Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[Gosecure Adivsory] Neoteris IVE Vulnerability

From: Jian Hui Wang <jhwang () gosecure ca>
Date: 6 Oct 2004 17:35:12 -0000


                      Gosecure Advisory

                     http://www.gosecure.ca

             Neoteris IVE changepassword.cgi Authentication Bypass


Date Published: 2004-09-20

Date Discovered: 2004-07-23

Advisory ID: GOSECURE-2004-10

Class: Design Error

Risk: Medium

Vendor: Juniper Networks
www.juniper.net

Advisory URL:
http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt


Affected System:

Neoteris Instant Virtual Extranet (IVE) OS, Version 3.x
Netories Instant Virtual Extranet (IVE) OS, Version 4.x  

Description:

Neoteris Instant Virtual Extranet (IVE) is a well known "clientless" SSL VPN solution for internal network remote 
access via standard web browser. It is widely used as an extranet portal for corporate network.

There is a vulnerability in Neoteris IVE password management.

When a valid user tries to authenticate via Neoteris and the password is expired, the user will be directly forwarded 
to "changepassword.cgi" without asking any form of authentication. The username, authentication server and type will be 
appended to “changepassword.cgi” URL. Since the "changepassword.cgi" allows the user to try the old password as many 
times as they want, effectively allowing brute force password attack. By using the trivial information gathering skills 
to get the valid accounts and launching brute force attack, a remote attacker may take over the password expired 
accounts and gain unauthorized access to the internal network resource.

This vulnerability only affects the IVE products which are configured with an LDAP or NT domain authentication server. 
Other type of authentication servers are  not affected.

Solution:

Vendor has released a patch and an advisory to address to this vulnerability. The advisory is available the following 
location:
http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Seach&txtAlertNumber=PSN-2004-08-25&viewMode=view

Credits:

The vulnerability was found by Jian Hui Wang from Team Gosecure. Great thank to Robert Masse for his support to this 
issue.

Copyright (c) 2002-2004 GoSecure.Inc

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way 
without express consent of Gosecure. If you wish to reprint the whole or any part of this alert 
in any other medium excluding electronic medium, please email info () gosecure ca for permission.

Disclaimer

The information within this advisory may change without notice. There are no warranties, implied or express, with 
regard to this information.  In no event shall the author be liable for any direct or indirect damages 
whatever arising out or in connection with the use or spread of this information. Any use of this information is at the 
user's own risk.
Previous By Date Next
Previous By Thread Next

Current thread: