_______________________________________________________________________________

                        Nomad Mobile Research Centre
                              A D V I S O R Y
                               www.nmrc.org

                         Jitsu-Disk [jitsu@nmrc.org]
                      Simple Nomad [thegnome@nmrc.org]

                        22Nov1999  Revised 23Nov1999
_______________________________________________________________________________

Platform    : Novell Netware 5.x
Application : The Network
Severity    : Medium

Synopsis
--------

Using sniffing techniques it is possible to recover files during the
transfer between server and workstation.

After receiving numerous emails asking for a more in-depth explanation, we
are re-releasing this advisory with more data.

Tested configuration
--------------------

Testing was done with the following configuration:

Novell Netware 5.x Service Pack 3

Problem(s) Reported
-------------------

The Packet Signature feature of Netware simply signs packets, and affords
no encryption. This means files that are moved from server to workstation
can be copied on the fly by a rogue workstation using sniffing techniques.
Even in burst mode the files can still be grabbed. Proof of concept code
is included in the recently released Pandora v4 Beta 2.

Any file that is transferred across the network can potentially be sniffed.
Any file copied down from the server can be sniffed and silently copied off
to the intruder's workstation. This includes executables that were launched
from the server, word processing documents, spreadsheets, and anything else
that gets loaded into a workstation's RAM. For example, if you are a system
administrator and you drag and drop an NCF file from one server to another
via Explorer, the file is copied into RAM on your workstation and therefore
can be sniffed and copied by another individual running the new Pandora.

We do realize this is not a new issue, as it has always been around. We
just made it a little easier to do on the fly.

Solution/Workaround
-------------------

Two approaches will work to prevent this type of attack.

First off, if you are in a switched environment, sniffing attacks will not
work, so you could move to switched Ethernet as a possible solution.
Secondly, you could configure all of your servers with BorderManager VPN 3
and make all client machines authenticate that way. Granted, if you have a
large shop this will require larger servers, touching every client, etc.,
and then making sure you specifically configure the VPN software to encrypt
everything (BorderManager allows you to select which parts of the
transmission get encrypted, to help improve throughput). We did not test
these workarounds, but logically they should work.

Comments/Theory
---------------

Since it is possible to intercept the download, it is entirely possible to
intercept the upload as well. It also implies the possibility of injecting
data into the stream, modifying the files as they fly by. While Packet
Signature is supposed to prevent this type of activity, as stated in
previous NMRC documentation (http://www.nmrc.org/pandora/ncp.txt), unless
you are using Level 3 on the server Packet Signature behaves "differently",
and allows an attacker to forge packet signatures of 0xffffffff. In cases
where Packet Signature Level 3 is being used, it is theoretically possible
to modify packets on the fly, as only the first few dozen bytes are signed,
and in some cases (such as IPX fragments) a few packets are not signed at
all. This allows for the possibility of data diddling at the least. It
would also suggest that any workstation running EXEs off of the server
could be "trojaned" on the fly -- with a little careful planning you could
inject an EXE that would be run, followed by the running of the real EXE.
This also is not a new technique, and was originally discussed by Greg
Miller several years ago.

For example, for Packet Signature to work, a user must be authenticated to
the server. During the process of launching login.exe off of the server,
there is a zero knowledge state where the user is not authenticated but is
launching code off of the server. Greg Miller released spooflog (see
http://www.nmrc.org/faqs/netware/a-02.html for fully commented source
code), which in theory could readily be adapted to Netware 5.x with a bit
of "Pandorazation", taking advantage of the knowledge gained by previous
Pandora hacks that rely upon various Packet Signature settings.

To prevent this type of theoretical attack, it is recommended that Packet
Signature Level 3 be used on both the server and client side. In cases
where you have older Netware-aware equipment (such as old HP printers) or
non-Novell software (Microsoft's Netware client), setting the server to
Level 3 might prevent some resources from talking to the server.

Before you ask if this theory is being coded by NMRC (specifically Jitsu,
the NCP expert), let us just state that we are planning on concentrating on
Netware/IP integration, and moving toward a libnet/libpcap implementation
of the Linux version of Pandora, and would expect that IPX-based attacks
against Netware servers will become a thing of the past. Yet another
workaround -- move to Netware/IP. Novell wants you to anyway.

w00note
-------

This advisory is re-released in the spirit of w00giving, a time of thanks
by hackers all across the world for the software vendors who enrich our
idle time with so many opportunities.

_______________________________________________________________________________
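The advisory recommends Packet Signature Level 3 on both server and client
but does not show where the setting lives. The fragments below are an added
editorial example, not part of the NMRC advisory and not Novell
documentation: the server-side SET parameter and the NET.CFG key are the
standard names for the Netware server console and the VLM DOS Requester, the
placement in AUTOEXEC.NCF and the comment syntax (# in NCF files, ; in
NET.CFG) are assumptions, and Client32 users would set the same "Signature
Level" value in the client's advanced properties instead of NET.CFG.

```text
# Server side (assumed placement: SYS:SYSTEM\AUTOEXEC.NCF, or at the
# console prompt). Level 3 = signatures required; the server refuses
# clients that cannot sign, so the 0xffffffff forgery described above
# is no longer accepted.
SET NCP Packet Signature Option = 3

; Client side, VLM DOS Requester (NET.CFG). Level 3 = client requires
; signatures and will not attach to a server that does not sign.
NetWare DOS Requester
    SIGNATURE LEVEL = 3
```

Before rolling this out, inventory anything that talks NCP without a Novell
client (the advisory names old HP printers and Microsoft's Netware client);
with the server at Level 3 those devices may lose their connections, so test
on one server first. Note also that Level 3 only addresses the forgery and
on-the-fly modification concerns: as the Problem(s) Reported section says,
signing affords no encryption, so file contents still cross the wire in the
clear and the switched-Ethernet or BorderManager VPN workarounds remain the
answer to passive sniffing.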