COMMAND
NDS
SYSTEMS AFFECTED
Novell Netware 3.x, 4.1, 4.11 (SP5; NFS v5.99)
PROBLEM
Following is based on Nomad Mobile Research Centre Advisory.
Default settings during NDS installation reveal account names and
other information to users who have not logged in. Learning
potential account names is usually the first step before an
intruder attacks a computer system.
CX.EXE and NLIST.EXE both exist by default in the SYS:LOGIN
directory. Upon loading the client software, the client connects
to the preferred server with a NOT-LOGGED-IN connection. The
unauthenticated client has access to CX.EXE and NLIST.EXE. This
access in itself is not the problem; the problem lies in the
default Read access at the root of the tree. These rights are
"inherited" down the tree unless specifically blocked, allowing
read access to most NDS objects in the tree. Most objects in the
tree have at least Read access to the object type and name by
default. The following commands can be issued by a client
connected to a NetWare 4.x or IntranetWare server, revealing most
if not all user account names, in addition to most if not the
entire tree layout.
CX /T /A /R         - list all readable user and container
                      object names in the tree, and can give a
                      rather accurate layout of the containers
                      and basic contents
NLIST USER /D       - list info regarding user names in the
                      current context
NLIST GROUPS /D     - list groups and group membership in the
                      current context
NLIST SERVER /D     - list server names and OS versions, and
                      if attached, reveal whether accounting is
                      installed or not
NLIST /OT=* /DYN /D - list all readable objects, including
                      dynamic objects, names of NDS trees, etc.
Through a combination of attaching to different servers and
switching contexts, a potential intruder could determine the
general layout of NDS, potentially even which servers contain
certain replicas of the NDS database. The main information
revealed is a list of potential user accounts for an intruder to
use to gain access to a NetWare server. Once in, even limited
accounts can re-run the above commands, revealing even more
information than before. The scenario is made worse by the fact
that Intruder Detection is off by default.
SOLUTION
Disable public Read access from the root of your NDS tree. Ensure
all accounts have passwords, and that all assigned passwords are
not easily guessed. Ensure Intruder Detection is turned on at the
root of your NDS tree.
You CAN configure NDS to not allow public browse access to
container contents, but still allow the names of the containers to
be displayed. This would allow a legitimate user to browse up and
down the tree looking for their context, without revealing valid
names.
Using the "Intruder Lockout" functionality will reveal when
someone tries to hack into an account. Anybody can easily get a
copy of CX and NLIST, so removing the Browse right in the NDS
tree is a more effective solution. Removing CX and NLIST is only
going to stop novice hackers who will probably try the brute
force method of attack (guessing passwords) anyway (which
"Intruder Lockout" will handle very effectively).
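The following is an added illustration, not part of the original advisory and not Novell code: a small Python model of how an object right granted to [Public] at [Root] is inherited down the tree unless a container's Inherited Rights Filter (IRF) blocks it, and what an unauthenticated client could list before and after the fix described above. It assumes a simplified rule set (one "Browse" right; an explicit trustee assignment on an object replaces inherited rights for that trustee; otherwise rights flow from the parent filtered by the object's IRF) and a constructed sample tree.

```python
# Simplified model of NDS object-right inheritance (added example, not Novell code).
# Assumptions: a single object right, Browse, is what CX/NLIST need in order to
# list an object's name; an explicit trustee assignment on an object replaces
# inherited rights for that trustee; otherwise the parent's effective rights
# flow down, filtered by the object's Inherited Rights Filter (IRF).
from dataclasses import dataclass, field

PUBLIC = "[Public]"   # implicit trustee representing NOT-LOGGED-IN connections
BROWSE = "B"

@dataclass
class NDSObject:
    name: str
    children: list = field(default_factory=list)
    trustees: dict = field(default_factory=dict)           # trustee -> set of rights
    irf: set = field(default_factory=lambda: {BROWSE})     # rights allowed to flow in

def effective_rights(obj, trustee, inherited=frozenset()):
    """Rights `trustee` holds on `obj`, given rights inherited from the parent."""
    if trustee in obj.trustees:                 # explicit assignment wins
        return frozenset(obj.trustees[trustee])
    return frozenset(inherited) & frozenset(obj.irf)

def visible_names(obj, trustee, inherited=frozenset(), path=""):
    """Distinguished names `trustee` could list with CX/NLIST, depth first."""
    rights = effective_rights(obj, trustee, inherited)
    dn = f"{obj.name}.{path}" if path else obj.name
    found = [dn] if BROWSE in rights else []
    child_path = "" if obj.name == "[Root]" else dn  # [Root] is not part of a DN
    for child in obj.children:
        found += visible_names(child, trustee, rights, child_path)
    return found

def sample_tree():
    """Constructed tree with the default grant: [Public] has Browse at [Root]."""
    root = NDSObject("[Root]", trustees={PUBLIC: {BROWSE}})
    corp, admins, staff = NDSObject("CORP"), NDSObject("ADMINS"), NDSObject("STAFF")
    admins.children += [NDSObject("admin"), NDSObject("backup")]
    staff.children += [NDSObject("alice"), NDSObject("bob")]
    corp.children += [admins, staff]
    root.children.append(corp)
    return root, admins

def block_browse_at(obj):
    """'Specifically block' inheritance: remove Browse from the container's IRF."""
    obj.irf.discard(BROWSE)

def remove_public_browse_at_root(root):
    """The advisory's fix: take Browse away from [Public] at [Root]."""
    root.trustees[PUBLIC] = set()
```

With the default grant every object name is listable; an IRF on one container hides that container and everything under it, and removing the [Public] grant at [Root] leaves nothing for an unauthenticated connection to enumerate.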