CVE-1999-1086
CVSS 10.0
Published: 1999-07-15 00:00:00
Last revised: 2016-10-17 22:01:12
NMCOS    

[Original] Novell 5 and earlier, when running over IPX with a packet signature level less than 3, allows remote attackers to gain administrator privileges by spoofing the MAC address in IPC fragmented packets that make NetWare Core Protocol (NCP) calls.


[CNNVD] Netware IPX Admin Session Spoofing Vulnerability (CNNVD-199907-018)

        Novell NetWare 5 and earlier versions are vulnerable when running over IPX with a packet signature level below 3. A remote attacker can gain administrator privileges by forging the MAC address in fragmented IPC packets, where those fragmented packets carry NetWare Core Protocol (NCP) calls.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:novell:netware:4.1    Novell NetWare 4.1
cpe:/o:novell:netware:4.11:sp5b    Novell NetWare 4.11 SP5B
cpe:/o:novell:netware:5.0    Novell NetWare 5.0

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1086
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1086
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-018
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=93214475111651&w=2
(UNKNOWN)  BUGTRAQ  19990715 NMRC Advisory: Netware 5 Client Hijacking
http://www.securityfocus.com/bid/528
(VENDOR_ADVISORY)  BID  528

- Vulnerability information

Netware IPX Admin Session Spoofing Vulnerability
Critical    Configuration Error
1999-07-15 00:00:00    2005-10-20 00:00:00
Remote / Local
        Novell NetWare 5 and earlier versions are vulnerable when running over IPX with a packet signature level below 3. A remote attacker can gain administrator privileges by forging the MAC address in fragmented IPC packets, where those fragmented packets carry NetWare Core Protocol (NCP) calls.

- Advisories and patches

        Quoted verbatim from the NMRC advisory:
        Use Packet Signature Level 3 everywhere, and make sure clients cannot touch their own signature settings. LAN Admins should never access a server unless using Level 3, and the security on the workstation should be restrictive enough to prevent unauthorized adjustments (i.e. use a locked-down NT client with no server services running, behind a locked door, although this simply places your trust in Microsoft). Use switched Ethernet.

- Vulnerability information

10921
Novell IPX NCP Fragmented IPC Packet Privilege Escalation

- Vulnerability description

Unknown or Incomplete

- Timeline

1999-07-15 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Netware IPX Admin Session Spoof Vulnerability
Configuration Error    528
Remote: Yes    Local: Yes
1999-07-15 12:00:00    2009-07-11 12:56:00
NMRC advisory posted to Bugtraq on July 16, 1999 by Simple Nomad

- Affected versions

Novell Netware 5.0
Novell Netware 4.11 SP5B
Novell Netware 4.1

- Discussion

NetWare's packet signature mechanism verifies the source of certain types of packets. It can be configured to sign always (level 3), whenever the other side is able to (level 2), only when the other side requests it (level 1), or never (level 0). Unless the signature level is set to 3, IPX fragmented requests/replies (NCP function 0x68) are not signed even in an otherwise signed session. If the client is set to level 1, that part of the session can be spoofed; if the session belongs to Admin, Admin privileges can be gained.

- Exploit

The NMRC Pandora program includes the exploit for this. The following is a description of how the exploit works, quoted from the NMRC advisory:

0. Admin client is Packet Signature Level 1, and server is Packet Signature Level 3.
1. Attack box gets Admin's MAC address, and inserts it into the Pandora Online tool. Attacker has the option to adjust other parameters as needed, but the main one is the MAC address.
2. Admin performs actions dealing with NDS that use fragmented packets (normal administrator activity will give us the needed packets quickly).
3. Attack box sends forged request to server, making us security equivalent to Admin.
4. Netware 5 server accepts forged packets.
5. Admin client loses connection from server as its packet sequence is now out of whack.
6. Attacker adjusts security settings for self so that the attacker has full access to entire tree, and removes "equal to Admin", so s/he will not show up on a basic "who's equiv to me" investigation by Admin.

Caveats:

0. This attack will fail in a switched environment since sniffing is involved.
1. This is a race. If the Admin client beats the attacker, the attacker must try again.
2. Obviously the attacker being on the same Ethernet segment as the Admin will help considerably in an attack. In theory this should work if you are anywhere in between the Admin client and the server, although you will need to use the MAC address of the router interface the Admin's session is coming from. At best, this may not work at all, but is still theoretically possible.
3. In theory this could be adapted to a Netware/IP environment, as Novell's TCP/IP stack is vulnerable to sequence number prediction. We have not explored adapting Pandora exploit code over to a pure IP environment, but will explore this possibility in future Pandora releases.
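The negotiation rules from the discussion and the six exploit steps quoted above, as an added example that is not part of the original page, the NMRC advisory, or the Pandora tool: a Python model in which a server and an Admin client negotiate a signature level, the client signs (or, for NCP function 0x68 below level 3, does not sign) its requests, and an attacker who has sniffed the Admin's MAC address, connection number and sequence number injects a forged fragment. Everything below the two level semantics stated on the page is an assumption: the full negotiation matrix (who refuses, who goes unsigned), HMAC-SHA256 as a stand-in for NetWare's MD4-based signature, the names `negotiate`, `Session`, `Server`, `run_attack`, the `EQUIV` payload that stands for the NDS "security equivalent" change, and the MAC address and connection number, all of which are constructed.

```python
"""Model of NetWare packet-signature negotiation and the unsigned NCP 0x68 fragment.

Added example for this page, not NetWare code, Pandora, or the IPX/NCP wire
format. Assumed: the negotiation matrix implied by the level semantics above;
fragments (function 0x68) signed only when the client itself runs level 3;
HMAC-SHA256 as a stand-in for NetWare's MD4-based signature; MAC addresses,
connection numbers and payload strings are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

NCP_FRAGMENT = 0x68              # fragmented request/reply function code named in the advisory
ADMIN_MAC = "00:00:1b:aa:bb:cc"  # constructed


def negotiate(client_level: int, server_level: int) -> Optional[bool]:
    """True = signed session, False = unsigned session, None = connection refused."""
    if {client_level, server_level} == {0, 3}:
        return None                      # one side demands signing, the other never signs
    if 0 in (client_level, server_level):
        return False
    if client_level == 1 and server_level == 1:
        return False                     # neither side asks for it
    return True


@dataclass
class Request:
    src_mac: str
    conn: int
    seq: int
    func: int
    payload: bytes
    sig: Optional[bytes] = None

    def body(self) -> bytes:
        return b"%d|%d|%d|%s" % (self.conn, self.seq, self.func, self.payload)


@dataclass
class Session:
    conn: int
    mac: str
    client_level: int
    server_level: int
    key: bytes = field(default_factory=lambda: os.urandom(16))  # attacker never sees this
    next_seq: int = 1
    equivalences: set = field(default_factory=set)

    @property
    def signed(self) -> bool:
        return bool(negotiate(self.client_level, self.server_level))

    def needs_signature(self, func: int) -> bool:
        if not self.signed:
            return False
        # The gap this CVE exploits: fragments go unsigned below client level 3.
        return not (func == NCP_FRAGMENT and self.client_level < 3)

    def sign(self, req: Request) -> Request:
        """What the legitimate client does before sending."""
        if self.needs_signature(req.func):
            req.sig = hmac.new(self.key, req.body(), hashlib.sha256).digest()
        return req


class Server:
    def __init__(self, level: int):
        self.level = level
        self.sessions: dict = {}

    def connect(self, conn: int, mac: str, client_level: int) -> Session:
        if negotiate(client_level, self.level) is None:
            raise ConnectionError("packet signature level mismatch")
        self.sessions[conn] = Session(conn, mac, client_level, self.level)
        return self.sessions[conn]

    def handle(self, req: Request) -> str:
        s = self.sessions.get(req.conn)
        if s is None or req.src_mac != s.mac:
            return "rejected: unknown connection"
        if req.seq != s.next_seq:
            return "rejected: bad sequence"
        if s.needs_signature(req.func):
            if req.sig is None:
                return "rejected: missing signature"
            good = hmac.new(s.key, req.body(), hashlib.sha256).digest()
            if not hmac.compare_digest(good, req.sig):
                return "rejected: bad signature"
        s.next_seq += 1
        if req.payload.startswith(b"EQUIV "):   # toy stand-in for the NDS equivalence change
            s.equivalences.add(req.payload.split()[1].decode())
        return "accepted"


def run_attack(client_level: int, server_level: int) -> dict:
    """Replay steps 0-5 of the advisory against the model and report each verdict."""
    server = Server(server_level)
    admin = server.connect(conn=7, mac=ADMIN_MAC, client_level=client_level)
    # Step 2: Admin does normal NDS work; the attacker sniffs MAC, connection and sequence
    # (reading admin.next_seq here stands in for the sniffed value).
    first = server.handle(admin.sign(Request(ADMIN_MAC, 7, admin.next_seq, NCP_FRAGMENT, b"READ_NDS")))
    sniffed_seq = admin.next_seq
    # Step 3: forged fragment carrying the Admin's MAC and no signature.
    forged = server.handle(Request(ADMIN_MAC, 7, sniffed_seq, NCP_FRAGMENT, b"EQUIV attacker"))
    # Step 5: the Admin's own next request now uses a sequence number the server has moved past.
    after = server.handle(admin.sign(Request(ADMIN_MAC, 7, sniffed_seq, NCP_FRAGMENT, b"READ_NDS")))
    return {"session_signed": admin.signed, "admin_first": first, "forged": forged,
            "admin_after": after, "attacker_equiv_admin": "attacker" in admin.equivalences}


if __name__ == "__main__":
    for levels in ((1, 3), (3, 3), (1, 1)):
        print("client/server levels %s -> %s" % (levels, run_attack(*levels)))
```

With the Admin client at level 1 and the server at level 3 (step 0 of the advisory) the session is nominally signed, yet the forged 0x68 fragment is accepted and the Admin's next request is dropped as out of sequence, which is the connection loss of step 5; at level 3 on the client the same forgery fails for lack of a signature and the Admin is unaffected. On a real NetWare server the level is set with the console command SET NCP Packet Signature Option = 3 (normally placed in AUTOEXEC.NCF), and on the DOS/Windows VLM client with SIGNATURE LEVEL = 3 in the NetWare DOS Requester section of NET.CFG.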

- Solution

Quoted verbatim from the NMRC advisory:

Use Packet Signature Level 3 everywhere, and make sure clients cannot touch their own signature settings. LAN Admins should never access a server unless using Level 3, and the security on the workstation should be restrictive enough to prevent unauthorized adjustments (i.e. use a locked-down NT client with no server services running, behind a locked door, although this simply places your trust in Microsoft). Use switched Ethernet.

- Related references


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of The MITRE Corporation; their official data sources are kept on MITRE's websites.