[Full-Disclosure] Buffer Overflows in Novell iChain (Patches available)
From: Axel Dunkel (security_at_Dunkel.de)
Date: 06/09/03
- Previous message: Andreas Gietl: "Re: [Full-Disclosure] Security Vulnerability Reporting and Response Process"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.netsys.com Date: 9 Jun 2003 15:17:36 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Dunkel Advisory: NoviChain-1
Summary : Buffer Overflows in Novell iChain Authentication
Product
Date : 2003 May 15, 12:00 GMT
Release date : 2003 Jun 05, 12:00 GMT
Last change : 2003 Jun 06, 17:42 GMT
Revision : 1.1
********************************************************************
*** SUMMARY
********************************************************************
The Novell iChain product provides identity-based web security
services that control access to application and network resources
across technical and organizational boundaries.
Buffer overflows allow users without authenticating to crash the
iChain Server. Due to the nature of the overflow it is likely that
this can lead to remote administrative access to the server and thus
full access to the protected networks.
********************************************************************
*** Affected products
********************************************************************
Affected products:
Novell iChain Server 2.1 SP2
Novell iChain Server 2.2
Novell iChain Server 2.2 incl. Field Patch 1 (see details)
********************************************************************
*** Details
********************************************************************
The length of the username is only restricted by the SIZE parameter
in the HTML forms but not in the iChain proxy itself. This can be
exploited easily by sending a overly long username in the
authentication dialog which causes the iChain Server to abend (freeze).
In iChain 2.2 Field Patch 1 the username has to be at the end of the
POST parameter list otherwise iChain only prompts with a message
stating missing parameters.
Allthough we are not aware of any exploits in the wild it seems sure
that this is being used to gain access in any targeted attack since
this vulnerability can be found and exploited easily.
********************************************************************
*** Fixes & Workarounds
********************************************************************
Novell developed patches ic22fp1a.exe (for iChain 2.2) and
ic21fp3.exe (for iChain 2.1), available today on Novell's support
Web site at http://support.novell.com/filefinder.
********************************************************************
*** Distribution
********************************************************************
Dunkel GmbH, http://www.Dunkel.de/ , security@Dunkel.de
This notice may be redistributed freely after the release date given
at the top of the text, provided that redistributed copies are
complete and unmodified, and include complete origin information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG
iQCVAwUBPuDT9Uzf+gLrqrKRAQGc9AQAkdqnANhG7DdxTsDAgyBr2mISZR40lh6V
Ake+1Aow2LxvJZIAYHVykKbddwEs8rA84HhiwU3cEPIr3HyB9RQrFmbKCtKhINf9
EhKatkJvd0WJk2yTau9z5igd+AI0V8hYwbEQo7sEWqrNrPAgfY5na2U09+xbQf/T
vJY9lhlYzyU=
=usFu
-----END PGP SIGNATURE-----
--- Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99, E-Mail: ad@Dunkel.de _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Andreas Gietl: "Re: [Full-Disclosure] Security Vulnerability Reporting and Response Process"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
