Netware 4.1 puts a special version of perl on TCP port 8002.
Axel Dunkel <ad@Dunkel.de>
access, read, modify or delete any file on Netware 4.1 or Intranetware systems
Novell Netware 4.1, Intranetware
5 April 1997
Date: Fri, 9 May 1997 12:43:51 MDT
From: Axel Dunkel <ad@Dunkel.de>
Subject: BoS: Security Vulnerability on Novell Netware WWW Server
X-Premail-Auth: Key matching expected Key ID EBAAB291 not found
-----BEGIN PGP SIGNED MESSAGE-----
--- Dunkel Security Information 2/97 ---
Last update: 1997.03.05
Security Vulnerability in Novell (Intra-) Netware Server
This message may be redistributed provided that the origin is properly
Operating Systems: Novell Netware 4.1, Intranetware
Programs : PERL.NLM
The PERL language interpreter is always installed and activated when the
Novell Web Server is installed. This NLM is accessible via TCP/IP.
The PERL.NLM can be exploited to execute arbitrary Perl programs residing
anywhere on the netware fileserver. These programs run with kernel
privileges, thus circumventing any access restrictions to files and
The vulnerability can be used to gain access, read, modify or delete any
file on the system.
A security hole in a demo program in the Novell Webserver distribution (that is
installed by default) can be used to create such a perl script without
having (IPX) write access to the server, e.g. from within the Internet.
Novell incorporated the PERL language interpreter in their Web Server product.
A special version of PERL was developed that allows a PERL daemon to get
requests for execution of programs via the RCGI interface.
The perl interpreter is accessible via a TCP port (default: 8002).
The PERL.NLM can be exploited to execute any perl script residing on the
fileserver (e.g. within the user directories). The perl scripts themselves
can contain arbitrary code, so for example additional networking code
to install own (e.g. proxy) services that can be used to gain further
access to the network.
Confirmed vulnerable are the PERL.NLM versions delivered with the Novell
Webserver 2.5x and the 45-day trial version (PERL.NLM version 4.60t)
The filesystem security of the Netware server is completely circumvented,
any user can access, read, modify or delete any file on the fileserver.
The possibility to install arbitrary network programs can be exploited to
gain further access to the attached networks.
Due to a security hole in the demonstration programs that are installed by
default, a perl script can be created without having write access to the
Patches provided by Novell should be applied when available. As interim
a) unload the PERL.NLM using the command
at the console prompt. By doing this, you lose the functionality of perl
scripts within your webserver.
According to Novell, no patch will be released, the new upcoming web server
software (3.0, currently in beta) should be used instead when available.
Novell CallId at the european support center: 1352436.
Updates to this information can be found via WWW:
CERT Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
Tel: +49-6192-9988-0, Fax: +49-6192-9988-99
E-Mail: firstname.lastname@example.org or cert@CERT.Dunkel.de
PGP Key available via finger ad@finger.Dunkel.de
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99, E-Mail: ad@Dunkel.de
PGP-Key available via finger ad@finger.Dunkel.de
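
An added example, not part of the original advisory: a log review that flags allowed TCP connections to the PERL.NLM port (default 8002, per the advisory) from sources outside a trusted network. The log format, addresses, trusted network and function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

RCGI_PERL_PORT = 8002  # default PERL.NLM port named in the advisory

# Assumption: networks allowed to reach the RCGI port (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/24")]

# Assumption: a simple constructed firewall log format, not a real product's.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample input (documentation address ranges for outside hosts).
SAMPLE_LOG = """\
1997-05-09T10:01:02 ALLOW TCP 10.1.0.15:1044 -> 10.1.0.2:80
1997-05-09T10:01:07 ALLOW TCP 10.1.0.2:1201 -> 10.1.0.2:8002
1997-05-09T10:03:44 ALLOW TCP 192.0.2.77:2311 -> 10.1.0.2:8002
1997-05-09T10:03:51 DENY TCP 198.51.100.9:4410 -> 10.1.0.2:8002
1997-05-09T10:04:10 ALLOW TCP 192.0.2.77:2312 -> 10.1.0.2:8002
1997-05-09T10:05:00 ALLOW UDP 192.0.2.77:2313 -> 10.1.0.2:8002
garbled line that should be skipped
"""

def is_trusted(addr):
    """True if addr falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def find_exposed_rcgi(log_text, port=RCGI_PERL_PORT):
    """Return {server: sorted untrusted sources} for allowed TCP hits on port."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        if m["action"] != "ALLOW" or m["proto"] != "TCP":
            continue  # blocked traffic and UDP never reach the TCP listener
        if int(m["dport"]) != port:
            continue
        if not is_trusted(m["src"]):
            exposed[m["dst"]].add(m["src"])
    return {dst: sorted(srcs) for dst, srcs in exposed.items()}

if __name__ == "__main__":
    for server, sources in find_exposed_rcgi(SAMPLE_LOG).items():
        print(f"{server}: port {RCGI_PERL_PORT} reached from {', '.join(sources)}")
```

Any server reported here accepts connections to the Perl port from outside the trusted network and is a candidate for the interim workaround or a filter rule on that port.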
This page is part of Fyodor's exploit