Novell BorderManager User Impersonation Vulnerability

Novell BorderManager implements an application called ClientTrust to handle login procedures. ClientTrust listens on port 3024 of the user's machine for authentication requests from BorderManager whenever the user attempts to access the web. This mechanism makes it feasible for an unauthenticated user to masquerade as an authorized user due to the fact that it does not verify the origin of the access request.

This may be accomplished through port redirection on port 3024. First, an attacker would need to pick a machine in use by the person they want to impersonate (the target). Second, they set up port forwarding on their own system, so that any requests made to port 3024 are forwarded to the target's machine. Then, they make their request. THe BorderManager server queries the attacker's machine. The attacker forwards the query to the target, which responds with the correct information. The BorderManager server then allows the request.

This can lead to two seperate risks: Unauthorized content access, and character attacks by accessing questionable websites using the target's credentials.

The correct IP address of the attacker's machine will be logged.


Privacy Statement
Copyright 2010, SecurityFocus