[Full-Disclosure] Buffer Overflows in Novell iChain Authentication

From: Axel Dunkel (security_at_Dunkel.de)
Date: 06/07/03

    To: full-disclosure@lists.netsys.com
    Date: 7 Jun 2003 23:00:59 +0200
    
    

    -----BEGIN PGP SIGNED MESSAGE-----

    Dunkel Advisory: NoviChain-1
    Summary : Buffer Overflows in Novell iChain Authentication
    Product

    Date : 2003 May 15, 12:00 GMT
    Release date : 2003 Jun 05, 12:00 GMT
    Revision : 1.0

    ********************************************************************
    *** SUMMARY
    ********************************************************************

    The Novell iChain product provides identity-based web security
    services that control access to application and network resources
    across technical and organizational boundaries.

    Buffer overflows allow unauthenticated users to crash the
    iChain Server. Due to the nature of the overflow it is likely that
    this can lead to remote administrative access to the server and thus
    full access to the protected networks.

    ********************************************************************
    *** Affected products
    ********************************************************************

    Affected products:
      Novell iChain Server 2.1 SP2
      Novell iChain Server 2.2
      Novell iChain Server 2.2 incl. Field Patch 1 (see details)

    ********************************************************************
    *** Details
    ********************************************************************

    The length of the username is only restricted by the SIZE parameter
    in the HTML forms but not in the iChain proxy itself. This can be
    exploited easily by sending an overly long username in the
    authentication dialog, which causes the iChain Server to abend (freeze).

    In iChain 2.2 Field Patch 1 the username has to be at the end of the
    POST parameter list otherwise iChain only prompts with a message
    stating missing parameters.

    Although we are not aware of any exploits in the wild it seems sure
    that this is being used to gain access in any targeted attack since
    this vulnerability can be found and exploited easily.

    ********************************************************************
    *** Fixes & Workarounds
    ********************************************************************

    Currently no fixes or workarounds are known.

    ********************************************************************
    *** Distribution
    ********************************************************************

    Dunkel GmbH, http://www.Dunkel.de/ , security@Dunkel.de
    This notice may be redistributed freely after the release date given
    at the top of the text, provided that redistributed copies are
    complete and unmodified, and include complete origin information.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG

    iQCVAwUBPsk+lEzf+gLrqrKRAQF4PgP6A+MSgJCnixWPMAMgLs154UL0Ns88bqkY
    qnE7m2HrInpmzA/OuLrWLZ8fWcifO/8s6s41voY8hhQF0owwAxxT7Nm8822J1lmh
    UtexUSlT5GDuzdBNLba7psu+pKaagM29XQ3PxLXi3TZRwhso/bpc07jW6Sg3Dca3
    eqWIc4BByWU=
    =KL8E
    -----END PGP SIGNATURE-----

    ---
    Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
    Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99,   E-Mail: ad@Dunkel.de
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
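
The Details section says the username length is limited only by the form's SIZE attribute, which the client controls. The following is an added example, not part of the advisory and not Novell code: a server-side check that finds the field at any position in the POST body and rejects an oversized value before copying it. The names `get_form_field` and `USERNAME_MAX` and the limit of 64 are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 64 /* assumed server-side limit, not a value from the advisory */

enum field_status { FIELD_OK = 0, FIELD_MISSING = -1, FIELD_TOO_LONG = -2 };

/* Look up `name` anywhere in an application/x-www-form-urlencoded body and
 * copy its raw value into out. The length is checked before any byte is
 * copied; percent-decoding is omitted (decoding can only shorten the value). */
enum field_status get_form_field(const char *body, const char *name,
                                 char *out, size_t out_size)
{
    size_t name_len = strlen(name);
    const char *p = body;

    if (out_size == 0)
        return FIELD_TOO_LONG;
    out[0] = '\0';
    while (*p != '\0') {
        const char *end = strchr(p, '&');
        size_t pair_len = end ? (size_t)(end - p) : strlen(p);

        if (pair_len > name_len && p[name_len] == '=' &&
            strncmp(p, name, name_len) == 0) {
            size_t val_len = pair_len - name_len - 1;
            if (val_len >= out_size)       /* reject, never copy a partial value */
                return FIELD_TOO_LONG;
            memcpy(out, p + name_len + 1, val_len);
            out[val_len] = '\0';
            return FIELD_OK;
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return FIELD_MISSING;
}

int main(void)
{
    char user[USERNAME_MAX + 1], big[512] = "password=x&username=";
    memset(big + strlen(big), 'A', 400);   /* constructed oversized value */
    printf("%d\n", get_form_field("username=alice&password=x", "username", user, sizeof user));
    printf("%d\n", get_form_field(big, "username", user, sizeof user));
    return 0;
}
```

The destination buffer is left as an empty string on every failure path, so a caller that ignores the return code still does not see attacker-supplied bytes.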
    
