Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » IRM - Netware Web Server 5.1

IRM - Netware Web Server 5.1

by Nikola Strahija on December 20th, 2001 It is possible to alter the URL to permit the contents of any file on the system to be viewed even those situated outside the web root. Using this method it is possible to view important configuration files including the autoexec.ncf file which contains the remote console password.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
IRM Security Advisory No. 002

Netware Web Server 5.1 Sample Page Source Disclosure

Vulnerablity Type / Importance: Information Leakage / High

Problem discovered: November 18th 2001
Vendor contacted: November 20th 2001, November 29th 2001
Advisory published: December 11th 2001
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Abstract:
~~~~~~~~~

Novell's Netware 5.1 is shipped with a Web Server that is installed by
default and contains various sample web pages. There is a "viewcode"
application that is run through a Netware Loadable Module (NLM), which
allows the source code of a default web page to be viewed. However, the
NLM has the sample page name passed to it through a URL containing the
path to the file. It is possible to alter the URL to permit the contents
of any file on the system to be viewed even those situated outside the
web root. Using this method it is possible to view important
configuration files including the autoexec.ncf file which contains the
remote console password.

Description:
~~~~~~~~~~~~

Netware is an Operating System developed by Novell
(http://www.novell.com) and is used by many organisations for user file
and print sharing. Version 5.1 of the Netware Operating system comes
with a web server that will be installed by default.
Included on the web server are a wide variety of sample pages that
demonstrate the flexibility and features of the product. However, one
sample page uses a Netware Loadable Module (NLM) called sewse.nlm to
call a script called viewcode.jse. The viewcode.jse file is designed to
be used to display the source code of sample files called httplist.htm
and httplist.jse. These file names are passed as parameters to the NLM
through a URL such as (URL may wrap):

http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist/httplist.htm+httplist/httplist.jse

The application checks the files being requested by requiring that the
httplist directory is specified in the path to the files to be viewed.
However, it is possible to traverse directories using /../ after
httplist. The sewse.nlm module runs with sufficient permissions whereby
it possible to traverse to any file on the file system and view the
contents.
There are many files that may be of interest to an attacker and these
include:

SYS:ETCNETINFO.CFG - Can contain a copy of the rconsole
password
SYS:SYSTEMAUTOEXEC.NCF - Contains the rconsole password
SYS:ETCFTPAUDIT.LOG - Contains valid usernames for password
guessing attempts

An attacker could use the information gained to lauch further attacks or
to gain console access using the rconsole password.
An example of the URL used to view the autoexec.ncf is (URL may wrap):

http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf

There are Novell best practices which include encrypting the rconsole
password in the autoexec.ncf file. However, there are tools available
which can be used to break this encryption. Another Novell
recommendation is to use a Console Screensaver which requires the admin
password to be entered after a rconsole connection has been made.
This issue is similar to the problem discovered with the convert.bas
script that shipped with Netware Web Server version 2.0. This previous
issue is recorded as Bugtraq ID 2025 and CVE-1999-0175.

Tested Versions:
~~~~~~ ~~~~~~~~~
Netware Web Server 5.1

Tested Operating Systems:
~~~~~~ ~~~~~~~~~ ~~~~~~~~
Netware Operating System version 5.1

Vendor & Patch Information:
~~~~~~ ~ ~~~~~ ~~~~~~~~~~~~
The vendor of this product, Novell, was contacted via email using the
address listed as their 'community relations' on 20th November 2001.
When no reply was received to this email after nine days, another
email was sent on 29th November 2001 to the same address, and copied
to '[email protected]'. No reply from either address had been received
as of December 11th 2001, and therefore the vulnerability
is being released to Bugtraq.


Workarounds:
~~~~~~~~~~~~
A workaround involves removing all sample web pages and sample NLMs.


Credits:
~~~~~~~~
Research & Advisory: Martyn Ruks ([email protected])

Thanks: B-r00t ([email protected])
Macavity ([email protected])
morphsta ([email protected])
Blunt ([email protected])
Ant ([email protected])
Shlug ([email protected])
indig0 ([email protected])



Disclaimer:
~~~~~~~~~~~
All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at
http://www.irmplc.com/advisories

The PGP key used to sign IRM advisories can be obtained from the above
URL, or from keyserver.net and its mirrors.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Information Risk Management Plc.
http://www.irmplc.com, [email protected]
22 Buckingham Gate
London
SW1E 6LB
+44 (0)207 808 6420


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjwZ3NsACgkQDxTYNSJMcgWGFQCeNAPUrnfFwNOSoTEjsBheukVV
6TkAnjH0bWqkNTA1AMJ21AcepQ1TVzwS
=QCO+
-----END PGP SIGNATURE-----


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »