[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Bypassing Inherited Rights Filters in Novell Directory Services

Title: Bypassing Inherited Rights Filters in Novell Directory Services
Released by: Foghorn
Date: 7th September 2000
Printable version: Click here
                             FOGHORN SECURITY ADVISORY


                                 September 7, 2000


          Bypassing Inherited Rights Filters in Novell Directory Services.


A design weakness in NDS as shipped with Novell v5.0 and later

can allow certain users to bypass IRF's, and gain escalation of privileges.


Serious.  Even in a well designed tree IRF's are sometimes needed to protect

more sensitive objects.  This issue, if not carefully considered, can easily

render IRF's ineffective, and expose sensitive information.


In NDS, rights are assigned in three ways:

Rights to an object [Object Rights]

Rights to all properties of an object [All Properties Rights]

Rights to selected properties of an object [Selected Properties Rights]

By default, rights granted at one level of a directory tree automatically

flow down to lower levels in the tree.  This inheritance of rights can be

blocked by using Inherited Rights Filters [IRFs].  IRFs can be set for

any of the three types of rights mentioned above.


In previous versions of NDS, only Object Rights, and All Properties Rights

could be inherited.  In Netware 5.0, Novell added the ability to make

Selected Property Rights inheritable.  These rights are not blocked by

IRFs set for Object Rights or All Properties Rights.  They can only be

blocked by the creation of an explicit IRF for each property you need to


Obviously, this is unworkable in the real world.  Setting individual IRFs

for every property in the schema is tedious and prone to error, and it is

extremely difficult to anticipate all possible exploits for all properties.

Additionally, if the schema is extended, the new properties would be

unprotected until IRFs were updated.

This also presents a problem for sites upgrading from Novell 4.11.  If this

issue is not addressed in the upgrade process, IRF's which were previously

valid, could be rendered ineffective.


Active exploitation of this feature requires Write rights to the Object

Trustees ACL property of a container at or above the level of the object being


Here's an example. An administrator, .BOB.ACME, has Supervisor [S] rights to

the .ACME container. There is a container, .SECRET.ACME, which BOB should not

have any access to.

Joe, .JOE.SECRET.ACME, is the administrator of .SECRET.ACME.  Joe has

been given S rights to SECRET, and an IRF has been put in place on SECRET

blocking all Object Rights, and all All Properties Rights.  This scenario is in

line with standard practice, and Novell's own documentation [See TID# 10011973]

Unfortunately, Bob can still gain full control of secret.

1] Bob modifies the trustees list of .ACME granting himself the Write [W]

right to the Object Trustees ACL property and designates this right as


2] Since Selected Properties Rights are not explictly blocked by the IRF

at .SECRET.ACME, Bob can now add himself to the trustee list of the

SECRET container and obtain full privileges.


In addition to active exploits, this issue could result in administrators

inadvertently granting rights to objects they believe to be protected by IRF's.

For instance, Help Desk staff may be granted password reset rights by granting

Selected Properties Rights at a high level in the tree, and making those rights

inheritable.  Those rights can only be blocked with an explicit Selected

Properties IRF at the containers or objects you need protected.


It is impossible to anticipate all the scenarios where this *feature*

could be exploited.  Administrators should carefully evaluate their tree

and permission structures with this problem in mind.

At a minimum, where IRFs are used to protect objects or containers, the

following properties should be protected by explicit IRFs:

Object Trustees [ACL]


Security Equal to Me

Password Required

Password Management

Incorrect Login Attempts

There are certainly others that would need to be protected as well.

Finding additional exploits is left as an exercise for the reader.

[Hint: Audit Objects]


We believe that Novell should either,

a) Make IRFs set for All Properties Rights apply to Selected Properties

   Rights as well


b) Provide a method whereby all Selected Properties Rights could be

filtered with a single IRF.


This is a classic example of adding functionality without fully considering the

implications.  While we do not consider this to be a *bug*, it is clearly a

poorly designed *feature*.  We could not find any reference to this on Novell's

support website.  In fact, as referenced above, Novell's own documentation

[TID# 10011973 - last updated on June 29, 2000] does not address this issue.

In that document, they answer the question, "How do I create an admin for a

container that cuts off the main admin?"  They do not specify the filtering of

Selected Properties Rights, and thus leave readers open to this vulnerability.

Safe Computing,

-FogHorn Security Staff

(C) 1999-2000 All rights reserved.