Netware IPX Admin Session Spoof Vulnerability

The NMRC Pandora program includes the exploit for this. The following is a description of how the exploit works, quoted from the NMRC advisory:

0. Admin client is Packet Signature Level 1, and server is Packet Signature Level 3.
1. Attack box gets Admin's MAC address, and inserts it into the Pandora Online tool. Attacker has the option to adjust other parameters as needed, but the main one is the MAC address.
2. Admin performs actions dealing with NDS that use fragmented packets (normal administrator activity will give us the needed packets quickly). 3. Attack box sends forged request to server, making us security equivalent to Admin.
4. Netware 5 server accepts forged packets.
5. Admin client loses connection from server as its packet sequence is now out of whack.
6. Attacker adjusts security settings for self so that the attacker has full access to entire tree, and removes "equal to Admin", so s/he will not show up on a basic "who's equiv to me" investigation by Admin.


0. This attack will fail in a switched environment since sniffing is involved.
1. This is a race. If the Admin client beats the attacker, the attacker must try again.
2. Obviously the attacker being on the same Ethernet segment as the Admin will help considerably in an attack. In theory this should work if you are anywhere in between the Admin client and the server, although you will need to use the MAC address of the router interface the Admin's session is coming from. At best, this may not work at all, but is still theoretically possible.
3. In theory this could be adapted to a Netware/IP environment, as Novell's TCP/IP stack is vulnerable to sequence number prediction. We have not explored adapting Pandora exploit code over to a pure IP environment, but will explore this possibility in future Pandora releases.


Privacy Statement
Copyright 2010, SecurityFocus