[NEWS] Remote Novell Netware Manager Security Issue

From: support@securiteam.com
Date: 11/14/02


To: list@securiteam.com
Date: 14 Nov 2002 16:30:27 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Remote Novell Netware Manager Security Issue
------------------------------------------------------------------------

SUMMARY

Due to inappropriate permissions, users are able to log in to
expired-password accounts from the Remote Manager.

DETAILS

Vulnerable systems:
 * Netware 5.1 eDir version 85.x

See detailed instructions in the referenced Technical Information Document
(TID): http://support.novell.com/servlet/tidfinder/2963827

eDirectory update for NetWare 5.1 servers running with the eDirectory 85.x
database.

Your server must already be running eDirectory 85.x in order to use this
update.

Files changed since the last public release:
 * DS.NLM (v 85.30)
 * DSREPAIR.NLM (v 85.20)
 * NLDAP.NLM (v 85.24)

Do not install on a NetWare 4.x or 6.x server.
Do not install on NDS 6.x, 7.x, 8.x, 86.x or 87.x servers.

Installation Instructions:
Novell recommends applying NetWare 5.1 SP5 or higher before applying this
patch.

This patch MAY work on earlier NetWare 5.1 support pack releases, however,
as stated above no testing has been performed on these. The earliest
support pack supported in conjunction with this patch is SP4.

Please note: You must have previously installed or upgraded to the full
install of eDirectory 8.5.1 (International Version) - DS.NLM 85.12a found
in the product file EDIR851.EXE. This patch should not be applied to the
first shipping version, 85.01r. This patch MAY work on other support pack
releases, however, be aware that Novell did not test this patch with past
releases.

This repair will add languageid schema extensions to your server. To
prevent any 603 errors it is recommended that this repair be first run on
a Read-Write or Master of root.

Do not try to apply on NDS 6.x, 7.x, 8.x, 86.x, 87.x or NetWare 4.x/6.x
servers.

APPLY THE LATEST SUPPORT PACK FOR YOUR VERSION OF 5.X NETWARE SERVER -
UPGRADE TO NDS 85.x USING THE FULL INTERNATIONAL VERSION THEN APPLY
THIS PATCH.

******** NOTE ********
THERE IS NO DOWNGRADE PATH FROM THIS VERSION!!! (Prior to eDirectory
85.12d)

******** NOTE ********
As with all patches, take standard precautionary disaster recovery steps.
This includes loading DSREPAIR -RC which will create a file called
SYS:\SYSTEM\DSR_DIB\00000000.$DU. This file contains a backup of the
Directory Services database. Copy this file off to a different location so
that it is not overwritten by a subsequent "dsrepair -rc".

1. Copy the patch (FDS8530.EXE) to a directory on the server being
patched (i.e. SYS:\PATCHES).

2. From a workstation, run the executable.

3. Install the minimum recommended support pack, NW 5.1 SP5, if it is not
yet installed. NW 5.1 SP5 is the recommended and tested support pack for
the NetWare 5.1 platform. Also apply the full install of eDirectory 8.5.1
(85.12a) edir851.exe, available from http://support.novell.com, if at
version 85.01r (Original shipping version). (Please note that at the time
of this TID eDirectory 85.x has been discontinued. This patch is only for
those customers who are already running 85.x on their servers and wish to
have the latest code.)

4. Run NWCONFIG.NLM from the server console prompt.

5. Go to Product Options

6. Go to install a product not listed

7. Hit F3 to specify a different path

8. Specify the path where the patch was extracted (i.e. SYS:\PATCHES).
NOTE: You are looking for the directory where the DS8.IPS file is located.

9. Press ENTER and follow the prompts. During the installation, the
server's schema will be extended.

(Refer to the Issue section for more information.)

10. After the installation, you must RESET the server in order for the new
version of DSLOADER.NLM to load. Either down the server completely (using
the DOWN command) and bring it back up, or type RESET SERVER at the console
prompt and allow the server to reboot.

11. You should then observe that DS v85.30 loads on the server.

** NOTE 1 ** A backup of the original files will be located at
SYS:SYSTEM\OLDDS for disaster recovery.

** NOTE 2 ** To restore the original static memory settings (not
recommended, performance degradation may occur), the file
SYS:SYSTEM\OLDDS\_NDSDB.INI can be edited from any text editor. Take note
of the information in the file. These are your old settings. Re-apply the
settings by executing a "set dstrace=!m[values]" (see DS documentation on
specific context).

Issue:
Changes made in DS.NLM v85.30:
(Supersedes 85.29)
 - Potential security issue resolved

Changes made in DS.NLM v85.29:
(Supersedes 85.28)
 - QOS delay is not working when client is storming server with bindery
requests

Changes made in DS.NLM v85.28:
(Supersedes 85.27c)
 - Generate key pair function added
 - Quote marks in RDN are added each time an entry is moved
 - LDAP search on high valued entry returns incomplete data
 - Writing streams to 4.x servers via dclient abends server

Last public release: DS.NLM v85.27c
(Contained in eDir8527.exe - superseded DS8520c.exe)

*******************************************************************************
Changes made in DSREPAIR.NLM v85.20:
Supersedes 85.19
 - DSRepair is attempting to repair clustered servers addresses

Changes made in DSREPAIR.NLM v85.19:
Supersedes 85.18
 - Generate key pair being called and adding private key to server object
 - Inconsistent transitive vector errors in dsrepair log and error count
(Contained in eDir8527.exe - superseded DS8520c.exe)

*******************************************************************************
Changes made in NLDAP.NLM v85.24:
Supersedes 85.23
(Contained in eDir8527.exe - superseded DS8520c.exe)
 - Ldap_compare on password generates -255 error for incorrect password
 - Extra characters inserted when the LDIF file contains hexadecimal data

File Contents:
Self-Extracting File Name: fds8530.exe

Files Included      Size  Date        Time     Version  Checksum

\
  APPEND.NLM         965  09-29-1998  02:26PM
  DS8.IPS           1689  08-26-2002  03:09PM
  FDS8530.TXT       7939  10-15-2002  07:08PM
  ICMD.MSG          7331  08-24-2000  07:05AM
  ICMD.NLM         32901  08-24-2000  07:06AM
  ISDOS.NLM         1148  02-19-1998  04:42PM
\INSTALL\4
  DS85.ILS          7878  09-30-2002  05:51PM
  SCHEMA.ILS         660  10-01-2002  11:16AM
  SHUTDOWN.ILS       598  07-31-2002  05:24PM
  STARTUP.ILS       1832  10-01-2002  11:16AM
\STARTUP
  DSLOADER.NLM     21479  04-04-2002  03:19PM
\SYS\SYSTEM
  DS.NLM         1432884  09-20-2002  03:13PM
  DSBROWSE.NLM    433543  02-13-2001  01:11PM
  DSI.NLM         111715  08-03-2001  02:02PM
  DSMERGE.NLM     120648  04-22-2002  11:39AM
  DSREPAIR.NLM    293632  08-20-2002  03:02PM
  DSTRACE.NLM      28644  01-29-2002  12:50AM
  NLDAP.NLM       245634  06-19-2002  11:15PM
\SYS\SYSTEM\nls\4
  DSREPAIR.HLP     57583  06-04-2002  09:47PM
  DSREPAIR.MSG     81807  06-06-2002  11:29PM
  NLDAP.MSG        11220  07-31-2001  11:38AM
\SYS\SYSTEM\SCHEMA
  8527C.SCH          349  05-21-2001  09:42AM
  NDS500.SCH       26622  09-19-2001  03:44PM
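
A pre-install check against the listing above, added here as an example and not part of the original advisory or Novell's TID: it parses rows in the listing's format and compares file sizes in the directory where FDS8530.EXE was extracted. The listing's Checksum column is empty, so this only detects a truncated or incomplete extraction; the function names and the five-row subset are choices made for this example.

```python
import re
from pathlib import Path

# Rows copied from the advisory's "File Contents" listing (a subset: install
# script, loader and the three changed modules). A line starting with "\"
# names the directory inside the extracted archive.
LISTING = r"""
\
       DS8.IPS 1689 08-26-2002 03:09PM
\STARTUP
  DSLOADER.NLM 21479 04-04-2002 03:19PM
\SYS\SYSTEM
        DS.NLM 1432884 09-20-2002 03:13PM
  DSREPAIR.NLM 293632 08-20-2002 03:02PM
     NLDAP.NLM 245634 06-19-2002 11:15PM
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+\d{2}-\d{2}-\d{4}\s+\d{2}:\d{2}[AP]M$")

def parse_listing(text):
    """Return {relative path (upper case, '/' separated): expected size}."""
    expected, current = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("\\"):
            current = line.strip("\\").replace("\\", "/").upper()
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised listing row: {line!r}")
        name = m.group(1).upper()
        expected[f"{current}/{name}" if current else name] = int(m.group(2))
    return expected

def verify_extracted(root, expected):
    """Compare sizes under root with the listing; return a list of problems."""
    # NetWare/DOS names are case-insensitive, so index the tree in upper case.
    found = {p.relative_to(root).as_posix().upper(): p.stat().st_size
             for p in Path(root).rglob("*") if p.is_file()}
    problems = []
    for rel, size in sorted(expected.items()):
        if rel not in found:
            problems.append(f"missing: {rel}")
        elif found[rel] != size:
            problems.append(f"size mismatch: {rel} is {found[rel]}, listed {size}")
    return problems
```

An empty list from verify_extracted means every listed file is present with the listed size; extend LISTING with the remaining rows to cover the whole archive.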

ADDITIONAL INFORMATION

The information has been provided by Ed Reed <ereed@novell.com>.
