From: "Francisco Amato" <famato@infobyte.com.ar.>
To: <bugtraq@securityfocus.com.>
Subject: [ISR] Insecure communication and Reproduce the Session authentication
Date: Tue, 15 Mar 2005 14:19:50 -0300
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Virus-Scanned: antivirus-gw at tyumen.ru
||
|| [ISR]
|| Infobyte Security Research
|| www.infobyte.com.ar
|| 03.15.2005
||
.:: SUMMARY
Novell iChain Administration HTTP Server:
- Insecure communication
- Reproduce the Session authentication
Version: IChain Version v2.3, It is suspected that all previous versions of
IChan
are vulnerable.
.:: BACKGROUND
The Novell iChain product provides identity-based web security
services that control access to application and network resources
across technical and organizational boundaries.
http://www.novell.com
.:: DESCRIPTION
To enter to iChain Proxy Services's administration,
we must go to following url:
http://10.1.10.1:1959/appliance/config.html
The system automatically will redirect us to another service running in the
TCP port 2222
This TCP port use the protocol HTTPS (Secure Hyper Text Transfer Protocol)
to make a security/encrypt
autentication, Specifically to the following url:
https://10.1.10.1:2222/ICSLogin/?"http://10.1.10.1:1959/appliance/config.html"
This page show us a form in Java, where we need to complete with user and
password to verify
the authentication.
This form will make a POST to the CGI:
http://10.1.10.1:2222/BM-Login/capp-cuo
With that variables: - causername (username)
- capassword (password)
- url ( url where we will redirect if the authentication is good)
If the username and password is good, this CGI will return html code and a
cookie with information like this
Name: IPCZQX02
Value: c0a210e1583eca8b673f720dd9035aafc4bb52f6
Path: /Domain: 10.1.10.1
This cookie is used by the same page, that with javascript set the value of
cookie (key of Connection)
as parameter to a Applet
(com.appliance.client.ApplianceConfigureApplet.class that is in the packages
client.jar).
This Applet is the client of Administration of IChain, when it is loaded in
memory, The Applet open a tcp
connection with the IChan server (10.1.10.1) to the port 51100
Impact 1:
This tcp connection is used for to send and get the information that the
client need or send.
All this information don't have any method of encriptation.
With a simple sniff of this communication, we can get all the configuration
for example
of LDAP Server (username,password,host,ip).
Impact 2:
Always that the Applet send a request of information with the connection TCP
port 51100,
It attaches the key of authentication (cookie).
This value is hash encrypt with a username and password,
Example of cookie:
c0a210---e1583eca8b673f720dd9035aaf---c4bb52f6 (real without "---")
Descriptation:
An iChain cookie value has 3 parts.
- The first part is a hash index, generated
by iChain during authentication, to the IA cookie hash table.
- The second part(checksum) is a randomly generated unsigned LONG value(32
bits) that
uniquely identifies a user after he is successfully authenticated.
- The third part is stores the source ID of an iChain that generates the
cookie (hence is
always the same if you have one iChain server).
The entire cookie value(i.e.these 3 parts) is then encoded before it is
sent on the wire.
We can make a process of sniff, to get the key of connection (cookie),
after, we will create a html
source with the client applet to administrate the IChan, we need set the
parameter cookie with
the value that we had sniff.
In webserver that we will copy this html create a nat that redirect all the
traffic tcp source 51100 to
the real tcp port 51100 of the server IChain.
After when we browser this web, the connection will be reproduce with the
same privileges of the user sniffit.
.:: VENDOR RESPONSE
Vendor advisory:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm
.:: DISCLOSURE TIMELINE
03/04/2005 Initial vendor notification
03/05/2005 Initial vendor response
03/10/2005 Public disclosure
.:: CREDIT
Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar
.:: LEGAL NOTICES
Copyright (c) 2005 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long as
it is not
edited in any way unless authorized by Infobyte Security Research Response.
Reprinting the whole or part of this alert in any medium other than
electronically
requires permission from infobyte com ar
Disclaimer
The information in the advisory is believed to be accurate at the time of
publishing
based on currently available information. Use of the information constitutes
acceptance
for use in an AS IS condition. There are no warranties with regard to this
information.
Neither the author nor the publisher accepts any liability for any direct,
indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.