COMMAND

    Rconsole

SYSTEMS AFFECTED

    Netware 4.x

PROBLEM

    Chris  Brenton  found  following.   As  of  NetWare  4.x,   Novell
    recommends using the Inetcfg  utility for managing networking.  If
    you have "load  remote" in the  autoexec.ncf, Inetcfg will  try to
    grab it and add it to Inetcfg's scripts.  The problem here is that
    Inetcfg saves  the Rconsole  password to  SYS:ETC in  a file named
    Netinfo.cfg.  All users have full read access to this directory so
    anyone with a valid account can view the Rconsole password.  Given
    Simple Nomad's post (previous  netware advisory), even if  you cut
    and paste in order to ensure that the password is encrypted, it is
    still extremely vulnerable.

    Chris also noticed  (with 4.1x anyway)  that if you  enable Telnet
    access to  the server,  remote sessions  are not  logged.  Combine
    this with the above and any user can now whack away at the  server
    console without leaving an audit trail.

    NOTE THAT  THIS HAPPENS  ONLY IF  SYS:ETC IS  READABLE BY EVERYONE
    (which is  not default).   HOWEVER, if  you are  running NFS  name
    space on SYS: and using Novell's FTPSERV.NLM, a passive connection
    "gives" the  rights. This  is an  older bug,  and Novell never did
    state whether it  got fixed.   Removing the rights  does not help.
    You have to NOT use NFS name space or not use FTPSERV.NLM.

SOLUTION

    The patch would be to call  remote from another NCF file which  is
    stored in  the SYS:SYSTEM  directory.   This will  at least  limit
    access to only Admins.  This will also prevent Inetcfg from trying
    to grab it. Of course the real fix would be to not use Rconsole.

    A very simple solution is to buy a switch.  If an administrator is
    careless enough  to rconsole  to their  server from  a shared hub,
    where there might be someone  sniffing them, then expect what  you
    get.  Here is the best way to setup (IPX/SPX) rconsole on  Netware
    4.x.

    At the server prompt:

        SERVER:load remote

        Enter a password for rconsole> <password>
        SERVER:load rspx
        SERVER:remote encrypt

        Enter a password to encrypt
        > <password>

    To use this password use the command:

        Load REMOTE -E ABCDE12345

        Would you like this command written to SYS:SYSTEM\LDREMOTE.NCF (y/n) <y>
        SERVER:load edit ldremote.ncf

    In  the  ldremote.ncf  file,  you  will  see the command line from
    above.  Add the line "LOAD RSPX" underneath the Load REMOTE  line.
    Save the file.

        SERVER:load edit autoexec.ncf

    Remove any previous references to remote.nlm.  Add a line near the
    bottom (wherever is appropriate for you):  "ldremote"  (without
    the quotes of course).  Save the file.

    That's  it.   Just  make  sure  that  in  INETCFG,  under   Manage
    Configuration/Configure  Remote  Access  To  This  Server, "Remote
    Access" is set to Disable.   All of this will keep your  encrypted
    password off the public wire, and warm and cozy in the  SYS:SYSTEM
    directory, where it should be.