NetWare Security Leak and LAN Manager (99737)




This article was previously published under Q99737

SUMMARY

Network World reported the discovery of a security problem within the Novell NetWare operating system in their October 5, 1992 and October 12, 1992 editions. According to the article, a research student at a university in the Netherlands demonstrated the ability to impersonate the session of an active administrator on a NetWare server, allowing an unauthorized user to gain unrestricted access. This problem was subsequently reported to the NGN, or Dutch Novell User's Group.

While the report states that this security problem also exists in any NetBIOS-based network operating system, including IBM LAN Server and Microsoft LAN Manager, this is not the case, for the reasons described below.

MORE INFORMATION

First, here's how to impersonate an active administrative user under NetWare:

  1. Get a "session key" from an administrator's session by watching for it on the wire.
  2. Synchronize the frame number of the transport with that of the administrator's session. The specific example was to keep sending frame 255 until it was actually 255's turn.
  3. Once frame 255 is acknowledged, send the packets that modify user accounts, attach to other servers etc., using the session key from the administrator's session retrieved in step #1 above.
This leads to multiple discussions about Microsoft LAN Manager, which prevent this kind of impersonation from occurring:

Step #2 above is not possible with the NetBEUI transport driver. If an impersonating workstation sends an out-of-sequence frame, the server sends a FRMR, dropping the link and forcing a renegotiation of the session. The NetBEUI transport is not implemented this way, and it is not a security feature. Novell's fix is to disallow the brute force method of synching the transport frame sequences, and this is already built into NetBEUI. Note that one could 'watch' the administrator's machine and see what frame they are on and thus bypass this simple check.

With LAN Manager, a user cannot attach to another server simply by having the session key of the administrator. Each new session to a (different) server requires a completely new session key acquired ONLY by knowing the method of encryption.

If an impersonating workstation tries to use its own session and impersonate the administrator's session by sending the admin's "session key," the LAN Manager server would reject it. In this case, the server checks the Tree ID (TID) of the incoming client SMB, retrieves the authenticated User ID associated with the TID, and compares it against the User ID sent in the client SMB request. If these don't match, then the client SMB request fails.

The basic point is that the transport level in NetWare contains the security elements. Simply by circumventing the redirector and going directly to the transport, it's possible to interact with the security on the server. In LAN Manager, the transport has no concept of security--only at the redirector SMB level do you get into security concepts. To do what the Dutch hackers did, such as making a guest into an administrator, one must remote an API. That means having the correct frame numbers at the transport level, the correct TID at the redirector level, and the correct UID at the server level. If one of these is incorrect, the SMB is rejected.
Modification Type: Major Last Reviewed: 7/30/2001
Keywords: KB99737
©2002 Microsoft Corporation. All rights reserved.