Security vulnerability: Can administer an iChain server without being required to enter credentials

(Last modified: 26May2005)

This document (10096885) is provided subject to the disclaimer at the end of this document.

fact

iChain 2.3

iChain 2.2

iChain 2.2 Support Pack 3 applied (ic22sp3.exe)

iChain 2.3 Support Pack 2 applied (ic23sp2.exe)

iChain 2.3 build 269 applied (ic23fp3.exe)

Using GUI to administer iChain

Access to local physical network needed

Administrator currently connected to iChain GUI with valid cookie

symptom

Security vulnerability: Can administer an iChain server without being required to enter credentials

Can hijack an existing iChain administration session

Can manage an iChain server without any password

Insecure Web communication between iChain server and browser over TCP port 51100

Cannot send iChain GUI information to iChain server securely

Can replay authentication session to iChain Web management port (tcp 51100)

fix

Fixed in iChain 2.3 builds 2.3.278 (ic23sp2ir1.exe) and later. This patch includes updated JAR files that use a secure channel for all communication with the iChain GUI.

Without the patch applied, it is possible to hijack an existing session by doing the following:

1. Sniff the communication between a client and TCP port 51100 of the iChain server. This requires physical access to the administrator or iChain network so that promiscuous mode drivers on the hijacker workstation can pick up all data being transmitted on TCP port 51100 (GUI application) going to the iChain server.

If there is a switched network in place, then the only way a hijacker could access physical data on the network from other devices would be through port replication on the switch.

2. Get the value of the authentication cookie set on the browser workstation. The cookie name is PCZQX02 and it typically has a 24 byte value, e.g. bd197c565a47c66fb8b3400ca39d76cd4520c772. This 24 byte value includes a key into the hashed authentication table, a checksum and an ID associated with the iChain server that set the cookie.

3. Run the iChain class files on a Web server. Ideally one will have an HTML page to which the cookie from step 2 above can be added, or pass the cookie as a parameter.

4. On the Web server, create a NAT rule that redirects all the local traffic on tcp source 51100 to the real TCP port 51100 of the iChain server. This can be done using iptables on Linux, for example, where the DNAT target is used to redirect the traffic going to the loopback (or Web server IP address) to the IP address of the iChain server.

6. Browse to the iChain Java files on the Web server with the cookie from an existing session to the GUI (sniffed in step 1) and confirm that you can administer the iChain server without entering any password.
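
On systems that cannot be patched immediately, a replayed session is visible as one PCZQX02 value presented to TCP port 51100 from more than one client address. The following detection sketch is an added example, not Novell code; the log record layout, the assumption that the cookie travels in an HTTP Cookie header, the sample addresses and the cookie values are all constructed for illustration.

```python
import re
from collections import defaultdict

MGMT_PORT = 51100          # iChain Web management port named in this document
COOKIE_NAME = "PCZQX02"    # authentication cookie named in this document

# Constructed sample records (not real traffic):
#   "<time> <src_ip> <dst_port> Cookie: <header value>"
# The record layout is an assumption; adapt the parser to your IDS or proxy export.
SAMPLE_LOG = """\
2005-03-08T09:00:01 192.0.2.10 51100 Cookie: PCZQX02=aaaa1111bbbb2222cccc3333
2005-03-08T09:00:40 192.0.2.10 51100 Cookie: lang=en; PCZQX02=aaaa1111bbbb2222cccc3333
2005-03-08T09:05:12 192.0.2.77 51100 Cookie: PCZQX02=aaaa1111bbbb2222cccc3333
2005-03-08T09:06:00 192.0.2.20 51100 Cookie: PCZQX02=dddd4444eeee5555ffff6666
2005-03-08T09:07:00 192.0.2.77 8080 Cookie: PCZQX02=dddd4444eeee5555ffff6666
malformed line without fields
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+Cookie:\s*(.*)$")
COOKIE_RE = re.compile(r"(?:^|;\s*)" + re.escape(COOKIE_NAME) + r"=([^;\s]+)")


def find_shared_sessions(log_text):
    """Return {cookie_value: sorted client IPs} for values seen from >1 client."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip records that do not parse
        _ts, src_ip, dst_port, cookie_header = m.groups()
        if int(dst_port) != MGMT_PORT:
            continue  # only the management port is in scope
        c = COOKIE_RE.search(cookie_header)
        if c:
            clients[c.group(1)].add(src_ip)
    return {v: sorted(ips) for v, ips in clients.items() if len(ips) > 1}


if __name__ == "__main__":
    for value, ips in find_shared_sessions(SAMPLE_LOG).items():
        # Print only a prefix so the alert itself does not disclose the session.
        print(f"ALERT {COOKIE_NAME}={value[:8]}... used from {', '.join(ips)}")
```

Administrators who reach the GUI through a shared NAT address appear as a single client, so this check complements the patch rather than replacing it.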

note

Thanks to Francisco Amato for notifying Novell of this issue.

Francisco Amato
Infobyte Security Research
www.infobyte.com.ar

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10096885
  • Solution ID: NOVL101283
  • Creation Date: 08Mar2005
  • Modified Date: 26May2005