Novell iChain Adm HTTP Server Insecure communication & Reproduce the Session authentication


.:: SUMMARY

Novell iChain Administration HTTP Server:
- Insecure communication 
- Reproduce the Session authentication

Version: IChain Version v2.3, It is suspected that all previous versions of IChain
are vulnerable.

.:: BACKGROUND

The Novell iChain product provides identity-based web security
services that control access to application and network resources
across technical and organizational boundaries.

    http://www.novell.com

.:: DESCRIPTION

To enter to iChain Proxy Services's administration, 
we must go to following url:

http://10.1.10.1:1959/appliance/config.html

The system automatically will redirect us to another service running in the TCP port 2222
This TCP port use the protocol HTTPS (Secure Hyper Text Transfer Protocol) to make a security/encrypt 
autentication, Specifically to the following url:

https://10.1.10.1:2222/ICSLogin/?"http://10.1.10.1:1959/appliance/config.html"

This page show us a form in Java, where we need to complete with user and password to verify
the authentication.

This form will make a POST to the CGI:

http://10.1.10.1:2222/BM-Login/capp-cuo


With that variables:  -   causername (username)
                    - capassword (password)
      - url ( url where we will redirect if the authentication is good)

If the username and password is good, this CGI will return html code and a cookie with information like this

Name: IPCZQX02
Value: c0a210e1583eca8b673f720dd9035aafc4bb52f6
Path: /Domain: 10.1.10.1

This cookie is used by the same page, that with javascript set the value of cookie (key of Connection)
as parameter to a Applet 
(com.appliance.client.ApplianceConfigureApplet.class that is in the packages client.jar).

This Applet is the client of Administration of IChain, when it is loaded in memory, The Applet open a tcp
connection with the IChan server (10.1.10.1) to the port 51100

Impact 1:
This tcp connection is used for to send and get the information that the client need or send.
All this information don't have any method of encriptation.

With a simple sniff of this communication, we can get all the configuration for example
of LDAP Server (username,password,host,ip).

Impact 2:

Always that the Applet send a request of information with the connection TCP port 51100,
It attaches the key of authentication (cookie).

This value is hash encrypt with a username and password,

Example of cookie:
c0a210---e1583eca8b673f720dd9035aaf---c4bb52f6 (real without "---")

Descriptation:

An iChain cookie value has 3 parts. 
- The first part is a hash index, generated
by iChain during authentication, to the IA cookie hash table. 
- The second part(checksum) is a randomly generated unsigned LONG value(32 bits) that
uniquely identifies a user after he is successfully authenticated. 
- The third part is stores the source ID of an iChain that generates the cookie (hence is
always the same if you have one iChain server). 
The entire cookie value(i.e.these 3 parts) is then encoded  before it is sent on the wire.

We can make a process of sniff, to get the key of connection (cookie), after, we will create a html 
source with the client applet to administrate the IChan, we need set the parameter cookie with
the value that we had sniff.

In webserver that we will copy this html create a nat that redirect  all the traffic tcp source 51100 to
the real tcp port 51100 of the server IChain.

After when we browser this web, the connection will be reproduce with the same privileges of the user sniffit.

.:: WORKAROUND

[ISR] Infobyte Security Research is currently unaware of any effective workarounds for this 
vulnerability.

.:: VENDOR RESPONSE

Vendor advisory:
    http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm
      
.:: DISCLOSURE TIMELINE

03/04/2005  Initial vendor notification
03/05/2005  Initial vendor response
03/10/2005  Public disclosure

.:: CREDIT

Francisco Amato is credited with discovering this vulnerability.
famato][at][infobyte][dot][com][dot][ar

.:: LEGAL NOTICES

Copyright (c) 2005 by [ISR] Infobyte Security Research.
Permission to redistribute this alert electronically is granted as long as it is not 
edited in any way unless authorized by Infobyte Security Research Response. 
Reprinting the whole or part of this alert in any medium other than electronically 
requires permission from infobyte com ar

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing 
based on currently available information. Use of the information constitutes acceptance 
for use in an AS IS condition. There are no warranties with regard to this information. 
Neither the author nor the publisher accepts any liability for any direct, indirect, or 
consequential loss or damage arising from use of, or reliance on, this information.
Post a Comment
Thanks for your comment