Novell NetWare 5.1 installs sample applications that allow remote attackers to obtain sensitive information via (1) ndsobj.nlm, (2) allfield.jse, (3) websinfo.bas, (4) ndslogin.pl, (5) volscgi.pl, (6) lancgi.pl, (7) test.jse, or (8) env.pl.
Novell NetWare 5.1 servers are vulnerable to information disclosure through several sample applications, potentially exposing sensitive data such as user credentials and network configuration. Successful exploitation lets an attacker gather critical information, enabling further attacks and compromising the network's security. This vulnerability requires immediate attention because of its potential for severe impact.
Step 1: Reconnaissance: The attacker identifies a vulnerable Novell NetWare 5.1 server, likely through port scanning (e.g., port 80 for HTTP) or other reconnaissance techniques.
Step 2: Vulnerability Identification: The attacker identifies the presence of the vulnerable sample applications (ndsobj.nlm, allfield.jse, websinfo.bas, ndslogin.pl, volscgi.pl, lancgi.pl, test.jse, or env.pl) on the server.
Step 3: Payload Delivery: The attacker crafts a specific HTTP request to one of the vulnerable applications. The request is designed to trigger the application to reveal sensitive information.
Step 4: Information Disclosure: The vulnerable application processes the attacker's request and returns the requested sensitive information (e.g., user credentials, network configuration, directory services data) in the response.
Step 5: Post-Exploitation: The attacker uses the gathered information to plan and execute further attacks, such as privilege escalation, lateral movement, or data exfiltration.
The vulnerability stems from sample applications installed with inadequate access controls. These applications, shipped as a NetWare Loadable Module (ndsobj.nlm) and as JScript (.jse), BASIC (.bas) and Perl (.pl) CGI scripts, lack proper input validation and authorization checks, so a remote attacker can request directory services data, environment variables and network configuration details directly from the server. The root cause is the insecure design of the samples: intended only for demonstration, they were installed by default, reachable without authentication, and contain no access control mechanism of their own; because they also do not sanitize user-supplied input, specially crafted requests retrieve sensitive information.
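Because the sample applications are reached over plain HTTP requests, a defender can find both probing and successful retrieval in the web server's access log. The following script is an added example, not part of the original advisory or of any Novell tooling: it parses Common Log Format lines, matches the file names listed above regardless of install directory, URL encoding or letter case, and reports which requests the server actually answered with 200 (the samples still present) versus 404 (already removed). The log lines, the client addresses and the directory names in them are constructed for the example; the advisory names only the file names, so matching is on the last path component.

```python
import re
from posixpath import basename
from urllib.parse import unquote, urlsplit

# File names of the NetWare 5.1 sample applications named in the advisory.
SAMPLE_APPS = frozenset({
    "ndsobj.nlm", "allfield.jse", "websinfo.bas", "ndslogin.pl",
    "volscgi.pl", "lancgi.pl", "test.jse", "env.pl",
})

# Common Log Format: host ident authuser [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log; directories and addresses are invented for the example.
LOG_SAMPLE = """\
10.0.0.5 - - [12/Mar/2001:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 1843
10.0.0.9 - - [12/Mar/2001:10:01:07 -0500] "GET /examples/env.pl HTTP/1.0" 200 2210
10.0.0.9 - - [12/Mar/2001:10:01:09 -0500] "GET /examples/ndsobj.nlm HTTP/1.0" 200 512
10.0.0.9 - - [12/Mar/2001:10:01:11 -0500] "GET /examples/WEBSINFO.BAS HTTP/1.0" 404 210
10.0.0.7 - - [12/Mar/2001:10:02:00 -0500] "GET /images/logo.gif HTTP/1.0" 200 3001
10.0.0.9 - - [12/Mar/2001:10:02:05 -0500] "GET /examples/test%2Ejse HTTP/1.0" 200 88
"""


def requested_sample_app(request_path):
    """Return the sample-application file name a request path refers to, or None.

    The advisory gives file names but not install directories, so only the last
    path component is compared. The query string is dropped, percent-encoding is
    decoded and the comparison is case-insensitive (assumption: the NetWare web
    server resolves names case-insensitively).
    """
    path = unquote(urlsplit(request_path).path)
    name = basename(path).lower()
    return name if name in SAMPLE_APPS else None


def parse_clf(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Return one record per request that targeted a listed sample application."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        app = requested_sample_app(rec["path"])
        if app is None:
            continue
        hits.append({
            "host": rec["host"],
            "time": rec["time"],
            "app": app,
            "status": int(rec["status"]),
            # A 200 means the sample was still installed and answered the request.
            "served": rec["status"] == "200",
        })
    return hits


def hosts_by_hit_count(hits):
    """Count sample-application requests per client address."""
    counts = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(LOG_SAMPLE.splitlines())
    for h in found:
        state = "SERVED" if h["served"] else "not found"
        print(f'{h["time"]} {h["host"]} -> {h["app"]} ({h["status"]}, {state})')
    print("requests per client:", hosts_by_hit_count(found))
```

Any hit with `served` set to true means a sample application was still present and responded; the remediation is to remove the sample applications from the server (or restrict access to them), after which the same scan shows only 404 responses for those names.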