
| Subject: | [NEWS] iChain Multiple Vulnerabilities |
|---|---|
| Date: | 30 Aug 2004 18:06:25 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

iChain Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Novell's iChain <http://www.novell.com/products/ichain/> "provides identity-based web security services that control access to application and network resources across technical and organizational boundaries". Multiple vulnerabilities have been discovered in Novell's iChain. These vulnerabilities include cross-site scripting, authentication bypassing and denial of service.

DETAILS

Vulnerable Systems:
 * iChain 2.3 Support Pack 1 Beta 1 version 2.3.251 and prior

Immune Systems:
 * iChain 2.3 Support Pack 1 Beta 1 version 2.3.252 or newer

Security Issues/Alert(s):

1) ACLCHECK Security hole with overlong UTF-8 encoding where access control rules could be bypassed using escape sequences.
2) Cross-site scripting (XSS) vulnerability where login credentials could have been sent to another host.
3) DoS attack on iChain server when URL contains specific string.
4) Security concern with VIA header and the displaying of the iChain build version. Added "viaheaderbuildversion=" option to /etc/proxy/proxy.cfg to modify the build version sent in the VIA header.
   Example: Add the following to the proxy.cfg file:

       [HTTP Headers]
       viaheaderbuildversion=2.3

   This will show up as (iChain 2.3) in the via header. Otherwise it will show up with the standard build version such as (iChain 2.2.252).
5) iChain Administration GUI no longer binds and listens on all assigned IP addresses.
6) iChain passes iChain username/password credentials in authorization basic header instead of the OLAC configured ICHAIN_UID/ICHAIN_PWD when LDAP server pointed to by ACLCHECK profile is DOWN.
7) Set default for Telnet to disabled.

Defects Fixed:

1) "Forward iChain cookie to web server" not working for child accelerators.
2) Customization of iChain error pages not displaying custom images correctly.
3) Cannot access PUBLIC resource when two accelerators pointed to same origin server over http and https.
4) Abend in SSO while unloading and an SSO request is being processed.
5) Removed the set "alturl" in the CLI to redirect error pages to another URL.
6) Authenticating with original URL containing "(" or ")" causing the URL to be rewritten incorrectly with invalid escape sequences.
7) Invalid request-line URI error during authentication when URL includes ampersand (&) characters.
8) RADCHALN.HTM would only load from sys:/etc/proxy/data directory and cannot be customized.
9) Novinet header was not always passed to back-end, breaking Single Sign-On.
10) Proxy mishandling the "100 continue" HTTP response header from origin server and causing Formfill to fail.
11) SAML SSL mutual connection failing against Oblix server.
12) iChain sending multiple CONNECTION HTTP headers in GET request.
13) iChain rewrites iChain session cookies (beginning with ZNPCQ002) used by back end application when "Load Balance at session level only" is enabled.
14) Abend on iChain Authentication server if tree name started with "T".
15) Authentication looping during login to iChain going from secure to non-secure connections when going through session broker.
16) Abend in PROXY.NLM when Rewriter enabled.
17) Abend in PROXY.NLM when client chunking active.
18) Failed login with basic authentication would redirect user to the iChain login page form.
19) "Return error if host name sent by browser does not match above DNS name" not returning error when mismatch in DNS names existed between browser and iChain.
20) Could not authenticate to iChain when user credentials were split between multiple TCP segments.
21) Removed "Domain=" portion of the session (ZNPCQ002) cookie.
22) Secondary IP addresses disappearing after an apply.
23) Updated messages.cfg file to include better instructions.
24) Cannot login to iChain with Mozilla due to encoding of user credentials containing "@" to "%40".
25) Abend in SSO.NLM when <maskedPost/> used in Formfill policy.
26) Abend in LIBC.NLM|strcpy caused by Formfill.
27) Abend in Proxy when "DNS IPQuery Waiting For UDP Send Complete" message appears on system console.
28) iChain server hangs when downed due to SMTP alerting being enabled.
29) iChainFormFillCrib values not filling into form if form credentials sent back was split across multiple TCP segments.
30) Abend in Proxy.nlm due to invalid bufseg when user submits login credentials to iChain.
31) X-Forwarder header randomly getting dropped and client IP address getting mixed into cookie instead.
32) Abend in PROXY.NLM|TCPGetSendData().
33) User DN sent instead of CN in OLAC Header after purge cache performed.
34) Fixed memory leak in ACLCHECK.NLM.
35) OLAC parameters from the LDAP data source are not sent to the web server after SAML Authentication is performed.
36) SAML server getting a 500 error back from iChain on a "/cmd/mutExt" artifact request.
37) Abend importing NAS if SAML authentication server information included in ISO object.
38) Abend in NWUTIL.NLM|Alloc() when iChain handles HTTP POST request containing more than 4kB of data.
39) "REGJNI: getStringValue not NULL terminated" error on iChain Java Interpreter screen.
40) Expired certificates reported as 'auto' in iChain GUI instead of expired.
41) Cannot access iChain services after importing NAS file.
42) Cannot access iChain CLI when TCPIP.CFG is corrupt.
43) Upper/lowercase issues with SPEED= setting in current.nas.
44) "Set eth primary address" was not working correctly.
45) Abend in AUTOVOL.NLM during installation on GL380G3.
46) OCSP problems validating responses signed by multiple Certificate Authorities.
47) Cannot connect to remote Web server when Secure Exchange is enabled on public resource.
48) OLAC gets a java exception when enabled through a NAS file.
49) COS file system not getting created during install on system with large amount of disk space.
50) Changes to Xtier Realm name case did not get saved.

Enhancements:

1) Added the ability to enable the secure bit on cookies.
   - Edit APPSTART.NCF to load PROXY.NLM with the -cs switch.
     Syntax: load proxy -cs
   - All accelerators must have secure exchange enabled to utilize this feature.
2) Added additional field (Load Line Parameters) for board settings in Admin GUI for Gigabit card support.
3) Removed SOCKS client setting from the Gateway panel.
4) Remove Filtering/WCCP modules that iChain does not use.
5) Raised number of Trusted Roots limit supported from 32 to 64.
6) Fixed browser error "Chained certs causing basic constraint violation messages" with chained client certificate whose path length constraint set to 0.
7) Added an Evaluation License Reset function. Call Novell Technical Support and reference internal TID 10090910 for instructions and unlock code.
8) Add option to insert/remove sub path in Cookies when using Path Based Multi-homing.
   Syntax: removesubpathincookie = [yes/no]
9) Support to store Form Fill Policies on local file system.
   Syntax: Add the following to the Form Fill Policy on the ISO object:
   <LocalPolicy>{Filename}</LocalPolicy>
   * If {FileName} does not contain \ / or : it is a file expected to be in SYS:ETC\Proxy\Appliance\Config\User\Formfill - otherwise it will take it as an absolute path. You can use multiple tags like this... But the maximum size is limited to 1MB.
10) Now validate administrator Formfill XML against existing XML Tags to make sure syntax and cases are correct.
11) Added iChain set command to turn off CRL checking.
    Syntax: set authentication <profile_name> mutual disablerevocationchecks = [yes/no]
12) Option to disable telnet posting listener on TCP port 23.
    Syntax: set listener telnet enable = [on/off]
13) Made an Admin GUI setting for non-exportability of Certificates.
14) Improved OTWUG install to differentiate between iChain product versions.
15) Caching improvements when .js, .jpg, .jpeg, .png files referenced in customized login pages.
16) DNS error messages added to the messages.cfg file.
17) Added "Please Login" string from login pages to the messages.cfg for translation.

Known Issues:

Users coming in through Mutual SSL Authentication may get a certificate error if they try to hit the site while their userid is in the 0 TTL state. During the 0 TTL state a user's session has timed out but there is a maximum 60 second window where the userid is still registered with the IAGENT database.

Installation:

Recommendations: Prior to placing b1ic23sp1.exe in a production environment, test in an environment that mirrors the production environment.

b1ic23sp1.exe is a self-extracting file that will extract into three files: b1ichain23sp1.zip, b1ichain23sp1.txt and b1ic23sp1.txt. b1ichain23sp1.zip is the OTWUG (Over The Wire Upgrade). b1ichain23sp1.txt is the installation file for the OTWUG. b1ic23sp1.txt is the readme for the patch.

Installing b1ic23sp1.exe

1) Special notes for this OTWUG:

   This OTWUG will upgrade an iChain 2.2 server to iChain 2.3. If you are upgrading to 2.3, you will be prompted to accept the 2.3 license during the install. Therefore, console access is necessary to accept the license agreement and upgrade.

   Additionally, during the upgrade all drivers (and many other files that you may have customized) currently running on the iChain 2.2 server will be replaced.
   Review the drivers and files in the b1ichain23sp1.zip file to verify that they are correct for your hardware and environment. Examples of such files include:

   * NCPIP.NLM: For security reasons, C:/NWSERVER/NCPIP.NLM was renamed to NCPIP.OLD. If login to the iChain server is desired NCPIP.NLM will have to be re-named to the original file name after the OTWUG completes.
   * OAC.PROPERTIES: When you install this support pack, any OLAC custom plug-ins will be overwritten. To avoid this issue, back up your oac.properties file before installing this support pack, then copy the file back over once the support pack is successfully installed. If you have not modified the file previously, skip this step.
   * APPSTART.NCF: Make note of any customized load lines in appstart.ncf prior to applying the patch. Do NOT include "load logevent" and "load lcache" if they appear in your current file.
   * MESSAGES.CFG will be updated.
   * TELNET will be disabled by default for security reasons. If TELNET is used for administrative purposes you will need to re-enable it after applying this patch. Import the TELNETON configuration file from the ADMIN GUI under the System | Import/Export tab.

2) Back-up all configuration files and third-party certificates.
   a. If the iChain server has a cloned drive (multiple drives), a clone update should be performed prior to the upgrade, or
   b. Export the CURRENT.NAS, TUNE.NCF, APPSTART.NCF, MESSAGES.CFG (if customized), any third-party certificates, and any other customized login pages or files to floppy for backup purposes. Remove the floppy.
3) Copy b1ichain23sp1.zip & b1ichain23sp1.txt to a directory on a Web Server that can be accessed by the iChain appliance and a workstation that will run the iChain Appliance Configuration GUI.
4) Temporarily disable all accelerators or block public traffic.
5) If "Allow administration from specified clients" has been configured, add the IP address of the iChain server to the list.
6) Modify the URL line in the b1ichain23sp1.txt file so that it contains the appropriate path/URL to the b1ichain23sp1.zip file.
   Example: If the zip file was placed at the default/root directory of a Web Server with the IP address 10.10.10.1 then change url=http://** location**/b1ichain23sp1.zip to url=http://10.10.10.1/b1ichain23sp1.zip.
7) In the Appliance Configuration GUI under System | Upgrade | Install from URL, put in the matching URL to the .txt file. Using the example above: http://10.10.10.1/b1ichain23sp1.txt.
   NOTE: Point to the .txt installation file, not the .zip file.
8) Check the "Enable download" and "Enable install" boxes.
9) Specify times to begin the download and install.
10) Click on "Apply".

ADDITIONAL INFORMATION

The information has been provided by Novell Product Security.
The original article can be found at: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2969621.htm
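
Security issue 1 in the advisory describes access control rules being bypassed with overlong UTF-8 escape sequences. As an added example (not Novell's or SecuriTeam's code), the Python sketch below shows the check a proxy or filter can apply before matching a path against its rules: it flags any multi-byte sequence that encodes a code point a shorter form could represent, and refuses the path. The function names and sample paths are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Smallest code point that legitimately needs a sequence of each length.
MIN_CODEPOINT = {2: 0x80, 3: 0x800, 4: 0x10000}


def find_overlong(raw: bytes):
    """Return (offset, sequence_hex, codepoint) for each overlong UTF-8 form."""
    hits, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:                      # plain ASCII byte
            i += 1
            continue
        if b >> 5 == 0b110:
            length, cp = 2, b & 0x1F
        elif b >> 4 == 0b1110:
            length, cp = 3, b & 0x0F
        elif b >> 3 == 0b11110:
            length, cp = 4, b & 0x07
        else:                             # stray continuation or invalid lead byte
            i += 1
            continue
        tail = raw[i + 1:i + length]
        if len(tail) != length - 1 or any(t >> 6 != 0b10 for t in tail):
            i += 1                        # malformed; the strict decode rejects it
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < MIN_CODEPOINT[length]:    # a shorter encoding exists: overlong
            hits.append((i, raw[i:i + length].hex(), cp))
        i += length
    return hits


def canonical_path(url_path: str) -> str:
    """Percent-decode once, reject overlong forms, then strictly decode UTF-8."""
    raw = unquote_to_bytes(url_path)
    overlong = find_overlong(raw)
    if overlong:
        raise ValueError(f"overlong UTF-8 in path: {overlong}")
    return raw.decode("utf-8")            # strict: rejects other malformed input


# Constructed sample paths, not taken from the advisory.
SAMPLES = ["/public/index.html", "/public/caf%C3%A9.html", "/public%C0%AFadmin"]
```

Access rules should be evaluated only against the string `canonical_path` returns, so the rule matcher and the component that finally resolves the path see the same characters.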