Fun With NetWare 5

by Khyron

Novell has been used for many years as a network operating system.  The advantages that it has enjoyed in the past are low hardware requirements, speed, and security.

"In early fall of 1997, Novell successfully completed the National Computer Security Center (NCSC) Class C2 security evaluation of NetWare 4.11, the server operating system included in IntranetWare.  As announced on October 7, 1997, NetWare 4.11 is the first 'off-the-shelf' commercial operating system to be granted a Class C2 rating under the NCSC's Red Book of network criteria.  It is thus approved for use in both government agencies and private sector organizations that require secure network solutions."

    - Novell AppNotes November/December 1997 - "Achieving C2 Security in a Network Environment"

This is a quick overview of what NetWare is, what is changing, and which current attacks can result in damage and/or greater privileges for users.

Novell Directory Services (NDS)

NetWare uses a Directory (spelled with a capital D to avoid confusion with DOS directories, which are dependent upon the machine that they are based upon).  Think of the NDS directory like a telephone directory, i.e., the White and Yellow pages.  Both contain information on where, what, and who.  NDS is based closely on the X.500 Directory standard.  This allows users, printers, and applications to log into a Directory rather than an individual PC, server, etc.  The advantages to this are many, primarily reduced administration, because users no longer need logins for every server on a network.

As a side note, Novell has released NDS for Windows NT which allows for the use of Novell's Directory on an NT server (replacing Microsoft's domain structure and bringing it into NDS), allowing for one logon, one password.

Pure IP

NetWare 5 has moved from IPX/SPX to TCP/IP as its core protocol.  TCP/IP is now a native protocol (although you can still install IPX/SPX as the core protocol).  This could create some new and interesting security issues.

The X Window Connection

NetWare 5 has an entirely rewritten kernel from the previous versions.  This kernel has support for Java and is able to run Java Virtual Machines (JVM).  As such, Novell has been able to port a Java version of XFree86 (X Window System, for those who don't know).  This X Window environment allows Java applets, JavaScript, or JavaBeans to run in the X Window environment.  The big advantage (or disadvantage) is that now, with the Java applet CONSOLEONE, administrators are able to log into, and administer, the NetWare server from the console using a GUI.  CONSOLEONE allows the creation, deletion, and modification of any attribute you can manage with NWADMIN.EXE (Novell 4.x's admin utility).

An improperly secured server will be an extreme liability.  Also, with the Java console come the biggest limitations.  You need a minimum of 64 MB of RAM to install and run NetWare using X.  Also, it suffers from Java's biggest flaw: it is slow.  On a Pentium 200 with 128 MB of RAM, it took a full 15-20 seconds for the screen to refresh between modifications in CONSOLEONE.

Novell Storage Services (NSS)

NSS is a replacement file system.  NSS is based on the Andrew File System (AFS), which is considered to be the most advanced file system in the world.  Novell has created 3 terabyte volumes with over 1 billion files on them.  NSS only requires 8 MB of available RAM, and with this can mount any size volume, from 1 GB to 10 TB, in less than one second after a clean shutdown, and less than a minute after a crash, regardless of the number of files contained on it.  It is also abstracted from NetWare - in actuality NSS emulates the NetWare File System, and because of this abstraction, NSS can be, and is being, developed for AIX, UnixWare, Solaris, and NT.  NSS is not installed by default, but Novell has stated that a convert utility will be available with the shipping version of NetWare 5.

BorderManager (IP-to-IPX Gateway)

BorderManager is Novell's web-caching firewall product.  It allows logins from remote locations to NetWare resources using Lightweight Directory Access Protocol (LDAP).  The big advantage to this product would be in the way it can be used to protect NetWare servers from external Internet attacks.  The easiest way that this is handled is using BorderManager's IP-to-IPX gateway.  BorderManager talks to your router, ISP, or whatever in IP, and passes this information back to the client.

Security Issues

The default administration account for NetWare 2.2 - 3.12 (the most common flavor found in small businesses and schools, but being replaced by NT and NetWare 4.1x) is supervisor, which has no password in the default setup.

For 4.xx servers the default account is admin, but it requires a password to be assigned at installation time.  So there is not much hope of gaining access this way.  Or is there?

The best hope is to have physical access to the server.  There are many utilities and other nasties that you can use if you have physical access to the location of the server.  This is especially true now that NetWare 5 will allow administration and execution of Java directly at the server.  The BURGLAR.NLM (you can find it floating around the flotsam of the net) will allow you to grant any account supervisor equivalency rights.  This attack exploits a weakness in the logon and NetBIOS timings that NetWare uses to access the bindery.

Under NetWare 4.x there is no bindery, so the container you are logging into must have its bindery context set.  Also, under NetWare 4.x Support Pack 3 or higher (the C2 certified stuff), BURGLAR.NLM does not work.

Novell has a ton of good information in their AppNotes on how their product works and the security issues that need fixing.  These are available at their web site, www.novell.com.
