Novell Netware PERL.NLM vulnerability

Date: Fri, 9 May 1997 12:43:51 MDT
From: Axel Dunkel <ad@Dunkel.de>
To: best-of-security@suburbia.net
Subject: BoS:  Security Vulnerability on Novell Netware WWW Server

X-Premail-Auth: Key matching expected Key ID EBAAB291 not found


-----BEGIN PGP SIGNED MESSAGE-----



                 --- Dunkel Security Information 2/97 ---
                          Stand: 1997.02.03
                       Last update: 1997.03.05

       Security Vulnerability in Novell (Intra-) Netware Server


0. REDISTRIBUTION

This message may be redistributed provided that the origin is properly
retained.

1. SYSTEMS

Operating Systems: Novell Netware 4.1, Intranetware
Programms        : PERL.NLM


2. SUMMARY:

The PERL language interpreter is always installed and activated when the
Novell Web Server is installed. This NLM is accessible via TCP/IP.

The PERL.NLM can be exploited to execute arbitrary Perl programs residing
anywhere on the netware fileserver. These programs run with kernel
privileges, thus circumventing any access restrictions to files and
directories.

The vulnerability can be used to gain access, read, modify or delete any
file on the system.

A security hole in a demo program in the Novell Webserver distribution (that is
via default installed) can be used to create such a perl script without
having (IPX) write access to the server, e.g. from within the InterNet.


3. DETAILS

Novell incorporated the PERL language interpreter in their Web Server product.
A special version of PERL was developled that allows a PERL daemon to get
requests for execution of programs via the RCGI interface.

The perl interpreter is accessible via a TCP port (default: 8002).

The PERL.NLM can be exploited to execute any perl script residing on the
fileserver (e.g. within the user directories). The perl scripts themserves
can contain arbitrary code, so for example additional networking code
to install own (e.g. proxy) services that can be used to gain further
access to the network.

Confirmed vulnerable are the PERL.NLM versions delivered with the Novell
Webserver 2.5x and the 45day trial version (PERL.NLM version 4.60t)


4. IMPACT

The filesystem security of the Netware server is completely circumvented,
any user can access, read, modify or delete any file on the fileserver.

The possibility to install arbitrary network programs can be exploited to
gain further access to the attached networks.

Due to a security hole in the demonstration programs that are installed by
default, a perl script can be created without having write access to the
Netware Server.


5. SOLUTION/WORKAROUNDS

Patches provided by Novell should be applied when available. As interim
solution 

a) unload the PERL.NLM using the command

    UNLOAD PERL

   at the console prompt. By doing this, you loose the functionality of perl
   scripts within your webserver.

According to Novell, no patch will be released, the new upcoming web server
software (3.0, currently in beta) should be used instead when available.
Novell CallId at the european support center: 1352436.

Updates to this information can be found via WWW:
  http://www.Dunkel.de/security/dsi/dsi-9702/

Axel Dunkel

CERT Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
  Tel: +49-6192-9988-0, Fax: +49-6192-9988-99
  E-Mail: ad@dunkel.de oder cert@CERT.Dunkel.de
  WWW: http://www.Dunkel.de/
  PGP Key available via finger ad@finger.Dunkel.de



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBMx17NEzf+gLrqrKRAQGBFwQAgvVx/xkXYrcAI4csRFX3jvGhhDJVR5yB
5wYPyyKEn1zUhr/ojX55ST4q65ZJtmMng+npSXxofSbmY0RoIDojb/7LcpesoUAO
qEascmi4EHg3vSj2/wj6DlKB7LcCEFbtzbgo4PbAAudPSvuD9S+vAj9JZ995E9mR
IgeEbKENdKs=
=Ds/F
-----END PGP SIGNATURE-----


---
Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99,   E-Mail: ad@Dunkel.de
              PGP-Key available via finger ad@finger.Dunkel.de