TUCoPS :: Unix :: General :: border~1.txt


Novell BorderManager Exploit

COMMAND
 Novell Border Manager
SYSTEMS AFFECTED
 Novell BorderManager 3.0
PROBLEM
 T. Ferony and George R. Johnson found the following. To provide
 SSO-like capabilities for customers using the BorderManager proxy
 server and the NetWare client, Novell uses a small program,
 ClientTrust, typically run from the user's login script. Once
 run, ClientTrust listens indefinitely on port 3024 for requests.
 Upon a user's initial attempt to access the web through
 BorderManager, BorderManager sends a "request" to the user's box
 in the form of UDP packets on port 3024. ClientTrust
 acknowledges this request, again via UDP. ClientTrust then works
 with the NetWare client to send BorderManager, via NCP, the
 currently logged in user's fully-qualified userid. BorderManager
 uses this userid for checks against its rulesets to deny or allow
 access to URLs.
 The problem with this setup is twofold:
 1. BorderManager never verifies that the source of the access
 request and the source of the user information are the
 same.
 2. BorderManager relies on an as yet undetermined (by me,
 anyway) timeout before a user is considered no longer
 "authenticated".
 By exploiting this design, an unauthenticated user can access the
 web as any authenticated user. Things get really fun when victim
 users are members of the (insert your organization's list of
 trusted users) group granted full access to the web - not to
 mention the possibilities of making someone *really* look bad
 with attempts to forbidden pages. As a side note, it does have
 the pleasant side effect of being able to surf the web through
 the proxy server from your UN*X box.
 Exploit(s):
 1. Redirect port 3024 to another machine.
 Using a port redirector (in this case uredir was used), an
 attacker can redirect port 3024 to a victim's machine. When
 the attacker accesses the web (through the BorderManager
 proxy server) while running the redirector, the victim's
 ClientTrust validates the victim's userid to BorderManager on
 behalf of the attacker. Any web pages the attacker accesses
 are therefore fetched with the victim's credentials. However,
 using this method, the attacker's IP address is recorded with
 the victim's userid in the proxy logs.
 2. Hijack the victim's session.
 Should an attacker successfully DoS the machine of a victim
 who's already authenticated to BorderManager, the attacker
 can surf as the victim by bringing up a machine with the
 victim's IP address. This method has the added benefit of
 stealth as proxy logs record the victim's IP and userid.
 3. Not really an exploit, merely a side effect?
 Users logged into M$ Terminal Server access the web as the
 person who first "authenticates" to BorderManager since the
 ClientTrust application is not designed to run correctly on
 multi-user hosts.
 Note: These exploits don't imply total circumvention of
 BorderManager rules. Rather, they indicate that through
 impersonation, an attacker can gain a more lenient set of
 rules if those rules exist.
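 As an added illustration (not part of the original advisory), the
 logging artifact mentioned under method 1, the attacker's IP being
 recorded against the victim's userid, is something a defender can
 hunt for: the same fully-qualified userid appearing from two
 different source addresses within a short window. The script below
 is written for this page; it assumes a simplified, constructed
 proxy log format of "timestamp source_ip userid url" (not
 BorderManager's actual log layout) and uses made-up sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log line layout: "<ISO timestamp> <source ip> <userid> <url>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)$")

# Constructed sample lines. alice's userid shows up from 10.0.0.77 a few
# minutes after her own box (10.0.0.5) used it; bob moves machines hours apart.
SAMPLE_LOG = """\
2000-03-01T09:00:00 10.0.0.5 alice.eng.acme http://www.example.com/
2000-03-01T09:01:30 10.0.0.5 alice.eng.acme http://www.example.com/news
2000-03-01T09:02:10 10.0.0.9 bob.eng.acme http://www.example.com/
this line is malformed and must be skipped
2000-03-01T09:05:00 10.0.0.77 alice.eng.acme http://forbidden.example/
2000-03-01T09:05:05 10.0.0.77 alice.eng.acme http://forbidden.example/more
2000-03-01T13:00:00 10.0.0.9 bob.eng.acme http://www.example.com/
2000-03-01T14:30:00 10.0.0.12 bob.eng.acme http://www.example.com/
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "url": m["url"],
    }


def find_shared_userids(log_text, window_minutes=30):
    """Report each (userid, pair of source IPs) where the same userid was used
    from two different addresses within window_minutes of each other.

    Each pair is reported once, at the time of the request that first revealed it.
    """
    window = timedelta(minutes=window_minutes)
    seen = defaultdict(dict)      # userid -> {source_ip: timestamp of last request}
    reported = set()              # (userid, (ip_a, ip_b)) pairs already alerted on
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                                  # skip unparseable lines
        user, ip, ts = rec["user"], rec["ip"], rec["ts"]
        for other_ip, other_ts in seen[user].items():
            if other_ip != ip and ts - other_ts <= window:
                key = (user, tuple(sorted((ip, other_ip))))
                if key not in reported:
                    reported.add(key)
                    alerts.append({"user": user, "ips": key[1], "at": ts.isoformat()})
        seen[user][ip] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_shared_userids(SAMPLE_LOG):
        print(f"{alert['at']}: userid {alert['user']} seen from {alert['ips'][0]} "
              f"and {alert['ips'][1]} within the window")
```

 On the sample data this flags only alice.eng.acme (10.0.0.5 and
 10.0.0.77 within a few minutes); bob's change of address 90 minutes
 later is outside the default window and is not reported. The check
 only covers the redirection case: with method 2 the proxy records the
 victim's own IP alongside the victim's userid, so nothing in the
 proxy log alone distinguishes the hijacker from the victim.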
SOLUTION
 Novell was notified of the problem and agreed that this is a
 design flaw; however, no patches to existing software have been
 released.
