There are two ways of identifying an object: by OBJECT ID, or by OBJECT NAME and OBJECT TYPE. The last element of the list is a dummy with all fields cleared to 0. The user then calls GetUserAndApplicationData() (GetUserAndAppInfo() in the fragment below) to retrieve the password. For example:

    ...
    #include <stdio.h>
    #include <string.h>

    /* Fragment as published, with the syntax errors fixed. aop, szPassword
       and inpf are never declared in the advisory, and OBJECT, OT_APPLICATION
       and GLOBAL come from the NetWare client SDK, so this does not compile
       as given. */
    GLOBAL int GetUserAndAppInfo(char *argv[], int nMaxArgs, OBJECT *pObject)
    {
        /* object to look up: name and type taken from the command line */
        strcpy(aop->obj.szObjectName, argv[nMaxArgs - 2]);
        aop->obj.wObjectType = OT_APPLICATION;
        strcpy(aop->szPassword, argv[nMaxArgs - 1]);
        /* read the stored password value */
        fread(&szPassword, sizeof(int), 1, inpf);
        printf("\nThe password for that account is %s\n", szPassword);
        return 0;
    }

The second thing I want to discuss is the retrieval of the password for the account that you're on. To do this we use functions in the Connection Services.
So we can call GetConnectionNumber() to get the number that the file server has assigned to this workstation's connection. Then we call GetConnInfo() to get the name of the user, among other information, including the password. Take a look:

    ...
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* Fragment as published, with the syntax errors fixed. aop, szPassword
       and inpf are never declared in the advisory, and FS_CONNECTION_INFO,
       GetConnInfo() and GetConnectionNumber() are assumed to come from the
       NetWare client SDK, so this does not compile as given. */
    int GetMyAccountPassword(char *argv[], int nMaxArgs, OBJECT *pObject)
    {
        FS_CONNECTION_INFO *pFSConnInfo;

        /* ask the server who is logged in on our own connection number */
        pFSConnInfo = GetConnInfo(GetConnectionNumber());
        if (pFSConnInfo == NULL)
            return -1;
        /* this is where the user info is now */
        *pObject = pFSConnInfo->fsLoggedObject.obj;
        free(pFSConnInfo);
        strcpy(aop->obj.szObjectName, argv[nMaxArgs - 2]);
        aop->obj.wObjectType = OT_APPLICATION;
        strcpy(aop->szPassword, argv[nMaxArgs - 1]);
        fread(&szPassword, sizeof(int), 1, inpf);
        printf("\nThe password for the account you're on is %s\n", szPassword);
        return 0;
    }

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
4 - Impact

Wow. I shouldn't even have to go over this section. If your network is running NetWare and you have private data of any sort on it, your data is susceptible to the will of the attacker. The severity of this attack is only as big as the system that is affected. A hacker may decide to get the password to the supervisor account if the supervisor is logged in. If that happens, the hacker has complete control of that file server: every account, every file and every print queue on it. The hacker may decide to change or delete your data, or do nothing at all.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
5 - What to do about it

There is actually nothing that any of us can do about this right now. We can't deny people access to the NetWare bindery or monitor their queries of it. The best thing to do right now is to switch to something more secure until the problem is fixed in a later version of NetWare. It would be wise to presume that it works on all versions of NetWare.

Two caveats for anyone acting on this: everything above needs a valid NetWare login, so disabling GUEST and stale accounts and not leaving SUPERVISOR logged in on a workstation cuts down the exposure; and NetWare 4.x replaced the bindery with NDS and only presents a bindery to old clients through bindery emulation, so the description above applies directly to 2.x and 3.x servers and would have to be re-tested against 4.x.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Legions Interactive http://www.legions.org
Keen Veracity http://www.underzine.com
RootFest 2K http://www.rootfest.org
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
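Section 3 describes the bindery as a database of objects carrying properties, item values read in 128-byte segments, a security byte on each property, and the connection number as the way to find the object logged in on a workstation. What follows is an added example, not code from this advisory or from the NetWare SDK: a small C model of that structure with a ScanBinderyObject-style lookup by name and type, a connection-table lookup standing in for GetConnectionNumber() plus GetConnInfo(), and a property read gated by the property security byte. The function names, the read/write nibble convention for the security byte (low nibble read level, high nibble write level, 0 anyone through 4 NetWare OS only), the rule that the object named SUPERVISOR holds supervisor rights, and all sample objects and connections are assumptions made for this example. The sample gives PASSWORD an OS-only read level, so the read is refused for every logged-in requester, the supervisor-level one included, while IDENTIFICATION is readable from any logged-in connection.

```c
/* Toy model of the bindery as section 3 describes it: objects, properties
 * with 128-byte item segments, a security byte per property, and a table
 * from connection number to logged-in object. Added example, not code from
 * the advisory or the NetWare SDK; function names, the security-byte layout
 * and all sample data are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OT_USER      0x0001
#define SEGMENT_SIZE 128
#define MAX_PROPS    4
#define MAX_OBJECTS  8
#define MAX_CONNS    8

/* Security byte (assumed convention): low nibble = read level, high nibble =
 * write level; 0 anyone, 1 logged in, 2 object itself, 3 supervisor, 4 OS. */
enum { SEC_ANYONE, SEC_LOGGED, SEC_OBJECT, SEC_SUPERVISOR, SEC_NETWARE };
#define READ_LEVEL(sec) ((sec) & 0x0f)

typedef struct {
    char    name[16];            /* up to 15 characters plus NUL */
    uint8_t flags;               /* bit 0 dynamic, bit 1 set (unused here) */
    uint8_t security;
    uint8_t value[SEGMENT_SIZE]; /* one item segment */
} PROPERTY;

typedef struct {
    uint32_t id;
    char     name[48];
    uint16_t type;
    int      nprops;
    PROPERTY props[MAX_PROPS];
} OBJECT;

/* Constructed sample bindery, not real data: PASSWORD readable by the NetWare
 * OS only (0x44), IDENTIFICATION by any logged-in user (0x31). */
static OBJECT bindery[MAX_OBJECTS] = {
    {1, "SUPERVISOR", OT_USER, 1, {{"PASSWORD", 0, 0x44, "<hash>"}}},
    {2, "ALICE", OT_USER, 2, {{"PASSWORD", 0, 0x44, "<hash>"},
                              {"IDENTIFICATION", 0, 0x31, "Alice Example"}}},
    {3, "BOB", OT_USER, 1, {{"PASSWORD", 0, 0x44, "<hash>"}}},
};
static int nobjects = 3;
/* conn -> object ID, 0 = not logged in: conn 1 ALICE, 2 BOB, 3 SUPERVISOR */
static uint32_t conn_table[MAX_CONNS] = {0, 2, 3, 1};

/* ScanBinderyObject-style lookup by name and type. */
const OBJECT *scan_bindery_object(const char *name, uint16_t type)
{
    for (int i = 0; i < nobjects; i++)
        if (bindery[i].type == type && strcmp(bindery[i].name, name) == 0)
            return &bindery[i];
    return NULL;
}

/* What GetConnectionNumber() + GetConnInfo() yield: the object logged in
 * on a connection, or NULL if the slot is unused or not logged in. */
const OBJECT *logged_object(int conn)
{
    if (conn < 0 || conn >= MAX_CONNS || conn_table[conn] == 0) return NULL;
    for (int i = 0; i < nobjects; i++)
        if (bindery[i].id == conn_table[conn]) return &bindery[i];
    return NULL;
}

/* Access level of a requester towards a target (assumed model: the object
 * named SUPERVISOR holds supervisor rights). */
static int access_level(const OBJECT *req, const OBJECT *target)
{
    if (req == NULL)                          return SEC_ANYONE;
    if (strcmp(req->name, "SUPERVISOR") == 0) return SEC_SUPERVISOR;
    if (req->id == target->id)                return SEC_OBJECT;
    return SEC_LOGGED;
}

/* ReadPropertyValue-style read of one segment, gated by the property's read
 * level: 0 = copied, -1 = no such object or property, -2 = denied. */
int read_property_value(int conn, const char *obj_name, uint16_t type,
                        const char *prop_name, uint8_t out[SEGMENT_SIZE])
{
    const OBJECT *target = scan_bindery_object(obj_name, type);
    if (target == NULL) return -1;
    for (int i = 0; i < target->nprops; i++) {
        const PROPERTY *p = &target->props[i];
        if (strcmp(p->name, prop_name) != 0) continue;
        if (access_level(logged_object(conn), target) < READ_LEVEL(p->security))
            return -2;
        memcpy(out, p->value, SEGMENT_SIZE);
        return 0;
    }
    return -1;
}

int main(void)
{
    uint8_t seg[SEGMENT_SIZE];
    printf("BOB reads ALICE's IDENTIFICATION: %d\n",
           read_property_value(2, "ALICE", OT_USER, "IDENTIFICATION", seg));
    printf("BOB reads ALICE's PASSWORD: %d\n",
           read_property_value(2, "ALICE", OT_USER, "PASSWORD", seg));
    return 0;
}
```

The point of the gate in read_property_value() is that the bindery's answer to "can this connection read that segment" comes from the target property's own security byte, compared against what the requesting connection is (nobody, a logged-in user, the object itself, or the supervisor), which is the check the fragments in section 3 never make.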