exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ISR-ichainInsecure.txt

ISR-ichainInsecure.txt
Posted Mar 22, 2005
Authored by Francisco Amato | Site infobyte.com.ar

Infobyte Security Research - Novell iChain Mini FTP Server version 2.3 fails to securely pass credentials.

tags | advisory
SHA-256 | fec0d8c4d7f6ee1dcdea2167477ddacf854d314ce3a9d14fcc8a6e7dd66da471

ISR-ichainInsecure.txt

Change Mirror Download
||
|| [ISR]
|| Infobyte Security Research
|| www.infobyte.com.ar
|| 03.15.2005
||


.:: SUMMARY

Novell iChain Administration HTTP Server:
- Insecure communication
- Reproduce the Session authentication

Version: IChain Version v2.3, It is suspected that all previous versions of
IChan
are vulnerable.

.:: BACKGROUND

The Novell iChain product provides identity-based web security
services that control access to application and network resources
across technical and organizational boundaries.

https://www.novell.com

.:: DESCRIPTION

To enter to iChain Proxy Services's administration,
we must go to following url:

https://10.1.10.1:1959/appliance/config.html

The system automatically will redirect us to another service running in the
TCP port 2222
This TCP port use the protocol HTTPS (Secure Hyper Text Transfer Protocol)
to make a security/encrypt
autentication, Specifically to the following url:

https://10.1.10.1:2222/ICSLogin/?"https://10.1.10.1:1959/appliance/config.html"

This page show us a form in Java, where we need to complete with user and
password to verify
the authentication.

This form will make a POST to the CGI:

https://10.1.10.1:2222/BM-Login/capp-cuo


With that variables: - causername (username)
- capassword (password)
- url ( url where we will redirect if the authentication is good)

If the username and password is good, this CGI will return html code and a
cookie with information like this

Name: IPCZQX02
Value: c0a210e1583eca8b673f720dd9035aafc4bb52f6
Path: /Domain: 10.1.10.1

This cookie is used by the same page, that with javascript set the value of
cookie (key of Connection)
as parameter to a Applet
(com.appliance.client.ApplianceConfigureApplet.class that is in the packages
client.jar).

This Applet is the client of Administration of IChain, when it is loaded in
memory, The Applet open a tcp
connection with the IChan server (10.1.10.1) to the port 51100

Impact 1:
This tcp connection is used for to send and get the information that the
client need or send.
All this information don't have any method of encriptation.

With a simple sniff of this communication, we can get all the configuration
for example
of LDAP Server (username,password,host,ip).

Impact 2:

Always that the Applet send a request of information with the connection TCP
port 51100,
It attaches the key of authentication (cookie).

This value is hash encrypt with a username and password,

Example of cookie:
c0a210---e1583eca8b673f720dd9035aaf---c4bb52f6 (real without "---")

Descriptation:

An iChain cookie value has 3 parts.
- The first part is a hash index, generated
by iChain during authentication, to the IA cookie hash table.
- The second part(checksum) is a randomly generated unsigned LONG value(32
bits) that
uniquely identifies a user after he is successfully authenticated.
- The third part is stores the source ID of an iChain that generates the
cookie (hence is
always the same if you have one iChain server).
The entire cookie value(i.e.these 3 parts) is then encoded before it is
sent on the wire.

We can make a process of sniff, to get the key of connection (cookie),
after, we will create a html
source with the client applet to administrate the IChan, we need set the
parameter cookie with
the value that we had sniff.

In webserver that we will copy this html create a nat that redirect all the
traffic tcp source 51100 to
the real tcp port 51100 of the server IChain.

After when we browser this web, the connection will be reproduce with the
same privileges of the user sniffit.

.:: VENDOR RESPONSE

Vendor advisory:
https://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm

.:: DISCLOSURE TIMELINE

03/04/2005 Initial vendor notification
03/05/2005 Initial vendor response
03/10/2005 Public disclosure

.:: CREDIT

Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar

.:: LEGAL NOTICES

Copyright (c) 2005 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long as
it is not
edited in any way unless authorized by Infobyte Security Research Response.
Reprinting the whole or part of this alert in any medium other than
electronically
requires permission from infobyte com ar

Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing
based on currently available information. Use of the information constitutes
acceptance
for use in an AS IS condition. There are no warranties with regard to this
information.
Neither the author nor the publisher accepts any liability for any direct,
indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close