COMMAND

    Novell Border Manager

SYSTEMS AFFECTED

    Novell BorderManager 3.0

PROBLEM

    T. Ferony and George R. Johnson found the following.  To  provide
    SSO-like  capabilities  for  customers  using  BorderManager proxy
    server  and  the  NetWare  client,  Novell  uses  a small program,
    ClientTrust, typically  run from  the user's  login script.   Once
    run, ClientTrust listens indefinitely  on port 3024 for  requests.
    Upon  a  user's  initial  attempt   to  access  the  web   through
    BorderManager, BorderManager sends a  "request" to the user's  box
    in  the   form  of   UDP  packets   on  port   3024.   ClientTrust
    acknowledges this request, again via UDP.  ClientTrust then  works
    with  the  NetWare  client  to  send  BorderManager  via  NCP  the
    currently logged in user's fully-qualified userid.   BorderManager
    uses this userid for checks against its rulesets to deny or  allow
    access to URLs.

    The problem with this setup is twofold:

        1. BorderManager never verifies that the source of the  access
           request  and  the  source  of  the user information are the
           same.
        2. BorderManager relies  on  an  as  yet undetermined (by  me,
           anyway)  timeout  before  a  user  is  considered no longer
           "authenticated".

    By exploiting this design, an unauthenticated user can access  the
    web as any authenticated user.  Things get really fun when  victim
    users  are  members  of  the  (insert  your organization's list of
    trusted  users)  group  granted  full  access  to the web - not to
    mention  the  possibilities  of  making  someone *really* look bad
    with attempts to forbidden  pages.  As a  side note, it does  have
    the pleasant  side effect  of being  able to  surf the web through
    the proxy server from your UN*X box.

    Exploit(s):

    1.  Redirect port 3024 to another machine.
        Using a  port redirector  (in this  case uredir  was used), an
        attacker can redirect port 3024  to a victim's machine.   When
        the  attacker  accesses  the  web  (through  the BorderManager
        proxy  server)  while  running  the  redirector,  the victim's
        ClientTrust validates the victim's user id to BorderManager on
        behalf  of  the  attacker.   Any  web  pages  accessed  by the
        attacker are done so with the victim's credentials.   However,
        using this method, the attacker's IP address is recorded  with
        the victim's userid in the proxy logs.

    2.  Hijack the victim's session.
        Should an attacker  successfully DoS the  machine of a  victim
        who's  already  authenticated  to  BorderManager, the attacker
        can  surf  as  the  victim  by  bringing up a machine with the
        victim's IP  address.   This method  has the  added benefit of
        stealth as proxy logs record the victim's IP and userid.

    3.  Not really an exploit, merely a side effect?
        Users logged  into M$  Terminal Server  access the  web as the
        person who  first "authenticates"  to BorderManager  since the
        ClientTrust application  is not  designed to  run correctly on
        multi-user hosts.

    Note:  These   exploits  don't  imply   total  circumvention    of
           BorderManager rules.   Rather, they  indicate that  through
           impersonation, an attacker can  gain a more lenient  set of
           rules if those rules exist.
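    The redirect variant  (exploit 1) leaves  one trace the  advisory
    points  out: the  attacker's IP  is logged  next to  the victim's
    userid.  The script below, added  here as an illustration and not
    part of the original advisory or of any Novell  tool, scans proxy
    log lines  for a  userid that  appears from  more than one client
    IP within  a short  window.   The log  format (timestamp, client
    IP, fully-qualified userid, method, URL) and the sample lines are
    constructed assumptions; a real BorderManager log  needs its own
    parser.

```python
"""
Flag proxy-log entries where one fully-qualified userid is used from more
than one client IP inside a short window.  Such a pair is what the port
redirect impersonation described above leaves behind in the proxy logs.

Log format below is a hypothetical, constructed one:
    YYYY-MM-DD HH:MM:SS <client-ip> <userid> <method> <url>
Lines are assumed to be in chronological order.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real BorderManager output).  .jdoe.eng.acme
# is seen from 10.1.1.20, then from 10.1.1.99 one minute later.
SAMPLE_LOG = """\
2000-03-10 09:00:01 10.1.1.20 .jdoe.eng.acme GET http://intranet/
2000-03-10 09:00:05 10.1.1.20 .jdoe.eng.acme GET http://news.example/
2000-03-10 09:01:10 10.1.1.99 .jdoe.eng.acme GET http://forbidden.example/
2000-03-10 09:02:00 10.1.1.31 .asmith.eng.acme GET http://intranet/
2000-03-10 09:40:00 10.1.1.20 .jdoe.eng.acme GET http://intranet/
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, userid, url)."""
    date, time, ip, userid, _method, url = line.split(maxsplit=5)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, userid, url


def find_shared_userids(log_text, window=timedelta(minutes=10)):
    """
    Return a list of (userid, other_ips, this_ip, timestamp, url) for every
    request whose userid was also used from a different client IP within
    `window` before it.  Older sightings are pruned as the scan advances.
    """
    recent = defaultdict(list)   # userid -> [(timestamp, ip), ...]
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, userid, url = parse_line(line)
        # Keep only sightings of this userid that are still inside the window.
        recent[userid] = [(t, i) for t, i in recent[userid] if ts - t <= window]
        other_ips = sorted({i for _, i in recent[userid] if i != ip})
        if other_ips:
            findings.append((userid, other_ips, ip, ts, url))
        recent[userid].append((ts, ip))
    return findings


if __name__ == "__main__":
    for userid, others, ip, ts, url in find_shared_userids(SAMPLE_LOG):
        print(f"{ts} {userid} from {ip} (also seen from {', '.join(others)}) -> {url}")
```

    Note that this  check only catches  the redirect variant.   In the
    session  hijack  (exploit  2)  the  proxy  logs  show the victim's
    own IP  and userid,  so nothing  in the  log distinguishes it from
    normal use; there the timeout and the lack of any binding  between
    the request source and the user information are the real gap.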

SOLUTION

    Novell was  notified of  the problem  and agreed  that this  was a
    design flaw; however, no patches to  existing software have  been
    released.