COMMAND

    Novell Netware

SYSTEMS AFFECTED

    Novell Netware 3.1-5.1

PROBLEM

    The information  in this  advisory was  supplied by  Chris Hughes.
    Novell  Netware  allows  a  user  to  log into a Novell Network by
    using a Print Server as the username.  By default, Novell  Print
    Servers have blank passwords.   In addition, Novell Print  Servers
    do not have intruder detection capability as a user account would,
    so they  are vulnerable  to a  brute force  attack without risk of
    account lockout.  When  a Print Server is  logged into as a  User,
    the  account  will  have  the  same  rights as are assigned to the
    container that it resides in.

    This only happens with Public Access non-NDPS printers (queue-based
    printing systems, not NDPS printing systems).

    The main reason for gaining access to the server this way is that
    the printer objects have access to an API call called
    ChangeToClientRights.  The exploit is supposed to go:

        1. Login as printer.
        2. Wait for supe/admin person to print something.
        3. Execute ChangeToClientRights.
        4. Do bad things.

    Supposedly  several  people  have  had  the  code to do this for a
    while.   It is  one of  those 0-day  things Netware hackers trade.
    Anyway, there is some code at

        http://www.nmrc.org/files/netware/netware.zip

    that is supposed to do a lot of this stuff.

SOLUTION

    Print servers  created via  HP's JetAdmin  utility do  not have  a
    blank password by default.  Not sure what the default password  is
    (and have little  doubt that it  can be "guessed"  with some basic
    knowledge of the printer in question).

    Obvious first step is to apply station restrictions and limit what
    a print server can see to just the print queues - it doesn't  need
    much if anything else,  so why leave the  door open?  Many  system
    objects (such as print servers)  exist in the same context  as the
    print queues they serve, which in turn are in the same context  as
    the users - and many admins assign file access rights globally  to
    the container (which then cascade down to the print server object)
    rather than groups.

    As many people have pointed out before, this isn't a bug.  It's  a
    possibility  for  a  vulnerability,  but  it  is by design.  It is
    mentioned in every Novell manual and  is well known.  It's a  fact
    of life: printers need to log in to get to the queue  directories.
    Just don't assign rights to the container that queues are in.
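
    The checks described in the SOLUTION paragraphs above can be run as
    an audit over a directory inventory.  This is an added example, not
    code from the advisory or from Novell.  The inventory layout, the
    object names and the SYS:QUEUES queue path are assumptions, and the
    rights lookup is generalized to every container above the object.

```python
# Added example: the inventory layout and every name below are constructed;
# this is not a NetWare export format.

# Trustee assignments made to containers: container name -> {path: rights}.
CONTAINER_RIGHTS = {
    "SALES.ACME": {"SYS:DATA/SALES": "RWCEMF"},
    "PRINT.ACME": {"SYS:QUEUES": "RWCEMF"},
}

# Print server objects and the two login controls the advisory discusses.
PRINT_SERVERS = {
    "PS-SALES.WEST.SALES.ACME": {"has_password": False, "stations": []},
    "PS-LAB.PRINT.ACME": {"has_password": True,
                          "stations": ["00001234:00A0C9112233"]},
}


def ancestors(name):
    """Yield every container above an object, nearest first."""
    parts = name.split(".")
    for i in range(1, len(parts)):
        yield ".".join(parts[i:])


def inherited_rights(name, container_rights):
    """Merge the file rights an object picks up from its containers."""
    rights = {}
    for container in ancestors(name):
        for path, granted in container_rights.get(container, {}).items():
            merged = set(rights.get(path, "")) | set(granted)
            rights[path] = "".join(sorted(merged))
    return rights


def audit(print_servers, container_rights, queue_prefix="SYS:QUEUES"):
    """Return [(name, findings)] for print servers that need attention."""
    report = []
    for name, cfg in sorted(print_servers.items()):
        findings = []
        if not cfg["has_password"]:
            findings.append("blank password")
        if not cfg["stations"]:
            findings.append("no station restrictions")
        inherited = inherited_rights(name, container_rights)
        for path, granted in sorted(inherited.items()):
            if not path.startswith(queue_prefix):  # more than queue access
                findings.append(f"inherits [{granted}] on {path}")
        if findings:
            report.append((name, findings))
    return report
```

    Calling audit(PRINT_SERVERS, CONTAINER_RIGHTS) lists each print
    server that should be moved, restricted or given a password.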