[NEWS] Novell's iChain FTP Brute Forcing, Path Disclosure and Insecure HTTP Communication Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 03/17/05

  • Next message: SecuriTeam: "[UNIX] LuxMan '-f' Option Buffer Overflow"
    To: list@securiteam.com
    Date: 17 Mar 2005 19:12:00 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Novell's iChain FTP Brute Forcing, Path Disclosure and Insecure HTTP
    Communication Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.novell.com/products/ichain/> Novell iChain "provides
    identity-based web security services that control access to application
    and network resources across technical and organizational boundaries, as
    one Net. The Novell iChain product provides identity-based web security
    services that control access to application and network resources across
    technical and organizational boundaries".

    The following vulnerabilities was recently discovered in Novell iChain
    product: FTP Bruteforce Vulnerability, Remote Path Disclosure and Insecure
    HTTP Communication.

    DETAILS

    Vulnerable Systems:
     * iChain Administration version 2.3

    Vulnerabilities in iChain Mini FTP Server:
    Novell iChain Mini FTP Server does not limit number of invalid logins,
    what means no intruder detection performed and allows a brute force
    attack.

    Novell iChain Mini FTP Server permit execute the PWD command without an
    authentication.

    Example:
    Connected to 10.1.10.1.
    Escape character is '^]'.
    220 Service Ready
    PWD
    257 "SYS:/ETC/PROXY/APPLIANCE/CONFIG/USER" is the current directory

    Novell iChain Mini FTP Server inform when a provided username is invalid
    or not.

    Example:
    Trying 10.1.10.1...
    Connected to 10.1.10.1.
    Escape character is '^]'.
    220 Service Ready
    user test
    530 Invalid user name
    user config
    331 User name Okay, need password

    Insecure connection authentication iChain HTTP Server:
    To enter to iChain Proxy Services' administration, the user must go to
    following URL:
    http://example.com:1959/appliance/config.html

    The system automatically will then redirect us to another service running
    in the TCP port 2222. This TCP port uses the HTTPS protocol to make the
    authentication process, specifically to the following URL:
    https://10.1.10.1:2222/ICSLogin/?"http://10.1.10.1:1959/appliance/config.html

    This page show us a Java form, where we need to provide it with a username
    and a password to, the form will then make a POST to the following CGI
    (NOTE: The CGI is accessed via an insecure HTTP connection):
    http://10.1.10.1:2222/BM-Login/capp-cuo

    With the variables:
     * causername - The provided username
     * capassword - The provided password
     * url - The URL where the user is redirected once the authentication
    process has ended

    If the username/password combination is valid, this CGI will return HTML
    code and a cookie with information:
    Name: IPCZQX02
    Value: c0a210e1583eca8b673f720dd9035aafc4bb52f6
    Path: /Domain: 10.1.10.1

    This cookie is used by the same page to provide it as a value to the Java
    Applet (ApplianceConfigureApplet.class in package client.jar) that allows
    us to administrate iChain.

    The Applet opens a TCP connection with the iChan server's (10.1.10.1) port
    51100. This TCP connection is used to send and get information that the
    client sends or requests. All of this information is not encrypted in any
    way.

    With a simple sniffer we can get all the traffic traveling between the
    administrator and the iChain product.

    Vendor Status:
    Vendor has been notified and has chosen to publish the following
    advisories:
     <http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm>
    http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm
     <http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096886.htm>
    http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096886.htm
     <http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096887.htm>
    http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096887.htm

    Disclosure Timeline:
     * 03.04.05 - Initial vendor notification.
     * 03.05.05 - Initial vendor response.
     * 03.10.05 - Public disclosure.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:famato@infobyte.com.ar>
    Francisco Amato.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] LuxMan '-f' Option Buffer Overflow"

    Relevant Pages

    • [NEWS] eSeSIX Thintune Thin Client Multiple Vulnerabilities
      ... Get your security news from a reliable source. ... All Linux-based Thintune models with firmware version 2.4.38 and prior ... REMOTE ROOT SHELL / BACKDOOR ... ica con_0_10 - password for first ICA connection ...
      (Securiteam)
    • Re: Please, dont kill my WiFi!
      ... potentially bypassing whatever security is at the periphery of the company ... wants to block a connection, it does notify me. ... status suddenly changes from Connected to "Driver not loaded". ... user to choose to run that email attachment or allow that ActiveX control ...
      (microsoft.public.pocketpc.activesync)
    • Re: Questions when using https://servername.local/remote
      ... I am now at home trying to access the office server. ... "Create Remote Connection Disk Wizard" I tried that and it does not work. ... or security parameters may not be configured properly ... When i try the public IP address of the server, i get into the Zywall10 ...
      (microsoft.public.windows.server.sbs)
    • Re: Crazy humanity: war against crimes against humanity and racism - or racist monopoly
      ... All I did is portray I am a hacker, ... As I approached this sect in Hong Kong, three times, they closed ... If your security people can't protect this place from me, ... When I left an old connection alive for ...
      (sci.astro)
    • Re: Crazy humanity: war against crimes against humanity and racism - or racist monopoly
      ... think negatively of Americans as a result of the Iraq war. ... World war II govern-mental power where power decides, orders, ... If your security people can't protect this place from me, ... When I left an old connection alive for ...
      (sci.astro)