| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Apr 2003 01:05:07 +0300 From: <Iain.King@...ia.com> To: <visigoth@...uritycentric.com>, <jmerlino@...ynet.com.uy>, <Valdis.Kletnieks@...edu> Subject: RE: Nokia IPSO Vulnerability Hi, This is similar in effect to a previous so called vulnerability in IPSO. The previous case was a buffer overflow on voyager -requiring- an authenticated user. It is true that master.passwd on other systems is (and should be in IPSO) mode 600. In effect however, it is that you require authenticated (default disabled)access to the box in the first place.. just to view it. It is not advisable to chmod 600 it however if you are : a) paranoid and dont trust your own authenticated users. and/or b) you dont want to use voyager. Then go ahead, but voyager will not be usable (can't login). Noone should allow access to untrusted or unauthenticated users to their firewalls in the firstplace. Anyone who allows unrestricted access to the web server from anywhere shouldn't be working in security IMHO. The Nokia incident response team has been made aware of this issue and you should expect a fix/patch shortly. Valdis, The most valuable file would definatly have to be the initial, inetd.conf ... should be blank. cheers, Iain -----Original Message----- From: ext Jorge Merlino [mailto:jmerlino@...ynet.com.uy] Sent: 24 April, 2003 21:49 To: Valdis.Kletnieks@...edu Subject: RE: Nokia IPSO Vulnerability 1) If a user enters the right password in the voyager login window she is *authenticated to use the system* IMHO. Besides I don't think anyone reasonable allows unrestricted access to the voyager web page from the internet. 2) As I said before, that only works for a+r files, not every file on the system. Regards, Jorge -----Original Message----- From: ext Valdis.Kletnieks@...edu [mailto:Valdis.Kletnieks@...edu] Sent: 24 April, 2003 20:43 To: Jorge Merlino Subject: Re: Nokia IPSO Vulnerability On Thu, 24 Apr 2003 13:32:50 -0300, Jorge Merlino <jmerlino@...ynet.com.uy> said: > I don't think that is a vulnerability. > The file /etc/master.passwd has read access for all users. Monitor can also > read it in a ssh session. 1) It being readable to all users *authorized to use the system* is different from it being readable to any bozo on the entire Internet. 2) /etc/master.password is used as a *Proof of Concept*. Feel free to substitute any other file that might be more damaging to have. Hmm.. it might be nice to snarf a copy of /etc/inetd.conf, see what's enabled.. or maybe I want to grab a copy of..... -----Original Message----- From: ext Damieon Stark [mailto:visigoth@...uritycentric.com] Sent: 24 April, 2003 21:35 To: Jorge Merlino Subject: Re: Nokia IPSO Vulnerability On Thu, Apr 24, 2003 at 01:32:50PM -0300, Jorge Merlino wrote: > I don't think that is a vulnerability. > The file /etc/master.passwd has read access for all users. Monitor can also > read it in a ssh session. > I you try that URL in a file with, let's say, 660 permissions you get a > blank page. Ummm... What am I missing here? Does it seem _crazy_ to anybody else that the permissions on the file containing some of the most sensitive information on the system would have read access to all users? This is clearly NOT the default on any of the BSD systems (including the one from which IPSO is derived) that I am aware of. Can anybody else confirm the permissions required to read the file? Can anybody else confirm that the /etc/master.passwd file is a+r? I would have to call this a vulnerability either way.... -visigoth
Powered by blists - more mailing lists