IBMi Navigator 7.5 - HTTP Security Token Bypass

Exploit Author: hyp3rlinx Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Java Published Date: 2025-04-15

# Author Title: John Page (aka hyp3rlinx)
# Author Website: hyp3rlinx.altervista.org
# Source:  https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt
 # Vendor: www.ibm.com

[Product]
Navigator for i is a Web console interface where you can perform the key tasks to administer your IBM i.
IBM Navigator for i supports the vast majority of tasks that were available in the System i Navigator Windows client application.
This Web application is part of the base IBM i operating system, and can be easily accessed from your web browser.

[Vulnerability Type]
HTTP Security Token Bypass

[CVE Reference]
CVE-2024-51464

[Security Issue]
IBM i is vulnerable to bypassing Navigator for i interface restrictions.  By sending a specially crafted request, an authenticated attacker could exploit this
vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i.

The web application generates an HTTP security token ID called "Mn:" with a 19 digit value and is set in the HTTP session response header per user.
Navigator, uses this token for integrity purpose to protect against arbitrary and or malicious HTTP requests. Therefore, upon receipt of a bogus
security token in an HTTP request the server will respond with HTTP 403 Forbidden message.

However, attackers can modify existing tokens to bypass the 403 Forbidden directive to achieve their objectives. Problem is Navigator security token logic
does not properly create or detect if a security token is valid or if it has been tampered with.

Attackers can manipulate the last eight digits of a token by setting them to all 0000s (zeroes) and or increment them by one, token length must be the same.
This can trick the application into processing attacker controlled security tokens as the server thinks it is valid, this undermines the security of this protection.

E.g. Valid HTTP header generated by the server.

Mn: 6844795211344371559
Content-Length: 290
Origin: https://10.1.1.4:2003

Example of a bogus but honored MN header token set by an attacker, padded with zeros and happily accepted by the backend servlet.
Mn: 6844795211300000000

The MN token is generated in the "initProtectionSetting" java method.

public void initProtectionSetting(HttpServletRequest request, HttpServletResponse response) {
    initEncryption();
    initSession();

   [ REDACTED ]

    setMagicNumber(magicNumber);
    response.setHeader("MN", magicNumber + "");
    setUserAgent(request.getHeader("User-Agent"));
  }


In the (doFilter) Method we see the check for MN header which sends HTTP 403 on invalid tokens.

     String mnStr = hRequest.getHeader("MN");
        if (mnStr == null)
          mnStr = hRequest.getParameter("MN");
        if (!isMnMatched(mnStr, hSession)) {
          NavLogger.severe("Forbidden. Incorrect HTTP ID");
          NavLogger.info("Request URI: " + requestURI);
          hResponse.sendError(403);
          return;


Invalid token response will return:
Error 403: SRVE38895F: Error reported: 403
 

Attacker increments MN or pad with zeros and requests are accepted and the token succeeds.
HTTP 200 OK


[References]
ADV0142855
https://www.ibm.com/support/pages/node/7179509

IBM classified as "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax".
To be clear HTTP headers are just the delivery method for sending attacker controlled tokens to bypass Navigator protection.


[Exploit/POC]
Intercept Navigator HTTP requests and increment the last one or two digits of the Mn: HTTP
header security token or just pad the last eight digits with all zeroes.


[Network Access]
Remote


[Severity]
Medium
CVSS Base score:  4.3

[Affected versions]
7.5.0,7.4.0, 7.3.0


[Disclosure Timeline]
Vendor Notification:  10/14/2024
Vendor fix and publication: 12/20/2024
12/27/2024 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

IBM Navigator for i — HTTP Security Token Bypass (CVE-2024-51464)

Overview

In late 2024 a vulnerability (CVE-2024-51464) was published affecting IBM Navigator for i (Navigator for i), a web-based administration console included with IBM i. The issue allows an authenticated user to bypass the application's HTTP security token protection by submitting manipulated MN token values. Successful exploitation can let an attacker perform actions the current user shouldn't be permitted to do within Navigator for i.

