[15676] in bugtraq
Novell BorderManager - Anyone can pose as an authenticated user
daemon@ATHENA.MIT.EDU (Coward, Anonymous)
Fri Jul 7 14:59:09 2000
Message-Id: <06256915.00591E18.00@uprrsmtp2.notes.up.com>
Date: Fri, 7 Jul 2000 10:12:09 -0600
Reply-To: UPRR_DSA@UP.COM
From: "Coward, Anonymous" <UPRR_DSA@UP.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Info:
Author: George R. Johnson
Date: 07/07/00
Product: BorderManager 3.0 (possibly others)
Vendor: Novell
Problem: Unauthenticated user can web surf as any authenticated user
Discussion:
To provide SSO-like capabilities for customers using the BorderManager proxy server
and the NetWare client, Novell uses a small program, ClientTrust, typically run
from the user's login script. Once run, ClientTrust listens indefinitely on
port 3024 for requests. Upon a user's initial attempt to access the web through
BorderManager, BorderManager sends a "request" to the user's box in the form of
UDP packets on port 3024. ClientTrust acknowledges this request, again via UDP.
ClientTrust then works with the NetWare client to send BorderManager, via NCP, the
currently logged-in user's fully-qualified userid. BorderManager uses this
userid for checks against its rulesets to deny or allow access to URLs. In other
words, the only thing binding the userid to a web session is the IP address the
request came from.
The problem with this setup is twofold:
1. BorderManager never verifies that the source of the access request and the
source of the user information are the same.
2. BorderManager relies on an as yet undetermined (by me, anyway) timeout before
a user is considered no longer "authenticated".
By exploiting this design, an unauthenticated user can access the web as any
authenticated user. Things get really fun when victim users are members of the
(insert your organization's list of trusted users) group granted full access to
the web, not to mention the possibilities of making someone *really* look bad
with attempts to reach forbidden pages. As a side note, it does have the pleasant
side effect of being able to surf the web through the proxy server from your
UN*X box ;-)
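The two design points above, as an added example that is not Novell's code: a toy model in Python of a proxy that caches a userid against a client IP. WeakProxy behaves as the advisory describes (it accepts whatever userid comes back and never re-checks it); HardenedProxy shows the two properties the design lacks, namely that the identity must come from the same address that made the web request, and that it must expire and be re-challenged. The message formats, the Network and FakeClock helpers, and the addresses and userids are all assumptions made for the example, since the real UDP/NCP exchange is not described in the post.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityReport:
    """What the proxy learns from a ClientTrust answer: the NDS userid and
    the IP of the host that actually answered the challenge (assumption:
    the real UDP/NCP exchange lets the proxy know who answered)."""
    userid: str
    answered_from: str


class Network:
    """Constructed lab network: which IPs run ClientTrust (ip -> logged-in
    userid) and any port 3024 redirections an attacker has set up
    (attacker_ip -> victim_ip), as with the uredir trick in exploit 1."""

    def __init__(self, clienttrust_hosts, redirects=None):
        self.hosts = dict(clienttrust_hosts)
        self.redirects = dict(redirects or {})

    def challenge(self, client_ip):
        """The proxy's 'request' to port 3024 on client_ip. Whoever the
        datagram reaches answers; None if no ClientTrust is running there."""
        answering_ip = self.redirects.get(client_ip, client_ip)
        userid = self.hosts.get(answering_ip)
        return None if userid is None else IdentityReport(userid, answering_ip)


class FakeClock:
    """Deterministic stand-in for time.monotonic so the timeout is testable."""
    def __init__(self):
        self.now = 0.0
    def advance(self, seconds):
        self.now += seconds
    def __call__(self):
        return self.now


class WeakProxy:
    """Models the behaviour the advisory describes: the first userid that
    comes back is cached against the requesting IP, its origin is never
    compared with the request source, and the entry never expires."""

    def __init__(self, net, clock=None):   # clock unused: nothing ever expires
        self.net, self.cache = net, {}

    def who_is(self, client_ip):
        if client_ip not in self.cache:
            report = self.net.challenge(client_ip)
            if report is None:
                return None                           # no ClientTrust: unauthenticated
            self.cache[client_ip] = report.userid     # flaw 1: origin unchecked
        return self.cache[client_ip]                  # flaw 2: never re-verified


class HardenedProxy:
    """Binds the identity to the IP that both made the request and answered
    the challenge, and re-challenges after idle_timeout seconds of silence."""

    def __init__(self, net, clock=None, idle_timeout=300.0):
        self.net, self.cache = net, {}
        self.clock = clock or time.monotonic
        self.idle_timeout = idle_timeout

    def who_is(self, client_ip):
        now = self.clock()
        entry = self.cache.get(client_ip)
        if entry and now - entry[1] <= self.idle_timeout:
            self.cache[client_ip] = (entry[0], now)   # refresh the idle timer
            return entry[0]
        self.cache.pop(client_ip, None)               # stale: force a re-challenge
        report = self.net.challenge(client_ip)
        if report is None or report.answered_from != client_ip:
            return None                               # nobody, or someone else, answered
        self.cache[client_ip] = (report.userid, now)
        return report.userid


ALICE = "alice.users.corp"   # constructed victim userid


def scenario_redirect(proxy_cls):
    """Exploit 1: attacker 10.0.0.66 forwards port 3024 to Alice's 10.0.0.5."""
    net = Network({"10.0.0.5": ALICE}, redirects={"10.0.0.66": "10.0.0.5"})
    return proxy_cls(net).who_is("10.0.0.66")


def scenario_hijack(proxy_cls):
    """Exploit 2: Alice authenticates, her box is knocked off the net and the
    attacker brings up a machine (without ClientTrust) on her IP."""
    clock, net = FakeClock(), Network({"10.0.0.5": ALICE})
    proxy = proxy_cls(net, clock=clock)
    before = proxy.who_is("10.0.0.5")
    del net.hosts["10.0.0.5"]      # victim gone; attacker now owns 10.0.0.5
    clock.advance(3600)
    return before, proxy.who_is("10.0.0.5")


if __name__ == "__main__":
    for cls in (WeakProxy, HardenedProxy):
        print(cls.__name__, scenario_redirect(cls), scenario_hijack(cls))
```

WeakProxy hands Alice's userid to the attacker's address in both scenarios, HardenedProxy returns None in both. The timeout only narrows the hijack of exploit 2 to the idle window, and nothing here is a patch for the real product, which only Novell can supply.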
Exploit(s):
1. Redirect port 3024 to another machine.
Using a port redirector (in this case uredir was used), an attacker can redirect
port 3024 on his own machine to a victim's machine, so that the UDP request
BorderManager sends to the attacker's box is forwarded to the victim's ClientTrust.
When the attacker accesses the web (through the BorderManager proxy server) while
running the redirector, the victim's ClientTrust validates the victim's userid to
BorderManager on behalf of the attacker. Any web pages accessed by the attacker are
done so with the victim's credentials. However, using this method, the attacker's
IP address is recorded with the victim's userid in the proxy logs.
2. Hijack the victim's session.
Should an attacker successfully DoS the machine of a victim who is already
authenticated to BorderManager, the attacker can surf as the victim by bringing
up a machine with the victim's IP address: the proxy has bound the userid to
that address and will not re-check it until the timeout in point 2 above. This
method has the added benefit of stealth, as the proxy logs record the victim's
IP and userid.
3. Not really an exploit, merely a side effect?
Users logged into Microsoft Terminal Server access the web as the person who first
"authenticates" to BorderManager, since the ClientTrust application is not
designed to run correctly on multi-user hosts.
Note: These exploits don't imply total circumvention of BorderManager rules.
Rather, they indicate that through impersonation, an attacker can gain a more
lenient set of rules if those rules exist.
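Because exploit 1 leaves the attacker's address in the proxy log next to the victim's userid, the one check a BorderManager administrator can run today is to look for a userid that appears from more than one client IP within a short window. The following Python is an added example, not from the post or from Novell; the log lines are constructed in a Common Log Format-like layout with the userid in the third field, which is an assumption, since the real proxy log layout is not given here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: client IP, ident, userid, timestamp, request, status, bytes.
# Alice (10.0.0.5) is impersonated from 10.0.0.66 at 10:05; Bob legitimately
# changes address hours later. This is NOT the real BorderManager log layout.
SAMPLE_LOG = """\
10.0.0.5 - alice.users.corp [07/Jul/2000:10:01:12 -0600] "GET http://www.novell.com/ HTTP/1.0" 200 5120
10.0.0.5 - alice.users.corp [07/Jul/2000:10:03:40 -0600] "GET http://www.up.com/ HTTP/1.0" 200 2210
10.0.0.66 - alice.users.corp [07/Jul/2000:10:05:02 -0600] "GET http://www.example.com/ HTTP/1.0" 200 812
10.0.0.7 - bob.users.corp [07/Jul/2000:10:06:19 -0600] "GET http://www.example.net/ HTTP/1.0" 403 0
10.0.0.5 - alice.users.corp [07/Jul/2000:10:07:55 -0600] "GET http://www.novell.com/ HTTP/1.0" 200 5120
10.0.0.7 - bob.users.corp [07/Jul/2000:15:30:00 -0600] "GET http://www.example.net/ HTTP/1.0" 200 1000
10.0.0.9 - bob.users.corp [07/Jul/2000:16:45:00 -0600] "GET http://www.example.org/ HTTP/1.0" 200 400
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse(log_text):
    """Yield (timestamp, userid, client_ip) per well-formed line; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # do not crash on a malformed line
        ip, user, ts = m.group(1), m.group(2), m.group(3)
        events.append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), user, ip))
    return events


def find_shared_userids(events, window=timedelta(minutes=30)):
    """Return {userid: (sorted client IPs, first time >1 IP was seen)} for every
    userid that appears from more than one client IP inside `window`."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        if user != "-":                   # unauthenticated requests carry no userid
            by_user[user].append((ts, ip))
    alerts = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0                         # sliding window over this user's requests
        for i, (ts, ip) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1
            ips = {h[1] for h in hits[start:i + 1]}
            if len(ips) > 1:
                alerts.setdefault(user, {"ips": set(), "first_seen": ts})
                alerts[user]["ips"] |= ips
    return {u: (sorted(a["ips"]), a["first_seen"]) for u, a in alerts.items()}


if __name__ == "__main__":
    for user, (ips, first_seen) in find_shared_userids(parse(SAMPLE_LOG)).items():
        print(f"{user}: seen from {', '.join(ips)} starting {first_seen:%H:%M:%S}")
```

With the default 30-minute window only Alice is flagged; widen it to two hours and Bob's afternoon address change is flagged too, which is the false-positive trade-off (a laptop renewing a DHCP lease looks the same), so keep the window short and confirm against the DHCP lease log before acting. Exploit 2 leaves no such trace, since the victim's own IP and userid are what get logged.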
Solution:
Novell was notified of the problem and agreed that this was a design flaw;
however, no patches to existing software have been released.
Credit:
T. Ferony - for the initial port redirection exploit concept. (I basically just
took the ball and ran with it.)