Novell Netware 4.1/4.11 - SP5B NDS Default Rights

ID EDB-ID:19365
Type exploitdb
Reporter Simple Nomad
Modified 1999-04-09T00:00:00



Non-authenticated clients have access to CX.EXE and NLIST.EXE in the SYS:LOGIN directory of a Netware 4.x server. The default root access is set to Read. Therefore, by using various switch options in CX.EXE and NLIST.EXE, anyone connecting to the server can gain access to NDS tree information such as account names, group names and membership, tree layout etc. By attaching to different servers and switching contexts an intruder could gain an understanding of the NDS structure for the entire network. 

The following commands can be issued by a client connected to a NetWare 4.x or IntranetWare server, revealing most if not all user account names, in addition to most of if not the entire tree layout.
CX /T /A /R - list all readable user and container object names in tree, and can give a rather accurate layout of the containers and basic contents
NLIST USER /D - list info regarding user names in current context
NLIST GROUPS /D - list groups and group membership in current context
NLIST SERVER /D - list server names and OS versions, and if attached reveal if accounting is installed or not
NLIST /OT=* /DYN /D - list all readable objects, including dynamic objects, names of NDS trees, etc