From ad@Dunkel.de Fri May 9 11:38:25 1997
Date: Fri, 9 May 1997 12:46:07 MDT
From: Axel Dunkel
To: BUGTRAQ@NETSPACE.ORG
Subject: Security Vulnerability on Novell Netware WWW Server

-----BEGIN PGP SIGNED MESSAGE-----

--- Dunkel Security Information 2/97 ---

Issued:      1997.02.03
Last update: 1997.03.05

Security Vulnerability in Novell (Intra-) Netware Server

0. REDISTRIBUTION

This message may be redistributed provided that the origin is properly retained.

1. SYSTEMS

Operating Systems: Novell Netware 4.1, Intranetware
Programs         : PERL.NLM

2. SUMMARY

The PERL language interpreter is always installed and activated when the Novell Web Server is installed. This NLM is reachable over TCP/IP. PERL.NLM can be exploited to execute arbitrary Perl programs residing anywhere on the Netware file server. These programs run with kernel privileges and therefore bypass all access restrictions on files and directories. The vulnerability can be used to gain access to, read, modify or delete any file on the system.

A security hole in a demo program shipped with the Novell Web Server distribution (installed by default) can be used to create such a Perl script without having (IPX) write access to the server, e.g. from the Internet.

3. DETAILS

Novell incorporated the PERL language interpreter in their Web Server product. A special version of PERL was developed that allows a PERL daemon to receive requests for the execution of programs via the RCGI interface. The Perl interpreter is reachable via a TCP port (default: 8002).

PERL.NLM can be exploited to execute any Perl script residing on the file server (e.g. within the user directories). The Perl scripts themselves can contain arbitrary code, for example additional networking code that installs the attacker's own services (e.g. a proxy), which can then be used to gain further access to the network.

Confirmed vulnerable are the PERL.NLM versions delivered with the Novell Web Server 2.5x and the 45-day trial version (PERL.NLM version 4.60t).

4. IMPACT

The file system security of the Netware server is completely circumvented: any user can access, read, modify or delete any file on the file server. The possibility of installing arbitrary network programs can be exploited to gain further access to the attached networks.

Due to a security hole in the demonstration programs that are installed by default, a Perl script can be created without having write access to the Netware server.

5. SOLUTION/WORKAROUNDS

Patches provided by Novell should be applied when available. As an interim solution:

a) unload PERL.NLM with the command UNLOAD PERL at the console prompt. By doing this you lose the functionality of Perl scripts within your web server.

According to Novell, no patch will be released; the upcoming web server software (3.0, currently in beta) should be used instead when available. Novell Call ID at the European support center: 1352436.

Updates to this information can be found via WWW:
http://www.Dunkel.de/security/dsi/dsi-9702/

Axel Dunkel
CERT Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
Tel: +49-6192-9988-0, Fax: +49-6192-9988-99
E-Mail: ad@dunkel.de or cert@CERT.Dunkel.de
WWW: http://www.Dunkel.de/
PGP Key available via finger ad@finger.Dunkel.de

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBMx17NEzf+gLrqrKRAQGBFwQAgvVx/xkXYrcAI4csRFX3jvGhhDJVR5yB
5wYPyyKEn1zUhr/ojX55ST4q65ZJtmMng+npSXxofSbmY0RoIDojb/7LcpesoUAO
qEascmi4EHg3vSj2/wj6DlKB7LcCEFbtzbgo4PbAAudPSvuD9S+vAj9JZ995E9mR
IgeEbKENdKs=
=Ds/F
-----END PGP SIGNATURE-----

---
Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99, E-Mail: ad@Dunkel.de
PGP-Key available via finger ad@finger.Dunkel.de
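The core defect described in sections 3 and 4 of the advisory is that the PERL.NLM daemon runs whatever script the caller names, wherever it lives on the file server, and does so with kernel privileges. The following is an added example (not code from the advisory, and not Novell's PERL.NLM or its RCGI protocol, which is not modelled here) contrasting that lookup with the check a dispatcher should have made: the requested script must resolve, after collapsing `..` segments and following symlinks, to an existing regular file strictly inside one configured scripts root. The function names, the scripts-root directory and the throwaway layout built in `demo()` are hypothetical.

```python
import os
import tempfile

# Added example, not code from the advisory or from Novell's PERL.NLM.
# Names (confine_path, resolve_script, demo) and the directory layout in
# demo() are hypothetical; the RCGI request format is not modelled.


def resolve_vulnerable(requested: str) -> str:
    """The behaviour the advisory describes, reduced to its essence: whatever
    file the client names is what gets run, wherever it lives on the server."""
    return os.path.normpath(requested)


def confine_path(root: str, requested: str):
    """Return the canonical path of `requested` if it lies strictly inside
    `root`, otherwise None.

    realpath() collapses '..' and follows symlinks, so a link inside the root
    that points outside is rejected, not just a literal '../'. A relative
    request is taken relative to the root, never to the process's CWD; an
    absolute request is passed through by os.path.join and then checked.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if candidate == root_real:           # the root itself is not a script
        return None
    try:
        # commonpath rather than startswith: '/srv/scripts-evil' must not
        # count as a child of '/srv/scripts'.
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:                   # e.g. different drives on Windows
        return None
    return candidate


def resolve_script(root: str, requested: str):
    """Hardened dispatcher lookup: a confined path that is also an existing
    regular file. Anything else is refused (None)."""
    path = confine_path(root, requested)
    if path is None or not os.path.isfile(path):
        return None
    return path


def demo() -> dict:
    """Build a throwaway layout (constructed for this example) and exercise
    both resolvers; the dict of outcomes is returned rather than printed."""
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "scripts")
    os.makedirs(root)
    inside = os.path.join(root, "hello.pl")
    outside = os.path.join(base, "secret.pl")       # not under the root
    for path in (inside, outside):
        with open(path, "w") as fh:
            fh.write('print "hi\\n";\n')
    link = os.path.join(root, "link.pl")             # escapes via symlink
    os.symlink(outside, link)
    return {
        # vulnerable: a file outside the scripts root is accepted as-is
        "vuln_outside": resolve_vulnerable(outside) == outside,
        # hardened: only the script that really lives under the root resolves
        "good_inside": resolve_script(root, "hello.pl") == inside,
        "traversal": resolve_script(root, "../secret.pl"),
        "absolute": resolve_script(root, outside),
        "symlink": resolve_script(root, "link.pl"),
        "missing": resolve_script(root, "nope.pl"),
        "sibling_prefix": confine_path(root, root + "-evil/x.pl"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} -> {value}")
```

Confining the path does not address the second problem the advisory raises (the demo program that lets a remote user create a script in the first place), and it does nothing about the interpreter running at kernel privilege; it only ensures that the daemon cannot be pointed at arbitrary files on the volume. The advisory's actual remedy, UNLOAD PERL, removes the listener entirely.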