[Full-Disclosure] RE: NetWare Screensaver Authentication Bypass From The Local Console

From: Adam Gray (agray_at_novacoast.com)
Date: 12/15/04

  • Next message: Bryan Pinkerton: "[Full-Disclosure] Re: Full-Disclosure Digest, Vol 1, Issue 2105"
    To: Geoff Vass <geoff@cadzow.com.au>, Brad Bendily <brad@selu.edu>, full-disclosure@lists.netsys.com
    Date: Tue, 14 Dec 2004 15:14:40 -0800
    
    
    
    

    If the screen saver was intended to be bypassed and not to be a security
    enhancement they would not have allowed or coded the password feature. I
    can only assume that given the password feature was built and coded they
    intended it to provide some amount of physical security. Everyone knows
    that physical security is easy to bypass. It just is not supposed to be
    this easy. If they did not think it was a flaw they would have told me
    so.

    We too have known about this issue for years. It was in talking to the
    product manager that I was encouraged to report it. He thought it should
    be something that gets fixed. It is after all a voluntary patch. If you
    do not think it is a vulnerability don't apply the patch. There are some
    other nice enhancements in the ICSA Compliance kit that may be worth
    looking into.

    Adam Gray

    On Wed, 2004-12-15 at 09:02 +1030, Geoff Vass wrote:
    > Unpublished Immutable Laws of Security
    >
    > Number 16: "No matter what the security fault, how exploitable it is or what the workarounds are, there will ALWAYS be someone somewhere who will argue strenuously that it's not a fault, doesn't need fixing and couldn't be exploited, and furthermore they will seem to be taking it personally."
    >
    > Number 16(a): "Usually this will be Microsoft."
    >
    > Example:
    >
    > "In order for a hacker to exploit this, they would need to (and you're not going to believe this): (1) Convince someone to click a link in an email message, AND (unbelievable) (2) view a web page with their web browser. See, we told you how incredibly stupid this so-called exploit is."
    >
    > We all know physical security is important, but there's a huge difference between walking up to a machine and gaining access with a few keystrokes and ripping the hard disk out and examining in a lab offsite. The former is very easy and the latter is very hard. It should NOT be possible to compromise a machine by hacking the screensaver.
    >
    > Geoff Vass
    > Cheers
    >
    > -----Original Message-----
    > From: Brad Bendily [mailto:brad@selu.edu]
    > Sent: Wednesday, 15 December 2004 03:31
    > To: Adam Gray
    > Cc: full-disclosure@lists.netsys.com; bugtraq@securityfocus.com;
    > vulnwatch@vulnwatch.org
    > Subject: Re: NetWare Screensaver Authentication Bypass From The Local
    > Console
    >
    >
    >
    > As we all know security comes in layers. The only way this exploit will
    > work is if someone is standing at the server's console. In this way
    > all servers are subject to vulnerability and I have discovered this
    > method of hacking servers. Ok, not really. But I can tell you that if I
    > have access to the server console then I can get access to the box.
    >
    > This vulnerability is not new, I had to legitimately hack the password
    > for a couple of my NetWare servers and I did it 3-4 years ago using
    > this same hack. Preferrably I would rather Novell NOT fix this. It's
    > a great "just in case" tool.
    >
    > I think this is a waste of bandwidth.
    >
    > Brad B.
    >
    > On Sun, 12 Dec 2004, Adam Gray wrote:
    >
    > > Novacoast Security Advisory
    > > Novell Netware 5/5.1/6.0/6.5 Vulnerability
    > >
    > >
    > > Synopsis:
    > > Novacoast has discovered a vulnerability in the Novell NetWare Operating
    > > System screen saver software. The vulnerability allows a local attacker
    > > to bypass authentication and access the system console.
    > >
    > >
    > > Description:
    > > The Novell Operating System uses the screen saver nlm with lock enabled
    > > to protect access to the console. When the screen saver is locked only a
    > > user in the e-directory tree with supervisor rights to the server object
    > > has the ability to unlock it. It is possible to bypass this
    > > authentication scheme by entering the debugger within NetWare while the
    > > screensaver is running, kill the screensaver process, and resume the
    > > operating system without the screen saver or the access control still
    > > running.
    > >
    > > Affected Version:
    > > Novell NetWare 5.1
    > > Novell Netware 6
    > > Novell NetWare 6.5
    > >
    > > Exploit:
    > > with the screensaver nlm running and in enable lock mode press alt shift
    > > shift esc. Find the screen saver process in memory. Kill it using the
    > > debugger. If you are not sure how to use the NetWare debugger then just
    > > kill the server with the q key and restart it without the autoexec.ncf
    > > running (server -na) edit the autoexec.ncf to keep the screensaver from
    > > running in the future and restart the server normally. The screen saver
    > > will not start again.
    > >
    > > Recommended Solution:
    > > Install the Bordermanager ICSA Compliance kit
    > > They put the screensaver fix into that patch
    > >
    > >
    > > Status:
    > > This bug has been submitted to, acknowledged by, and a fix has been
    > > created and included with the Bordermanager ICSA Compliance toolkit.
    > >
    > > Additional information can be found at the following location:
    > > http://support.novell.com/cgi-bin/search/searchtid.cgi?/2969741.htm
    > >
    > >
    > > Disclaimer:
    > > Novacoast accepts no liability or responsibility for the
    > > content of this report, or for the consequences of any
    > > actions taken on the basis of the information provided
    > > within. Dissemination of this information is granted
    > > provided it is presented in its entirety. Modifications
    > > may not be made without the explicit permission of
    > > Novacoast.
    > >
    > >
    > > Adam Gray
    > > CTO
    > > Novacoast, Inc.
    > > agray_at_novacoast.com
    > > http://www.novacoast.com
    > >
    > >
    >

    
    

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html



  • Next message: Bryan Pinkerton: "[Full-Disclosure] Re: Full-Disclosure Digest, Vol 1, Issue 2105"

    Relevant Pages

    • RE: [Full-Disclosure] Networking security problem?
      ... and Windows XP security is like comparing chalk with cheese! ... And the screen saver password is only to lock out the screen and keyboard - ... seems OK, but OS and network ... The particular NIC was in a payroll machine with obviously very ...
      (Full-Disclosure)
    • RE: Screen Saver Lock Event ID
      ... the screen saver event in Security log by the following steps: ... If the user manually locks their computer, ... for either when the screen saver locks itself or if a ...
      (microsoft.public.windowsxp.configuration_manage)
    • Re: Best Practice for Screen Savers
      ... Don't take personal offense to this, perhaps your security requirements ... without enforcing it. ... I think suggesting to user that "best practice" is XYZ. ... >>set my companies screen saver password timeout to. ...
      (Security-Basics)
    • Keeping the screen saver away
      ... I was wondering what windows message I can send to ... the Windows CE OS so that a security application or screen saver would ... consider an Bluetooth or serial connection as having the PDA ...
      (microsoft.public.windowsce.embedded.vc)
    • Re: Automated logoff using Winexit.scr
      ... If a non-administrative user attemps to use the WinExit screen saver, ... You can use RegDACL to set these permissions in batch. ... are not servers in our domain. ... I have tried creating a group policy ...
      (microsoft.public.windows.group_policy)