Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: RE: NetWare Screensaver Authentication Bypass From The Local Console
From: James Tucker <jftucker () gmail com>
Date: Fri, 17 Dec 2004 02:30:39 +0000

Frankly the ability to bypass any authentication procedure by a series
of button presses is plain bad software design, period.

If you don't believe me, go watch any "hacker film" and see how
Hollywood shows most hackers gaining entry to systems. Sure, sounds
stupid if its not a reality, and just plain scary if it is. Well this
is exactly that, walk up to the console, tappedy tap and your in.
Anyone for tea and biscuits?

I hope some Novell executives felt sick when they heard about this
one, because they really should; I know I wouldn't have maintained my
breakfast after such an announcement.

On the note of remote exploit ability don't rule out the possibility
of exploitation by remote KVM; maybe far fetched but it's not too
unlikely that some idiot somewhere is relying upon that screen saver
as the primal security feature.

If you take the approach that physical security is not important then
you should at least have a system that won't respond to any I/O other
than proper authentication. If your obsessed with physical security
then you still shouldn't ignore the possibility of remote exploitation
(the latter one sounded obvious right, well it should be that obvious
in reverse too). In terms of protecting your data and reliability, the
hacker doesn't care if its physical or virtual, neither does the
computer, and nor will the insurance company or shareholders chasing
down negligence. Security is security no matter what form it comes in
or what it protects, its hard enough to close all the holes now, so
don't deliberately leave any open or neglect any aspects.

At least, that's what I get paid to believe.

On Tue, 14 Dec 2004 15:14:40 -0800, Adam Gray <agray () novacoast com> wrote:
If the screen saver was intended to be bypassed and not to be a security
enhancement they would not have allowed or coded the password feature. I
can only assume that given the password feature was built and coded they
intended it to provide some amount of physical security. Everyone knows
that physical security is easy to bypass. It just is not supposed to be
this easy. If they did not think it was a flaw they would have told me

We too have known about this issue for years. It was in talking to the
product manager that I was encouraged to report it. He thought it should
be something that gets fixed. It is after all a voluntary patch. If you
do not think it is a vulnerability don't apply the patch. There are some
other nice enhancements in the ICSA Compliance kit that may be worth
looking into.

Adam Gray

On Wed, 2004-12-15 at 09:02 +1030, Geoff Vass wrote:
Unpublished Immutable Laws of Security

Number 16: "No matter what the security fault, how exploitable it is or what the workarounds are, there will ALWAYS 
be someone somewhere who will argue strenuously that it's not a fault, doesn't need fixing and couldn't be 
exploited, and furthermore they will seem to be taking it personally."

Number 16(a): "Usually this will be Microsoft."


"In order for a hacker to exploit this, they would need to (and you're not going to believe this): (1) Convince 
someone to click a link in an email message, AND (unbelievable) (2) view a web page with their web browser. See, we 
told you how incredibly stupid this so-called exploit is."

We all know physical security is important, but there's a huge difference between walking up to a machine and 
gaining access with a few keystrokes and ripping the hard disk out and examining in a lab offsite. The former is 
very easy and the latter is very hard. It should NOT be possible to compromise a machine by hacking the screensaver.

Geoff Vass

-----Original Message-----
From: Brad Bendily [mailto:brad () selu edu]
Sent: Wednesday, 15 December 2004 03:31
To: Adam Gray
Cc: full-disclosure () lists netsys com; bugtraq () securityfocus com;
vulnwatch () vulnwatch org
Subject: Re: NetWare Screensaver Authentication Bypass From The Local

As we all know security comes in layers. The only way this exploit will
work is if someone is standing at the server's console. In this way
all servers are subject to vulnerability and I have discovered this
method of hacking servers. Ok, not really. But I can tell you that if I
have access to the server console then I can get access to the box.

This vulnerability is not new, I had to legitimately hack the password
for a couple of my NetWare servers and I did it 3-4 years ago using
this same hack. Preferrably I would rather Novell NOT fix this. It's
a great "just in case" tool.

I think this is a waste of bandwidth.

Brad B.

On Sun, 12 Dec 2004, Adam Gray wrote:

Novacoast Security Advisory
Novell Netware 5/5.1/6.0/6.5 Vulnerability

Novacoast has discovered a vulnerability in the Novell NetWare Operating
System screen saver software. The vulnerability allows a local attacker
to bypass authentication and access the system console.

The Novell Operating System uses the screen saver nlm with lock enabled
to protect access to the console. When the screen saver is locked only a
user in the e-directory tree with supervisor rights to the server object
has the ability to unlock it. It is possible to bypass this
authentication scheme by entering the debugger within NetWare while the
screensaver is running, kill the screensaver process, and resume the
operating system without the screen saver or the access control still

Affected Version:
Novell NetWare 5.1
Novell Netware 6
Novell NetWare 6.5

with the screensaver nlm running and in enable lock mode press alt shift
shift esc. Find the screen saver process in memory. Kill it using the
debugger. If you are not sure how to use the NetWare debugger then just
kill the server with the q key and restart it without the autoexec.ncf
running (server -na) edit the autoexec.ncf to keep the screensaver from
running in the future and restart the server normally. The screen saver
will not start again.

Recommended Solution:
Install the Bordermanager ICSA Compliance kit
    They put the screensaver fix into that patch

This bug has been submitted to, acknowledged by, and a fix has been
created and included with the Bordermanager ICSA Compliance toolkit.

Additional information can be found at the following location:

Novacoast accepts no liability or responsibility for the
content of this report, or for the consequences of any
actions taken on the basis of the information provided
within. Dissemination of this information is granted
provided it is presented in its entirety. Modifications
may not be made without the explicit permission of

Adam Gray
Novacoast, Inc.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]