Date: Mon, 7 Dec 1998 13:59:39 -0500
From: Chip Christian <chip@PRINCETONTELE.COM>
Subject: Interesting bug in SecurID software (fwd)
To: BUGTRAQ@NETSPACE.ORG

Forwarded with Drew's permission...

Date: Mon, 30 Nov 1998 16:56:54 -0500
From: Drew Dean <ddean@CS.Princeton.EDU>
Subject: Interesting bug in SecurID software

I have a SecurID card for my Princeton Computer Science department account. The setup is that an old Sun, running SunOS 4.1.4, is running the SecurID software; you telnet to it, authenticate, and then rlogin to where you want to go. While this setup isn't perfect, the router hooking these machines to the outside world is set up to prevent spoofing, and the local network is deemed to be under reasonable control.

A couple of months ago, I logged in, and tried to rlogin to the workstation on my (former) desk. It said, "Not on system console." Funny, it only says that if you attempt to rlogin as root. I looked a little more closely, noticed a # prompt, and /usr/bin/id reported that I was UID 0. Hmmm. I had logged in as myself, and gotten a root shell on the SecurID server! How bizarre....

The head system administrator also received a root shell after logging in as himself. Further investigation yielded that our entries in /etc/passwd were of the form

	+<username>::::::

i.e., to get our information from NIS. However, due to a pending network reconfiguration, the machine was temporarily not using NIS, and no ypbind was running. It appears that the SecurID software didn't check the return value, and used a default value of 0. (The SecurID software keeps a separate database for its authentication information.)

This raises interesting questions about a denial of service attack escalating to a root compromise (for local users; you need a SecurID card to log in with). I do not have the time or facilities handy to investigate further.

In Security Dynamics' defense, this software is more than 3 years old, and hasn't been updated because it otherwise works fine (I can't find any version numbers in it). Security Dynamics has been notified.

Drew Dean <ddean@cs.princeton.edu>
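The failure mode Drew describes, a directory lookup that fails while NIS is down and is silently replaced by a zeroed "default" identity, shown as an added illustration that is not code from the post or from Security Dynamics. `lookup_user()` is a constructed stand-in for getpwnam() over NIS, and the user name and uid in it are made up; the two `resolve_uid_*` functions contrast the unchecked pattern with one that treats any failed lookup as a denied session.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for getpwnam() backed by NIS. When nis_up is 0 the
   directory is unreachable (no ypbind running) and every lookup returns NULL,
   exactly as a +user:::::: passwd entry behaves with NIS absent. */
static struct passwd fake_entry;   /* constructed sample entry */
static int nis_up = 1;

void set_nis_available(int up) { nis_up = up; }

static struct passwd *lookup_user(const char *name) {
    if (!nis_up) { errno = EAGAIN; return NULL; }             /* directory unreachable */
    if (strcmp(name, "ddean") != 0) { errno = 0; return NULL; } /* unknown user */
    fake_entry.pw_name = (char *)"ddean";
    fake_entry.pw_uid = 1042;   /* constructed, non-root uid */
    fake_entry.pw_gid = 100;
    return &fake_entry;
}

/* Buggy pattern matching the report: the result is pre-zeroed, the NULL return
   is never checked, so a failed lookup yields uid 0 (root). */
uid_t resolve_uid_unchecked(const char *name) {
    struct passwd result;
    memset(&result, 0, sizeof result);      /* "default" identity: uid 0 */
    struct passwd *pw = lookup_user(name);
    if (pw != NULL) result = *pw;           /* skipped while NIS is down */
    return result.pw_uid;                   /* ... so the caller gets root */
}

/* Hardened: a lookup that fails for any reason is an error, never an identity.
   Returns 0 and fills *out on success, -1 when the session must be denied. */
int resolve_uid_checked(const char *name, uid_t *out) {
    errno = 0;
    struct passwd *pw = lookup_user(name);
    if (pw == NULL) return -1;   /* covers both "no such user" and "NIS down" (errno set) */
    *out = pw->pw_uid;
    return 0;
}

int main(void) {
    uid_t uid;
    set_nis_available(0);
    printf("unchecked, NIS down: uid %u\n", (unsigned)resolve_uid_unchecked("ddean"));
    printf("checked,   NIS down: %s\n", resolve_uid_checked("ddean", &uid) == 0 ? "ok" : "denied");
    return 0;
}
```

With NIS up both paths agree on uid 1042; with NIS down the unchecked path returns 0 while the checked one denies the login, which is the distinction that turns an outage into a root shell or a refused session.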