SUMMARY
Network World reported the discovery of a security problem in the
Novell NetWare operating system in its October 5, 1992 and October 12,
1992 editions. According to the article, a research student at a university
in the Netherlands demonstrated the ability to impersonate the session of
an active administrator on a NetWare server, allowing an unauthorized user
to gain unrestricted access. The problem was subsequently reported to the
NGN (the Dutch Novell Users' Group).
MORE INFORMATION
First, here's how to impersonate an active administrative user under
NetWare:
Step #2 above is not possible with the NetBEUI transport driver. If an impersonating workstation sends an out-of-sequence frame, the server responds with a FRMR (frame reject), dropping the link and forcing the session to be renegotiated. NetBEUI was not implemented this way as a security measure; the behavior is ordinary link-level error handling rather than a security feature. Novell's fix is to disallow the brute-force method of synchronizing the transport frame sequence numbers, which NetBEUI already does. Note that this is a weak check: an attacker who can "watch" the administrator's machine can see which frame number it is on and so bypass it.

With LAN Manager, a user cannot attach to another server simply by possessing the administrator's session key. Each new session to a (different) server requires a completely new session key, which can be obtained ONLY by knowing the method of encryption. If an impersonating workstation tries to use its own session and impersonate the administrator's session by sending the administrator's "session key," the LAN Manager server rejects it: the server takes the Tree ID (TID) from the incoming client SMB, retrieves the authenticated User ID (UID) associated with that TID, and compares it with the UID sent in the client SMB request. If the two do not match, the request fails.

The basic point is that in NetWare the security elements live at the transport level. Simply by circumventing the redirector and going directly to the transport, it is possible to interact with the security on the server. In LAN Manager the transport has no concept of security; security concepts appear only at the redirector SMB level. To do what the Dutch hackers did, such as turning a guest into an administrator, one would have to remote an API, which means having the correct frame numbers at the transport level, the correct TID at the redirector level, and the correct UID at the server level. If any one of these is wrong, the SMB is rejected.
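The three-level check described above, as an added worked example (constructed for this page; it is not LAN Manager or NetWare code): a toy server keeps a per-link frame sequence number at the transport level, a table that binds each TID to the UID that was authenticated when the tree was connected, and rejects any request whose frame number, TID or UID is wrong. Session keys and the encryption method are not modelled, so a UID here is just a number; the station names, TIDs, UIDs and verdict strings are all invented for the example.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    """One client request as it arrives at the server (constructed fields)."""
    seq: int   # transport-level frame sequence number
    tid: int   # redirector-level Tree ID carried in the SMB header
    uid: int   # server-level User ID carried in the SMB header
    op: str    # the operation being requested, e.g. "read"


class Link:
    """State the transport keeps for one attached station."""

    def __init__(self):
        self.expect_seq = 0
        self.up = True


class ToyServer:
    """Models the three checks the article lists: frame number, TID, UID."""

    def __init__(self):
        self.links = {}       # station name -> Link
        self.tid_owner = {}   # TID -> UID authenticated when the tree was connected
        self._next_tid = 1

    def attach(self, station):
        """(Re)establish the transport link for a station; sequence restarts at 0."""
        self.links[station] = Link()

    def tree_connect(self, uid):
        """Issue a TID bound to an already authenticated UID (logon itself not modelled)."""
        tid = self._next_tid
        self._next_tid += 1
        self.tid_owner[tid] = uid
        return tid

    def receive(self, station, frame):
        link = self.links[station]
        if not link.up:
            return "LINK_DOWN"
        # Transport level: an out-of-sequence frame gets a FRMR and the link is
        # dropped, which is what defeats brute-force guessing of the sequence number.
        if frame.seq != link.expect_seq:
            link.up = False
            return "FRMR"
        link.expect_seq += 1
        # Redirector level: the TID must name a tree some authenticated user connected.
        owner = self.tid_owner.get(frame.tid)
        if owner is None:
            return "BAD_TID"
        # Server level: the UID in the request must be the one bound to that TID.
        if frame.uid != owner:
            return "BAD_UID"
        return "OK:" + frame.op


def run_scenarios():
    """Return the server's verdict for each scenario the article discusses."""
    srv = ToyServer()
    admin_uid, guest_uid = 100, 200          # invented identifiers
    srv.attach("admin-ws")
    srv.attach("guest-ws")
    admin_tid = srv.tree_connect(admin_uid)
    guest_tid = srv.tree_connect(guest_uid)
    r = {}
    # 1. Both users work normally on their own links and trees.
    r["admin_ok"] = srv.receive("admin-ws", Frame(0, admin_tid, admin_uid, "read"))
    r["guest_ok"] = srv.receive("guest-ws", Frame(0, guest_tid, guest_uid, "read"))
    # 2. Guest presents the admin's TID from its own session: UID bound to the TID differs.
    r["guest_uses_admin_tid"] = srv.receive("guest-ws", Frame(1, admin_tid, guest_uid, "read"))
    # 3. Guest presents a TID nobody connected.
    r["bad_tid"] = srv.receive("guest-ws", Frame(2, 99, guest_uid, "read"))
    # 4. Guest injects onto the admin's link without knowing the current frame number.
    r["blind_inject"] = srv.receive("admin-ws", Frame(7, admin_tid, admin_uid, "read"))
    r["after_frmr"] = srv.receive("admin-ws", Frame(1, admin_tid, admin_uid, "read"))
    # 5. Watching the wire: on a fresh admin link the attacker forges the exact next
    #    frame number together with the admin's TID and UID, and all three checks pass.
    srv.attach("admin-ws")
    srv.receive("admin-ws", Frame(0, admin_tid, admin_uid, "read"))
    r["watched_inject"] = srv.receive("admin-ws", Frame(1, admin_tid, admin_uid, "read"))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

The last scenario is the article's own caveat in miniature: the sequence check stops blind brute forcing but not an attacker who can observe the frame numbers, which is why it is link-level error handling rather than a security feature, and why the TID-to-UID binding (and, in the real protocol, the session key derived from the encryption method) is where the actual protection lies.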
Last Reviewed: November 17, 1999 © 2000 Microsoft Corporation. All rights reserved.