Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Novell's iChain FTP Brute Forcing, Path Disclosure and Insecure H

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Novell's iChain FTP Brute Forcing, Path Disclosure and Insecure HTTP Communication Vulnerabilities
Date: 17 Mar 2005 19:12:00 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Novell's iChain FTP Brute Forcing, Path Disclosure and Insecure HTTP 
Communication Vulnerabilities
------------------------------------------------------------------------


SUMMARY

 <http://www.novell.com/products/ichain/> Novell iChain "provides 
identity-based web security services that control access to application 
and network resources across technical and organizational boundaries, as 
one Net. The Novell iChain product provides identity-based web security 
services that control access to application and network resources across 
technical and organizational boundaries".

The following vulnerabilities was recently discovered in Novell iChain 
product: FTP Bruteforce Vulnerability, Remote Path Disclosure and Insecure 
HTTP Communication.

DETAILS

Vulnerable Systems:
 * iChain Administration version 2.3

Vulnerabilities in iChain Mini FTP Server:
Novell iChain Mini FTP Server does not limit number of invalid logins, 
what means no intruder detection performed and allows a brute force 
attack.

Novell iChain Mini FTP Server permit execute the PWD command without an 
authentication.

Example:
Connected to 10.1.10.1.
Escape character is '^]'.
220 Service Ready
PWD
257 "SYS:/ETC/PROXY/APPLIANCE/CONFIG/USER" is the current directory

Novell iChain Mini FTP Server inform when a provided username is invalid 
or not.

Example:
Trying 10.1.10.1...
Connected to 10.1.10.1.
Escape character is '^]'.
220 Service Ready
user test
530 Invalid user name
user config
331 User name Okay, need password

Insecure connection authentication iChain HTTP Server:
To enter to iChain Proxy Services' administration, the user must go to 
following URL:
http://example.com:1959/appliance/config.html

The system automatically will then redirect us to another service running 
in the TCP port 2222. This TCP port uses the HTTPS  protocol to make the 
authentication process, specifically to the following URL:
https://10.1.10.1:2222/ICSLogin/?"http://10.1.10.1:1959/appliance/config.html

This page show us a Java form, where we need to provide it with a username 
and a password to, the form will then make a POST to the following CGI 
(NOTE: The CGI is accessed via an insecure HTTP connection):
http://10.1.10.1:2222/BM-Login/capp-cuo

With the variables:
 * causername - The provided username
 * capassword - The provided password
 * url - The URL where the user is redirected once the authentication 
process has ended

If the username/password combination is valid, this CGI will return HTML 
code and a cookie with information:
Name: IPCZQX02
Value: c0a210e1583eca8b673f720dd9035aafc4bb52f6
Path: /Domain: 10.1.10.1

This cookie is used by the same page to provide it as a value to the Java 
Applet (ApplianceConfigureApplet.class in package client.jar) that allows 
us to administrate iChain.

The Applet opens a TCP connection with the iChan server's (10.1.10.1) port 
51100. This TCP connection is used to send and get information that the 
client sends or requests. All of this information is not encrypted in any 
way.

With a simple sniffer we can get all the traffic traveling between the 
administrator and the iChain product.

Vendor Status:
Vendor has been notified and has chosen to publish the following 
advisories:
 <http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm> 
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm
 <http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096886.htm> 
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096886.htm
 <http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096887.htm> 
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096887.htm

Disclosure Timeline:
 * 03.04.05 - Initial vendor notification.
 * 03.05.05 - Initial vendor response.
 * 03.10.05 - Public disclosure.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:famato@infobyte.com.ar> 
Francisco Amato.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Novell's iChain FTP Brute Forcing, Path Disclosure and Insecure HTTP Communication Vulnerabilities, SecuriTeam <=
Previous by Date:  [EXPL] iPool and iSnooker Local Password Disclosure, SecuriTeam
Next by Date:  [UNIX] LuxMan '-f' Option Buffer Overflow, SecuriTeam
Previous by Thread:  [EXPL] iPool and iSnooker Local Password Disclosure, SecuriTeam
Next by Thread:  [UNIX] LuxMan '-f' Option Buffer Overflow, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]