Novell BorderManager User Impersonation Vulnerability
BID:1440
Info
Novell BorderManager User Impersonation Vulnerability
| Bugtraq ID: | 1440 |
| Class: | Origin Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jul 07 2000 12:00AM |
| Updated: | Jul 07 2000 12:00AM |
| Credit: | Posted to Bugtraq on July 7, 2000 by George R. Johnson <[email protected]>. |
| Vulnerable: |
Novell BorderManager 3.5 Novell BorderManager 3.0 |
| Not Vulnerable: | |
Discussion
Novell BorderManager User Impersonation Vulnerability
Novell BorderManager implements an application called ClientTrust to handle login procedures. ClientTrust listens on port 3024 of the user's machine for authentication requests from BorderManager whenever the user attempts to access the web. This mechanism makes it feasible for an unauthenticated user to masquerade as an authorized user due to the fact that it does not verify the origin of the access request.
This may be accomplished through port redirection on port 3024. First, an attacker would need to pick a machine in use by the person they want to impersonate (the target). Second, they set up port forwarding on their own system, so that any requests made to port 3024 are forwarded to the target's machine. Then, they make their request. THe BorderManager server queries the attacker's machine. The attacker forwards the query to the target, which responds with the correct information. The BorderManager server then allows the request.
This can lead to two seperate risks: Unauthorized content access, and character attacks by accessing questionable websites using the target's credentials.
The correct IP address of the attacker's machine will be logged.
Novell BorderManager implements an application called ClientTrust to handle login procedures. ClientTrust listens on port 3024 of the user's machine for authentication requests from BorderManager whenever the user attempts to access the web. This mechanism makes it feasible for an unauthenticated user to masquerade as an authorized user due to the fact that it does not verify the origin of the access request.
This may be accomplished through port redirection on port 3024. First, an attacker would need to pick a machine in use by the person they want to impersonate (the target). Second, they set up port forwarding on their own system, so that any requests made to port 3024 are forwarded to the target's machine. Then, they make their request. THe BorderManager server queries the attacker's machine. The attacker forwards the query to the target, which responds with the correct information. The BorderManager server then allows the request.
This can lead to two seperate risks: Unauthorized content access, and character attacks by accessing questionable websites using the target's credentials.
The correct IP address of the attacker's machine will be logged.
Exploit / POC
Novell BorderManager User Impersonation Vulnerability
see discussion
see discussion
Solution / Fix
Novell BorderManager User Impersonation Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Novell BorderManager User Impersonation Vulnerability
References:
References:
- BorderManager Product Homepage (Novell)