COMMAND
Perl.nlm
SYSTEMS AFFECTED
Novell NetWare 4.1, IntranetWare
PROBLEM
The PERL language interpreter is always installed and activated
when the Novell Web Server is installed. This NLM is accessible
via TCP/IP. The PERL.NLM can be exploited to execute arbitrary
Perl programs residing anywhere on the NetWare fileserver. These
programs run with kernel privileges, thus circumventing any
access restrictions to files and directories.
The vulnerability can be used to gain access to, read, modify or
delete any file on the system. A security hole in a demo program
in the Novell Web Server distribution (which is installed by
default) can be used to create such a Perl script without
having (IPX) write access to the server, e.g. from the
Internet.
Novell incorporated the PERL language interpreter in their Web
Server product. A special version of PERL was developed that
allows a PERL daemon to receive requests for execution of programs
via the RCGI interface. The Perl interpreter is accessible via a
TCP port (default: 8002).
The PERL.NLM can be exploited to execute any Perl script residing
on the fileserver (e.g. within the user directories). The Perl
scripts themselves can contain arbitrary code, for example
additional networking code that installs the attacker's own
(e.g. proxy) services, which can be used to gain further access
to the network. Confirmed vulnerable are the PERL.NLM versions
delivered with the Novell Web Server 2.5x and the 45-day trial
version (PERL.NLM version 4.60t). Credit goes to Alex Dunkel and
this text is based on his advisory.
SOLUTION
Patches provided by Novell should be applied when available. As
an interim solution, you should:
a) unload the PERL.NLM using the command
UNLOAD PERL
According to Novell, no patch will be released; the upcoming
web server software (3.0, currently in beta) should be used
instead when available.
Updates to this information can be found via WWW:
http://www.Dunkel.de/security/dsi/dsi-9702/