
List:       ntbugtraq
Subject:    Re: IPX vulnerabilities in NT, any?
From:       thegnome () NMRC ! ORG
Date:       1997-12-01 14:30:30

> > It's been said a lot about TCP/IP vuln. in NT's network interface, but are
> > there any IPX/SPX ones? I looked through the whole NTBUGTRAQ ML. but didn't
> > find any reference.. can't believe NT is built safe enough here. Even
> > Novell has a lot of bugs, even though IPX is its native protocol. How
> > about NT?
>
> Not sure what you're asking here.  God knows, I'm not a fan of NetWare, but
> if there are serious security bugs in IPX/SPX, will admit to having missed
> them.  They sure don't show up on any of the FIRST Web pages.  About the only
> vulnerability I'm aware of was documented by the good folks at L0pht Heavy
> Industries.  (See http://www.L0pht.com/advisories/nw3xmail.txt).  This only
> affects Novell 3.X and probably is more of a design flaw than a bug.  Pains
> me to say it, but IPX/SPX looks about as rock solid as a networking protocol
> can get.
>
> That said, my experience with NT's implementation of IPX/SPX suggests that it
> will be bug-for-bug compatible with whatever Novell is pushing these days.
> Again, it pains me to say it, but Microsoft appears to me to have done an
> excellent job with their NT/NetWare migration kit.  As you noted, just wish
> MS had paid a little more attention to the details in the design of their IP
> stack.
>
> If I've overlooked something with IPX/SPX, will be all too happy to eat crow.
> That will make life all the more interesting for a couple of friends I've
> introduced to this list. :-)

IPX/SPX is very similar to TCP/IP. There existed a spoofing problem
years ago that resulted in packet signature being introduced a few
years back. However, the packet signing does not start until the user
is logged in. Greg Miller (greg.miller@usa.net) has done a lot of
research into this, including several man-in-the-middle exploits and
a zero knowledge exploit. These exploits are in the Netware Hack FAQ
at http://www.nmrc.org/faqs/netware/ along with a host of other bugs.

I personally have developed a group of utilities called Pandora which
do for Netware 4.x what pwdump and L0phtCrack did for NT. Netware
seems to suffer from the same problem NT has -- vulnerabilities due
to backwards compatibility.

I think the only thing NT shops have to worry about is the weak link
in the chain -- whatever platform is unpatched is vulnerable, and in
this push toward "single signon" an attacker will attack the easiest
target, particularly when users tend to use the same passwords
platform to platform anyway. Once in, ALL platforms are vulnerable.

So how many shops use the same (or very similar) passwords for NT's
Administrator account and Netware's Admin? Anyone? Anyone?
