Bugtraq mailing list archives

Novell BorderManager - Anyone can pose as an authenticated user


From: UPRR_DSA () UP COM (Coward, Anonymous)
Date: Fri, 7 Jul 2000 10:12:09 -0600


Info:
Author:  George R. Johnson
Date:  07/07/00
Product:  BorderManager 3.0 (possibly others)
Vendor:  Novell
Problem:  Unauthenticated user can web surf as any authenticated user

Discussion:
To provide SSO-like capabilities for customers using BorderManager proxy server
and the NetWare client, Novell uses a small program, ClientTrust, typically run
from the user's login script.  Once run, ClientTrust listens indefinitely on
port 3024 for requests.  Upon a user's initial attempt to access the web through
BorderManager, BorderManager sends a "request" to the user's box in the form of
UDP packets on port 3024.  ClientTrust acknowledges this request, again via UDP.
ClientTrust then works with the NetWare client to send BorderManager via NCP the
currently logged in user's fully-qualified userid.  BorderManager uses this
userid for checks against its rulesets to deny or allow access to URLs.

The problem with this setup is twofold:

1.  BorderManager never verifies that the source of the access request and the
source of the user information are the same.

2.  BorderManager relies on an as yet undetermined (by me, anyway) timeout before
a user is considered no longer "authenticated".

By exploiting this design, an unauthenticated user can access the web as any
authenticated user.  Things get really fun when victim users are members of the
(insert your organization's list of trusted users) group granted full access to
the web - not to mention the possibilities of making someone *really* look bad
with attempts to forbidden pages.  As a side note, it does have the pleasant
side effect of being able to surf the web through the proxy server from your
UN*X box ;-)

Exploit(s):

1.  Redirect port 3024 to another machine.
Using a port redirector (in this case uredir was used), an attacker can redirect
port 3024 to a victim's machine.  When the attacker accesses the web (through
the BorderManager proxy server) while running the redirector, the victim's
ClientTrust validates the victim's user id to BorderManager on behalf of the
attacker.  Any web pages accessed by the attacker are done so with the victim's
credentials.  However, using this method, the attacker's IP address is recorded
with the victim's userid in the proxy logs.

2.  Hijack the victim's session.
Should an attacker successfully DoS the machine of a victim who's already
authenticated to BorderManager, the attacker can surf as the victim by bringing
up a machine with the victim's IP address.  This method has the added benefit of
stealth as proxy logs record the victim's IP and userid.

3.  Not really an exploit, merely a side effect?
Users logged into M$ Terminal Server access the web as the person who first
"authenticates" to BorderManager since the ClientTrust application is not
designed to run correctly on multi-user hosts.

Note:  These exploits don't imply total circumvention of BorderManager rules.
Rather, they indicate that through impersonation, an attacker can gain a more
lenient set of rules if those rules exist.
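One detection that follows directly from the log observation in exploit 1 (the attacker's IP address gets recorded against the victim's userid): flag any userid that is seen from more than one source IP inside the authentication window. This is an added example, not code from the original post or from Novell; the log line format and the 15-minute window are assumptions, since the post gives neither.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (hypothetical layout, assumed here because the
# post does not show BorderManager's real log format):
#   "<ISO timestamp> <source IP> <fully-qualified userid> <URL>"
# .jdoe is used from 10.1.1.20 and, a minute later, from 10.1.1.77: the
# pattern a port-redirected ClientTrust would leave behind.
SAMPLE_LOG = """\
2000-07-07T09:58:02 10.1.1.20 .jdoe.sales.acme http://intranet/
2000-07-07T09:59:10 10.1.1.20 .jdoe.sales.acme http://news.example/
2000-07-07T10:00:31 10.1.1.77 .jdoe.sales.acme http://forbidden.example/
2000-07-07T10:01:05 10.1.1.42 .asmith.eng.acme http://docs.example/
2000-07-07T10:02:44 10.1.1.77 .jdoe.sales.acme http://other.example/
2000-07-07T14:30:00 10.1.1.99 .asmith.eng.acme http://docs.example/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, src_ip, userid, url) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort
        ts, ip, user, url = m.groups()
        yield datetime.fromisoformat(ts), ip, user, url


def find_shared_userids(text, window=timedelta(minutes=15)):
    """Map each userid seen from two or more source IPs within `window` of
    each other to the sorted list of those IPs. A user legitimately moving
    between hosts over a day is not flagged; near-simultaneous use is."""
    last_seen = defaultdict(dict)   # userid -> {ip: most recent timestamp}
    flagged = defaultdict(set)
    for ts, ip, user, _url in sorted(parse_log(text)):
        for other_ip, other_ts in last_seen[user].items():
            if other_ip != ip and ts - other_ts <= window:
                flagged[user].update({ip, other_ip})
        last_seen[user][ip] = ts
    return {user: sorted(ips) for user, ips in flagged.items()}


if __name__ == "__main__":
    for user, ips in find_shared_userids(SAMPLE_LOG).items():
        print(f"{user} used from {len(ips)} hosts within window: {', '.join(ips)}")
```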

Solution:
Novell was notified of the problem and agreed that this was a design flaw,
however, no patches to existing software have been released.

Credit:
T. Ferony - for the initial port redirection exploit concept.  (I basically just
took the ball and ran with it.)

