Security vulnerability: Can administer an iChain server without entering credentials

  • 10096885
  • NOVL101283
  • 08-Mar-2005
  • 26-May-2005

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.


iChain 2.3

iChain 2.2

iChain 2.2 Support Pack 3 applied (ic22sp3.exe)

iChain 2.3 Support Pack 2 applied (ic23sp2.exe)

iChain 2.3 build 269 applied (ic23fp3.exe)

Using the GUI to administer iChain

Access to local physical network needed

Administrator currently connected to iChain GUI with valid cookie


Security vulnerability: Can administer an iChain server without entering credentials

Can hijack an existing iChain administration session

Can manage an iChain server without any password

Insecure Web communication between iChain server and browser over TCP port 51100

Cannot send iChain GUI information to iChain server securely

Can replay authentication session to iChain Web management port (TCP 51100)


Fixed in iChain 2.3 builds 2.3.278 (ic23sp2ir1.exe) and later. This patch includes updated JAR files that use a secure channel for all communication with the iChain GUI.

Without the patch applied, it is possible to hijack an existing session by doing the following:

1. Sniff the communication between a client and TCP port 51100 of the iChain server. This requires physical access to the administrator or iChain network so that promiscuous-mode drivers on the hijacker's workstation can pick up all data being transmitted on TCP port 51100 (GUI application) to the iChain server.

If a switched network is in place, the only way a hijacker could see traffic from other devices on the network would be through port mirroring (replication) on the switch.

2. Get the value of the authentication cookie set on the browser workstation. The cookie name is PCZQX02 and it typically has a 24 byte value, e.g. bd197c565a47c66fb8b3400ca39d76cd4520c772. This 24 byte value includes a key into the hashed authentication table, a checksum and an ID associated with the iChain server that set the cookie.

3. Run the iChain class files on a Web server. Ideally one will have an HTML page to which the cookie from step 2 can be added, or which accepts the cookie as a parameter.

4. On the Web server, create a NAT rule that redirects all local traffic destined for TCP port 51100 to the real TCP port 51100 of the iChain server. On Linux, for example, this can be done with iptables, using the DNAT target to redirect traffic going to the loopback (or Web server) IP address to the IP address of the iChain server.

5. Browse to the iChain Java files on the Web server with the cookie from an existing GUI session (sniffed in step 1) and confirm that you can administer the iChain server without entering any password.
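The two facts a defender can act on from this advisory are the fixed build number (2.3.278) and the fact that, before the fix, the GUI session cookie PCZQX02 crosses the wire in clear text on TCP port 51100. The following is an added example (not Novell's code and not part of the original TID) that checks a reported build string against the fixed build and classifies captured client-to-server flows to port 51100 as TLS, cleartext, or cleartext carrying the admin cookie. The flow records, the `Flow` class and the TLS heuristic (first payload byte 0x16, second 0x03) are assumptions made for this example; the sample flows are constructed, reusing the cookie value quoted in step 2.

```python
"""Defender-side checks for the iChain GUI session-hijack advisory (added example)."""
import re
from dataclasses import dataclass

FIXED_BUILD = (2, 3, 278)   # advisory: fixed in 2.3.278 (ic23sp2ir1.exe) and later
GUI_PORT = 51100            # iChain Web management port named in the advisory
ADMIN_COOKIE = "PCZQX02"    # authentication cookie name given in the advisory


def parse_build(version: str) -> tuple:
    """Turn '2.3.269' or '2.3' into a comparable (major, minor, build) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"unrecognised iChain version string: {version!r}")
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable_build(version: str) -> bool:
    """True when the build predates 2.3.278; the 2.2 line lists no fix, so it stays flagged."""
    return parse_build(version) < FIXED_BUILD


@dataclass
class Flow:
    """Assumed record shape: first bytes of one client -> server TCP stream."""
    src: str
    dst: str
    dport: int
    payload: bytes


def classify_gui_flow(flow: Flow) -> str:
    """Return 'not-gui', 'tls', 'cleartext-cookie' or 'cleartext' for one flow."""
    if flow.dport != GUI_PORT:
        return "not-gui"
    # Heuristic: a TLS handshake record starts with content type 0x16, version major 0x03
    if len(flow.payload) >= 3 and flow.payload[0] == 0x16 and flow.payload[1] == 0x03:
        return "tls"
    text = flow.payload.decode("latin-1")
    if re.search(rf"^Cookie:.*\b{ADMIN_COOKIE}=[0-9A-Fa-f]+", text, re.MULTILINE):
        return "cleartext-cookie"
    return "cleartext"


def findings(flows) -> list:
    """One finding per flow that exposes the GUI session or shows unpatched (non-TLS) behaviour."""
    out = []
    for f in flows:
        verdict = classify_gui_flow(f)
        if verdict == "cleartext-cookie":
            out.append(f"{f.src} -> {f.dst}:{f.dport} sends {ADMIN_COOKIE} in clear text (replayable session)")
        elif verdict == "cleartext":
            out.append(f"{f.src} -> {f.dst}:{f.dport} GUI traffic is not TLS (pre-2.3.278 behaviour)")
    return out


def sample_flows() -> list:
    """Constructed sample capture: one patched (TLS) flow, two unpatched cleartext flows."""
    cleartext_with_cookie = (
        b"GET /appliance/config HTTP/1.1\r\n"
        b"Host: 10.0.0.1:51100\r\n"
        b"Cookie: PCZQX02=bd197c565a47c66fb8b3400ca39d76cd4520c772\r\n\r\n"
    )
    return [
        Flow("10.0.0.5", "10.0.0.1", 51100, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
        Flow("10.0.0.5", "10.0.0.1", 51100, cleartext_with_cookie),
        Flow("10.0.0.9", "10.0.0.1", 51100, b"GET /appliance/index.html HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"),
        Flow("10.0.0.9", "10.0.0.1", 443, b"\x16\x03\x01"),  # unrelated port, ignored
    ]


if __name__ == "__main__":
    for build in ("2.2", "2.3.269", "2.3.278"):
        print(f"iChain {build}: {'AFFECTED' if is_vulnerable_build(build) else 'fixed'}")
    for line in findings(sample_flows()):
        print(line)
```

Run against a real capture, the same classifier over flows to port 51100 gives a quick after-patch check: once ic23sp2ir1.exe is applied, every GUI flow should classify as `tls` and the findings list should be empty.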


Thanks to Francisco Amato for notifying Novell of this issue.

Francisco Amato
Infobyte Security Research
