|| || [ISR] || Infobyte Security Research || www.infobyte.com.ar || 03.15.2005 || .:: SUMMARY Novell iChain Administration HTTP Server: - Insecure communication - Reproduce the Session authentication Version: IChain Version v2.3, It is suspected that all previous versions of IChan are vulnerable. .:: BACKGROUND The Novell iChain product provides identity-based web security services that control access to application and network resources across technical and organizational boundaries. http://www.novell.com .:: DESCRIPTION To enter to iChain Proxy Services's administration, we must go to following url: http://10.1.10.1:1959/appliance/config.html The system automatically will redirect us to another service running in the TCP port 2222 This TCP port use the protocol HTTPS (Secure Hyper Text Transfer Protocol) to make a security/encrypt autentication, Specifically to the following url: https://10.1.10.1:2222/ICSLogin/?"http://10.1.10.1:1959/appliance/config.html" This page show us a form in Java, where we need to complete with user and password to verify the authentication. This form will make a POST to the CGI: http://10.1.10.1:2222/BM-Login/capp-cuo With that variables: - causername (username) - capassword (password) - url ( url where we will redirect if the authentication is good) If the username and password is good, this CGI will return html code and a cookie with information like this Name: IPCZQX02 Value: c0a210e1583eca8b673f720dd9035aafc4bb52f6 Path: /Domain: 10.1.10.1 This cookie is used by the same page, that with javascript set the value of cookie (key of Connection) as parameter to a Applet (com.appliance.client.ApplianceConfigureApplet.class that is in the packages client.jar). This Applet is the client of Administration of IChain, when it is loaded in memory, The Applet open a tcp connection with the IChan server (10.1.10.1) to the port 51100 Impact 1: This tcp connection is used for to send and get the information that the client need or send. All this information don't have any method of encriptation. With a simple sniff of this communication, we can get all the configuration for example of LDAP Server (username,password,host,ip). Impact 2: Always that the Applet send a request of information with the connection TCP port 51100, It attaches the key of authentication (cookie). This value is hash encrypt with a username and password, Example of cookie: c0a210---e1583eca8b673f720dd9035aaf---c4bb52f6 (real without "---") Descriptation: An iChain cookie value has 3 parts. - The first part is a hash index, generated by iChain during authentication, to the IA cookie hash table. - The second part(checksum) is a randomly generated unsigned LONG value(32 bits) that uniquely identifies a user after he is successfully authenticated. - The third part is stores the source ID of an iChain that generates the cookie (hence is always the same if you have one iChain server). The entire cookie value(i.e.these 3 parts) is then encoded before it is sent on the wire. We can make a process of sniff, to get the key of connection (cookie), after, we will create a html source with the client applet to administrate the IChan, we need set the parameter cookie with the value that we had sniff. In webserver that we will copy this html create a nat that redirect all the traffic tcp source 51100 to the real tcp port 51100 of the server IChain. After when we browser this web, the connection will be reproduce with the same privileges of the user sniffit. .:: VENDOR RESPONSE Vendor advisory: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm .:: DISCLOSURE TIMELINE 03/04/2005 Initial vendor notification 03/05/2005 Initial vendor response 03/10/2005 Public disclosure .:: CREDIT Francisco Amato is credited with discovering this vulnerability. famato][at][infobyte][dot][com][dot][ar .:: LEGAL NOTICES Copyright (c) 2005 by [ISR] Infobyte Security Research. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Infobyte Security Research Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from infobyte com ar Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.