Date:	Mon, 7 Dec 1998 13:59:39 -0500
From:	Chip Christian <chip@PRINCETONTELE.COM>
Subject:      Interesting bug in SecurID software (fwd)
To:	BUGTRAQ@NETSPACE.ORG

Forwarded with Drew's permission...

        Date: Mon, 30 Nov 1998 16:56:54 -0500
        From: Drew Dean <ddean@CS.Princeton.EDU>
        Subject: Interesting bug in SecurID software

I have a SecurID card for my Princeton Computer Science department account.
The setup is that an old Sun, running SunOS 4.1.4, is running the SecurID
software; you telnet to it, authenticate, and then rlogin to where you want
to go.  While this setup isn't perfect, the router hooking these machines to
the outside world is set up to prevent spoofing, and the local network is
deemed to be under reasonable control.

A couple months ago, I logged in, and tried to rlogin to the workstation on
my (former) desk.  It said, "Not on system console."  Funny, it only says
that if you attempt to rlogin as root.  I looked a little more closely,
noticed a # prompt, and /usr/bin/id reported that I was UID 0.  Hmmm.  I had
logged in as myself, and gotten a root shell on the SecurID server!  How
bizarre....  The head system administrator also received a root shell after
logging in as himself.

Further investigation yielded that our entries in /etc/passwd were of the
form +<username>:::::: i.e., to get our information from NIS.  However, due
to a pending network reconfiguration, the machine was temporarily not using
NIS, and no ypbind was running.  It appears that the SecurID software didn't
check the return value, and used a default value of 0.  (The SecurID
software keeps a separate database for its authentication information.)
This raises interesting questions about a denial of service attack
escalating to a root compromise (for local users; you need a SecurID card to
log in with).  I do not have the time or facilities handy to investigate
further.

In Security Dynamics' defense, this software is more than 3 years old, and
hasn't been updated because it otherwise works fine.  (I can't find any
version numbers in it.)

Security Dynamics has been notified.

Drew Dean <ddean@cs.princeton.edu>
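The failure mode Drew describes, as an added illustration that is not SecurID's or Security Dynamics' code: a uid that defaults to 0 and a passwd lookup whose NULL result is never treated as an error, beside a fail-closed version. The in-memory passwd tables and the `nis_available` flag (standing in for whether ypbind is running) are constructed for the example.

```c
#include <pwd.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for getpwnam(): "ddean" exists only in the simulated
 * NIS map, so the lookup fails when NIS is unreachable, as on Drew's server. */
static struct passwd *lookup_passwd(const char *name, int nis_available) {
    static struct passwd local[] = {
        { .pw_name = "root",     .pw_uid = 0, .pw_gid = 0 },
        { .pw_name = "operator", .pw_uid = 5, .pw_gid = 5 },
    };
    static struct passwd nis[] = {
        { .pw_name = "ddean", .pw_uid = 1042, .pw_gid = 100 },
    };
    size_t i;
    for (i = 0; i < sizeof local / sizeof local[0]; i++)
        if (strcmp(local[i].pw_name, name) == 0) return &local[i];
    if (nis_available)
        for (i = 0; i < sizeof nis / sizeof nis[0]; i++)
            if (strcmp(nis[i].pw_name, name) == 0) return &nis[i];
    return NULL;   /* what getpwnam() returns when the map cannot be read */
}

/* Vulnerable pattern: uid starts at 0 and a NULL lookup result is not an
 * error, so an unreachable NIS map silently yields UID 0 (root). */
uid_t resolve_uid_unchecked(const char *name, int nis_available) {
    uid_t uid = 0;
    struct passwd *pw = lookup_passwd(name, nis_available);
    if (pw != NULL)
        uid = pw->pw_uid;
    return uid;           /* NIS down -> 0, i.e. a root session */
}

/* Fail-closed version: a failed lookup refuses the session, and uid 0 is
 * accepted only for the account that is actually root. */
int resolve_uid_checked(const char *name, int nis_available, uid_t *out) {
    struct passwd *pw = lookup_passwd(name, nis_available);
    if (pw == NULL)
        return -1;        /* no guessing a default uid */
    if (pw->pw_uid == 0 && strcmp(name, "root") != 0)
        return -1;        /* a non-root name resolving to uid 0 is suspect */
    *out = pw->pw_uid;
    return 0;
}
```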