From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 17 Mar 2005 19:12:00 +0200
Subject: [NEWS] Novell's iChain FTP Brute Forcing, Path Disclosure and Insecure HTTP Communication Vulnerabilities
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050317172502.BAD445800@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
X-Spam-Status: No, hits=2.114 tagged_above=2 required=5 tests=AWL,
MSGID_FROM_MTA_ID, NORMAL_HTTP_TO_IP, WEIRD_PORT
X-Spam-Level: **
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Novell's iChain FTP Brute Forcing, Path Disclosure and Insecure HTTP
Communication Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.novell.com/products/ichain/>; Novell iChain "provides
identity-based web security services that control access to application
and network resources across technical and organizational boundaries, as
one Net. The Novell iChain product provides identity-based web security
services that control access to application and network resources across
technical and organizational boundaries".
The following vulnerabilities was recently discovered in Novell iChain
product: FTP Bruteforce Vulnerability, Remote Path Disclosure and Insecure
HTTP Communication.
DETAILS
Vulnerable Systems:
* iChain Administration version 2.3
Vulnerabilities in iChain Mini FTP Server:
Novell iChain Mini FTP Server does not limit number of invalid logins,
what means no intruder detection performed and allows a brute force
attack.
Novell iChain Mini FTP Server permit execute the PWD command without an
authentication.
Example:
Connected to 10.1.10.1.
Escape character is '^]'.
220 Service Ready
PWD
257 "SYS:/ETC/PROXY/APPLIANCE/CONFIG/USER" is the current directory
Novell iChain Mini FTP Server inform when a provided username is invalid
or not.
Example:
Trying 10.1.10.1...
Connected to 10.1.10.1.
Escape character is '^]'.
220 Service Ready
user test
530 Invalid user name
user config
331 User name Okay, need password
Insecure connection authentication iChain HTTP Server:
To enter to iChain Proxy Services' administration, the user must go to
following URL:
http://example.com:1959/appliance/config.html
The system automatically will then redirect us to another service running
in the TCP port 2222. This TCP port uses the HTTPS protocol to make the
authentication process, specifically to the following URL:
https://10.1.10.1:2222/ICSLogin/?"http://10.1.10.1:1959/appliance/config.html
This page show us a Java form, where we need to provide it with a username
and a password to, the form will then make a POST to the following CGI
(NOTE: The CGI is accessed via an insecure HTTP connection):
http://10.1.10.1:2222/BM-Login/capp-cuo
With the variables:
* causername - The provided username
* capassword - The provided password
* url - The URL where the user is redirected once the authentication
process has ended
If the username/password combination is valid, this CGI will return HTML
code and a cookie with information:
Name: IPCZQX02
Value: c0a210e1583eca8b673f720dd9035aafc4bb52f6
Path: /Domain: 10.1.10.1
This cookie is used by the same page to provide it as a value to the Java
Applet (ApplianceConfigureApplet.class in package client.jar) that allows
us to administrate iChain.
The Applet opens a TCP connection with the iChan server's (10.1.10.1) port
51100. This TCP connection is used to send and get information that the
client sends or requests. All of this information is not encrypted in any
way.
With a simple sniffer we can get all the traffic traveling between the
administrator and the iChain product.
Vendor Status:
Vendor has been notified and has chosen to publish the following
advisories:
<http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm>;
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm
<http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096886.htm>;
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096886.htm
<http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096887.htm>;
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096887.htm
Disclosure Timeline:
* 03.04.05 - Initial vendor notification.
* 03.05.05 - Initial vendor response.
* 03.10.05 - Public disclosure.
ADDITIONAL INFORMATION
The information has been provided by <mailto:famato@infobyte.com.ar.>
Francisco Amato.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
