-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
IRM Security Advisory No. 002

Netware Web Server 5.1 Sample Page Source Disclosure Vulnerability

Type / Importance:  Information Leakage / High
Problem discovered: November 18th 2001
Vendor contacted:   November 20th 2001, November 29th 2001
Advisory published: December 11th 2001
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Abstract:
~~~~~~~~~

Novell's Netware 5.1 is shipped with a Web Server that is installed by default and contains various sample web pages. There is a "viewcode" application that is run through a Netware Loadable Module (NLM), which allows the source code of a default web page to be viewed. However, the NLM has the sample page name passed to it through a URL containing the path to the file. It is possible to alter the URL to permit the contents of any file on the system to be viewed, even those situated outside the web root. Using this method it is possible to view important configuration files, including the autoexec.ncf file, which contains the remote console password.

Description:
~~~~~~~~~~~~

Netware is an Operating System developed by Novell (http://www.novell.com) and is used by many organisations for user file and print sharing. Version 5.1 of the Netware Operating System comes with a web server that is installed by default. Included on the web server are a wide variety of sample pages that demonstrate the flexibility and features of the product. However, one sample page uses a Netware Loadable Module (NLM) called sewse.nlm to call a script called viewcode.jse. The viewcode.jse file is designed to display the source code of the sample files httplist.htm and httplist.jse.
These file names are passed as parameters to the NLM through a URL such as (URL may wrap):

http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist/httplist.htm+httplist/httplist.jse

The application checks the files being requested by requiring that the httplist directory is specified in the path to the files to be viewed. However, it is possible to traverse directories using /../ after httplist. The sewse.nlm module runs with sufficient permissions that it is possible to traverse to any file on the file system and view its contents. There are many files that may be of interest to an attacker, including:

SYS:\ETC\NETINFO.CFG     - Can contain a copy of the rconsole password
SYS:\SYSTEM\AUTOEXEC.NCF - Contains the rconsole password
SYS:\ETC\FTPAUDIT.LOG    - Contains valid usernames for password guessing attempts

An attacker could use the information gained to launch further attacks or to gain console access using the rconsole password. An example of the URL used to view the autoexec.ncf is (URL may wrap):

http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf

There are Novell best practices which include encrypting the rconsole password in the autoexec.ncf file. However, there are tools available which can be used to break this encryption. Another Novell recommendation is to use a Console Screensaver, which requires the admin password to be entered after an rconsole connection has been made.

This issue is similar to the problem discovered with the convert.bas script that shipped with Netware Web Server version 2.0. This previous issue is recorded as Bugtraq ID 2025 and CVE-1999-0175.
Tested Versions:
~~~~~~~~~~~~~~~~

Netware Web Server 5.1

Tested Operating Systems:
~~~~~~~~~~~~~~~~~~~~~~~~~

Netware Operating System version 5.1

Vendor & Patch Information:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

The vendor of this product, Novell, was contacted via email using the address listed as their 'community relations' on 20th November 2001. When no reply was received to this email after nine days, another email was sent on 29th November 2001 to the same address, and copied to 'secure@novell.com'. No reply from either address had been received as of December 11th 2001, and therefore the vulnerability is being released to Bugtraq.

Workarounds:
~~~~~~~~~~~~

A workaround involves removing all sample web pages and sample NLMs.

Credits:
~~~~~~~~

Research & Advisory: Martyn Ruks (martyn.ruks@irmplc.com)

Thanks: B-r00t (br00t@irmplc.com)
        Macavity (macavity@irmplc.com)
        morphsta (morph@irmplc.com)
        Blunt (blunt@irmplc.com)
        Ant (ant@irmplc.com)
        Shlug (shlug@irmplc.com)
        indig0 (indig0@talk21.com)

Disclaimer:
~~~~~~~~~~~

All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.

A copy of this advisory may be found at http://www.irmplc.com/advisories

The PGP key used to sign IRM advisories can be obtained from the above URL, or from keyserver.net and its mirrors.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Information Risk Management Plc.
http://www.irmplc.com, info@irmplc.com
22 Buckingham Gate
London SW1E 6LB
+44 (0)207 808 6420

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjwZ3NsACgkQDxTYNSJMcgWGFQCeNAPUrnfFwNOSoTEjsBheukVV
6TkAnjH0bWqkNTA1AMJ21AcepQ1TVzwS
=QCO+
-----END PGP SIGNATURE-----