Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.
iChain 2.2 Support Pack 3 applied (ic22sp3.exe)
iChain 2.3 Support Pack 2 applied (ic23sp2.exe)
iChain 2.3 build 269 applied (ic23fp3.exe)
Using GUI to administer iChain
Access to local physical network needed
Administrator currently connected to iChain GUI with valid cookie
Security vulnerability: Can administer an iChain server without having to enter credentials
Can hijack an existing iChain administration session
Can manage an iChain server without any password
Insecure Web communication between iChain server and browser over TCP port 51100
Cannot send iChain GUI information to iChain server securely
Can replay authentication session to iChain Web management port (tcp 51100)
Fixed in iChain 2.3 builds 2.3.278 (ic23sp2ir1.exe) and later. This patch includes updated JAR files that use a secure channel for all communication with the iChain GUI.
Without the patch applied, it is possible to hijack an existing session by doing the following:
1. Sniff the communication between a client and TCP port 51100 of the iChain server. This requires physical access to the administrator or iChain network so that promiscuous mode drivers on the hijacker workstation can pick up all data being transmitted on TCP port 51100 (GUI application) going to the iChain server.
2. Get the value of the authentication cookie set on the browser workstation. The cookie name is PCZQX02 and typically has a 24 byte value that follows it, e.g. bd197c565a47c66fb8b3400ca39d76cd4520c772. This 24 byte value includes a key into the hashed authentication table, a checksum and an ID associated with the iChain server that set the cookie.
3. Run the iChain class files on a Web server. Ideally one will have an HTML page to which the cookie from step 2 above can be added, or pass the cookie as a parameter.
4. On the Web server, create a NAT rule that redirects all the local traffic on tcp source 51100 to the real TCP port 51100 of the iChain server. This can be done using iptables on Linux, for example, where the DNAT target is used to redirect the traffic going to the loopback (or Web server IP address) to the IP address of the iChain server.
6. Browse to the iChain Java files on the Web server with the cookie from an existing session to the GUI (sniffed in step 1) and confirm that you can administer the iChain server without entering any password.
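A defender's check for the replay described in the steps above, as an added example that is not part of the original document or Novell's code: it flags any PCZQX02 value presented to TCP port 51100 from more than one source address. The record layout (time, source IP, destination port, Cookie header) and the sample lines are constructed for illustration.

```python
import hashlib
from collections import defaultdict

COOKIE_NAME = "PCZQX02"   # admin session cookie name given in this document
ADMIN_PORT = 51100        # iChain GUI management port given in this document

# Constructed sample records (not real traffic), one request per line:
# "time src_ip dst_port Cookie-header". This layout is an assumption.
SAMPLE_RECORDS = """\
10:01:07 192.0.2.10 51100 PCZQX02=aaaa1111bbbb2222cccc3333
10:01:09 192.0.2.10 51100 lang=en; PCZQX02=aaaa1111bbbb2222cccc3333
10:02:30 192.0.2.77 80 PCZQX02=aaaa1111bbbb2222cccc3333
10:03:12 192.0.2.10 51100 PCZQX02=aaaa1111bbbb2222cccc3333
10:04:41 198.51.100.5 51100 PCZQX02=aaaa1111bbbb2222cccc3333
10:05:02 192.0.2.20 51100 PCZQX02=dddd4444eeee5555ffff6666
10:05:30 192.0.2.20 51100 theme=dark
"""

def cookie_value(header, name=COOKIE_NAME):
    """Return the value of cookie `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None

def find_shared_sessions(records, port=ADMIN_PORT):
    """Map cookie fingerprint -> sorted source IPs, for cookies seen from >1 IP."""
    sources = defaultdict(set)
    for line in records.splitlines():
        fields = line.split(None, 3)
        # Skip malformed lines and traffic that is not for the management port.
        if len(fields) < 4 or fields[2] != str(port):
            continue
        value = cookie_value(fields[3])
        if value:
            # Keep only a truncated hash so the report never holds the credential.
            fp = hashlib.sha256(value.encode()).hexdigest()[:12]
            sources[fp].add(fields[1])
    return {fp: sorted(ips) for fp, ips in sources.items() if len(ips) > 1}

if __name__ == "__main__":
    for fp, ips in find_shared_sessions(SAMPLE_RECORDS).items():
        print(f"session {fp} used from multiple sources: {', '.join(ips)}")
```

A hit means one administration session was used from two addresses; a legitimate administrator behind a changing proxy address would also match, so treat hits as leads to review.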
Thanks to Francisco Amato for notifying Novell of this issue.