Key facts

Vulnerability type: HTTP security token bypass / weak token validation
Affected products: IBM Navigator for i (versions listed below)
CVSS v3.1 Base Score (reported): 4.3 (Medium)
CVE identifier: CVE-2024-51464
Disclosure timeline: vendor notified Oct 14 2024; vendor fix published Dec 20 2024; public disclosure Dec 27 2024
Vendor advisory: https://www.ibm.com/support/pages/node/7179509

Why this matters

Navigator for i uses an HTTP header token (named "MN" or "Mn") per session intended to protect against unauthorized or forged requests. The application’s token-generation and validation logic was insufficiently strict, allowing attackers to craft modified tokens (for example, padding a portion of the token) that the server still accepted. That weakness undermines the integrity of request validation and can result in privilege/operation bypass for authenticated users.

Affected versions and timeline

Affected	Versions
IBM Navigator for i	7.5.0, 7.4.0, 7.3.0
Vendor fix published	2024-12-20 (see IBM advisory)

Technical root cause

The Navigator code sets a numeric “magic number” value in the HTTP response header (MN). The validation routine checks that the MN from requests “matches” the session-associated MN. However, the matching logic did not cryptographically bind the value to the session or properly detect tampering — it accepted certain manipulated forms of the token (padding or small increments in the final digits), allowing malformed tokens to bypass the 403 Forbidden check.

High-level attack scenario (defensive description)

An attacker authenticates to Navigator for i legitimately (e.g., with valid user credentials) or uses a compromised account.
Using control of their HTTP requests, the attacker submits requests that include an MN header that has been altered in a way the vulnerable validation logic incorrectly accepts.
The server accepts the altered MN value and processes requests that the user should not be permitted to perform via the web console (e.g., management operations available in Navigator for i).

Impact

Because the web console is used for administrative and system management tasks, bypassing Navigator’s request integrity checks can enable privilege escalation within the scope of the authenticated account, unauthorized administrative operations, or configuration changes depending on the user’s rights.

Detection and indicators of compromise (defender-focused)

Unusual patterns of MN values in access logs — e.g., MN values with long runs of trailing zeros or near-identical values differing by small increments.
Requests that previously triggered 403 (for invalid MN) now returning 200 OK for altered MN values.
Unexpected administrative operations performed via the web console by accounts that normally do not use those features.

Example defensive queries (conceptual): search your web-access logs for suspect MN patterns or rapid MN changes. The examples below are for detection only and should be tuned to your environment.

index=web sourcetype=access_combined "MN=" | stats count BY MN | where match(MN, "\d{11}0{8}$")

Explanation: This Splunk-style query looks for MN header values that end with eight zeros (an indicator noted in published analysis). Use this only as a starting point and adapt to your access-log format and fields. Tuning for false positives is required.

Mitigation and remediation (recommended)

Apply vendor updates: Install the IBM patches and fixes published in the advisory (issued 2024-12-20). This is the primary remediation.
Restrict access to Navigator for i: Limit network access with allowlists (VPN, management VLANs, firewall rules) so the console isn’t exposed to general networks.
Harden authentication and accounts: Enforce strong passwords, multi-factor authentication where possible, and principle of least privilege for accounts that can access Navigator.
Use a Web Application Firewall (WAF): Add WAF rules that block malformed or suspicious MN header patterns and enforce stricter header value constraints until the patch is applied.
Audit and monitor: Increase logging of console operations, alert on anomalies, and review logs for sign of manipulated MN values or unexpected admin activity.
Session handling: Ensure session timeouts and re-authentication for sensitive operations, and avoid exposing session integrity tokens in places where they can be trivially altered.

