Netware Security Leak Not Reproducible in LAN Manager (102720)



The information in this article applies to:

  • Microsoft LAN Manager 2.0
  • Microsoft LAN Manager 2.1

This article was previously published under Q102720

SUMMARY

In their October 5th and 12th (1992) issues, "Network World" reported a security problem discovered within the Novell Netware operating system. The articles state that a research student at a Netherlands university impersonated the session of an active administrator on a Netware server, gaining unrestricted access. This problem was reported to the Dutch Novell User's Group (NGN).

The report stated that this security problem also exists in any NetBIOS-based network operating system, including IBM LAN Server and Microsoft LAN Manager, but this is not the case. The facts are discussed below.

MORE INFORMATION

First, here's the basic method for impersonating an active administrative user under Netware:

  1. Get a "session key" from an administrator's session by watching for it on the wire.
  2. Synchronize the transport frame number and the administrator's session frame number. The specific example was to keep sending frame 255 until it was actually 255's turn.
  3. Once frame 255 is acknowledged, send the packets that modify user accounts, attach to other servers, etc., using the session key from the administrator's session retrieved in step #1 above.

Microsoft LAN Manager prevents this kind of impersonation in several ways:

Step #2 (frame number synchronization) is not possible with the NetBEUI transport driver. If the impersonating workstation sends an out-of-sequence frame, the server sends an FRMR (frame reject), thus dropping the link and forcing a renegotiation of the session. This is basic NetBEUI transport behavior, not a security feature. Novell incorporates the same capability as a fix. NOTE: an impersonator could simply 'watch' the administrator's machine, see what frame it is on, and thus bypass this simple check.

With LAN Manager, a user cannot attach to another server simply by having the session key of the administrator. Each new session to a (different) server requires a completely new session key, and it cannot be obtained without the encryption method.

If the impersonating workstation tries to use its own session and impersonate the administrator's session by sending the admin's "session key," the LAN Manager server rejects it. The server checks the tree ID (TID) of the incoming client server message block (SMB), retrieves the authenticated user ID associated with the TID, and compares it against the user ID sent in the client SMB request. If these don't match, the server rejects the client SMB request.

The important point is that security elements are part of the Netware transport level: if you want to interact with security on the server, all you have to do is circumvent the redirector and go directly to the transport. In LAN Manager, security is handled at the redirector SMB level--the transport is not involved. To impersonate an administrator as the Dutch hacker did, you have to remote an API, and that means having the correct frame numbers at the transport level, the correct TID at the redirector level, and the correct UID at the server level. If you miss any of these, the SMB is rejected.
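
The layered checks described above can be sketched as a small server-side model. This is an added example, not LAN Manager code: the class names, return labels, link names, and TID/UID values are constructed, authentication itself is not modelled, and scoping TIDs to the link they were issued on is an assumption of the model.

```python
"""Simplified model of the transport / TID / UID checks (added example)."""
from dataclasses import dataclass, field

@dataclass
class Link:
    expected_seq: int = 0                      # next in-sequence frame number
    up: bool = True
    trees: dict = field(default_factory=dict)  # TID -> UID authenticated for it

class Server:
    def __init__(self):
        self.links = {}

    def connect(self, link_id, tid, uid):
        """Record a tree connect made by an already authenticated user."""
        self.links.setdefault(link_id, Link()).trees[tid] = uid

    def handle(self, link_id, seq, tid, uid):
        link = self.links.get(link_id)
        if link is None or not link.up:
            return "NO_LINK"
        # Transport level: an out-of-sequence frame gets FRMR and the link drops.
        if seq != link.expected_seq:
            link.up = False
            return "FRMR"
        link.expected_seq += 1
        # Redirector level: the TID must be one issued on this link (assumption).
        bound_uid = link.trees.get(tid)
        if bound_uid is None:
            return "REJECT_BAD_TID"
        # Server level: the UID in the request must match the UID bound to the TID.
        if uid != bound_uid:
            return "REJECT_UID_MISMATCH"
        return "OK"

def demo():
    srv = Server()
    srv.connect("admin-ws", tid=1, uid=100)   # constructed administrator session
    srv.connect("other-ws", tid=2, uid=200)   # constructed ordinary session
    return [
        srv.handle("admin-ws", 0, 1, 100),    # administrator's own request
        srv.handle("other-ws", 0, 2, 100),    # own TID, administrator's UID
        srv.handle("other-ws", 1, 1, 100),    # administrator's TID on another link
        srv.handle("other-ws", 5, 2, 200),    # out-of-sequence frame
        srv.handle("other-ws", 2, 2, 200),    # link was dropped by the FRMR
    ]

if __name__ == "__main__":
    print(demo())
```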

Modification Type: Major
Last Reviewed: 9/30/2003
Keywords: KB102720