Developer guidance — secure token design and validation

The core problem stems from trusting a plain numeric token and using weak matching logic. Tokens used to protect request integrity should be:

Cryptographically bound to the session (e.g., HMAC over session id and timestamp using a server-only secret).
Unpredictable and non-malleable (prevent attackers from creating valid variants by simple modification).
Validated using constant-time comparison to avoid timing attacks.
Checked for expected format, length, and freshness (timestamp/nonce replay protection).

Example: secure MN-style token generation and validation (server-side, Java pseudocode)

/* Secure token format: base64(sessionId + ":" + timestamp + ":" + hmac)
   HMAC = HMAC_SHA256(sessionId + ":" + timestamp, serverSecret)
   Validate by recomputing HMAC and using constant-time compare.
*/public String generateProtectedToken(String sessionId, byte[] serverSecret) {
    long ts = System.currentTimeMillis();
    String payload = sessionId + ":" + ts;
    byte[] mac = HmacSha256(serverSecret, payload.getBytes(StandardCharsets.UTF_8));
    String token = Base64.getUrlEncoder().withoutPadding()
                   .encodeToString((payload + ":" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac)).getBytes(StandardCharsets.UTF_8));
    return token;
}

public boolean validateProtectedToken(String token, HttpSession session, byte[] serverSecret) {
    try {
        byte[] decoded = Base64.getUrlDecoder().decode(token);
        String parts = new String(decoded, StandardCharsets.UTF_8);
        String[] p = parts.split(":");
        if (p.length != 3) return false;
        String sessionId = p[0];
        long ts = Long.parseLong(p[1]);
        String macB64 = p[2];

        // Basic checks
        if (!session.getId().equals(sessionId)) return false;
        if (Math.abs(System.currentTimeMillis() - ts) > MAX_TOKEN_AGE_MS) return false;

        // Recompute HMAC and constant-time compare
        String payload = sessionId + ":" + ts;
        byte[] expectedMac = HmacSha256(serverSecret, payload.getBytes(StandardCharsets.UTF_8));
        byte[] providedMac = Base64.getUrlDecoder().decode(macB64);

        return MessageDigest.isEqual(expectedMac, providedMac); // constant-time compare
    } catch (Exception e) {
        return false;
    }
}

Explanation: This defensive pseudocode generates a token that binds the session ID and timestamp with an HMAC computed using a server-only secret. The token is base64-encoded for transport. Validation verifies session binding, timestamp freshness, and uses a constant-time comparison for the HMAC to prevent timing-based attacks. The design prevents trivial padding or incremental changes from producing a valid MAC.

Hardening existing Navigator installations (practical checklist)

Install IBM's published patch as the first priority.
Restrict the console’s network exposure: place it behind management-only networks and VPNs.
Use strong account controls and monitor for unusual web-console operations.
Deploy WAF rules to filter anomalous MN header patterns until the patch is applied.
Increase logging of header validation failures and generate alerts when anomalous patterns are detected.
Perform periodic security reviews and code audits for custom web components that rely on header tokens.

For incident responders

Collect and preserve web-access logs (including all headers) and server-side Navigator logs for affected timeframes.
Look for administrative actions performed by accounts outside normal schedules or that coincide with MN anomalies.
If compromise is suspected, rotate account credentials and revoke/reissue any session-related secrets where feasible.
Apply vendor patches and re-run access audits to confirm that unauthorized actions stopped after remediation.

References and further reading

IBM advisory: https://www.ibm.com/support/pages/node/7179509
Original advisory write-up: hyp3rlinx (author) — public disclosure (CVE-2024-51464)
Secure token patterns: use HMAC-based tokens, constant-time comparison, and timestamp/nonce checks

Summary

CVE-2024-51464 represents a logic/validation weakness in Navigator for i’s request-integrity token handling. The correct immediate action is to apply IBM’s security update, restrict access to management interfaces, and add detection and compensating controls while you patch. For developers, moving from simple numeric tokens to cryptographically signed tokens with strict format and freshness checks will prevent the class of bypass described by this vulnerability.