Message-ID: <E67D132C4F03964BA25EFB33D8B44C8001FFEEF2@esebe001>
Date: Fri, 25 Apr 2003 01:05:07 +0300
From: <Iain.King@...ia.com>
To: <visigoth@...uritycentric.com>, <jmerlino@...ynet.com.uy>,
	<Valdis.Kletnieks@...edu>
Subject: RE: Nokia IPSO Vulnerability


Hi,
	This is similar in effect to a previous so-called vulnerability in IPSO.
	The previous case was a buffer overflow on voyager -requiring- an authenticated
	user.
	It is true that master.passwd on other systems is (and should be in IPSO) mode 600.
	In effect, however, it is that you require authenticated (default disabled) access to
	the box in the first place.. just to view it.

	It is not advisable to chmod 600 it, however, if you are:

	a) paranoid and don't trust your own authenticated users.

	and/or

	b) you don't want to use voyager.

	Then go ahead, but voyager will not be usable (can't login).

	No one should allow access to untrusted or unauthenticated users to
	their firewalls in the first place. Anyone who allows unrestricted access
	to the web server from anywhere shouldn't be working in security IMHO.

	The Nokia incident response team has been made aware of this issue and you
	should expect a fix/patch shortly. Valdis, the most valuable file would
	definitely have to be the initial, inetd.conf ... should be blank.

cheers,
	Iain

-----Original Message-----
From: ext Jorge Merlino [mailto:jmerlino@...ynet.com.uy]
Sent: 24 April, 2003 21:49
To: Valdis.Kletnieks@...edu
Subject: RE: Nokia IPSO Vulnerability 


1) If a user enters the right password in the voyager login window she is
*authenticated to use the system* IMHO. Besides I don't think anyone
reasonable allows unrestricted access to the voyager web page from the
internet.

2) As I said before, that only works for a+r files, not every file on the
system.

Regards,
	Jorge

-----Original Message-----
From: ext Valdis.Kletnieks@...edu [mailto:Valdis.Kletnieks@...edu]
Sent: 24 April, 2003 20:43
To: Jorge Merlino
Subject: Re: Nokia IPSO Vulnerability 


On Thu, 24 Apr 2003 13:32:50 -0300, Jorge Merlino <jmerlino@...ynet.com.uy>  said:
> I don't think that is a vulnerability.
> The file /etc/master.passwd has read access for all users. Monitor can also
> read it in a ssh session.

1) It being readable to all users *authorized to use the system* is different
from it being readable to any bozo on the entire Internet.

2) /etc/master.password is used as a *Proof of Concept*.  Feel free to
substitute any other file that might be more damaging to have.  Hmm.. it
might be nice to snarf a copy of /etc/inetd.conf, see what's enabled.. or
maybe I want to grab a copy of.....


-----Original Message-----
From: ext Damieon Stark [mailto:visigoth@...uritycentric.com]
Sent: 24 April, 2003 21:35
To: Jorge Merlino
Subject: Re: Nokia IPSO Vulnerability


On Thu, Apr 24, 2003 at 01:32:50PM -0300, Jorge Merlino wrote:
> I don't think that is a vulnerability.
> The file /etc/master.passwd has read access for all users. Monitor can also
> read it in a ssh session.
> If you try that URL in a file with, let's say, 660 permissions you get a
> blank page.

Ummm...  What am I missing here?  Does it seem _crazy_ to anybody else that
the permissions on the file containing some of the most sensitive information
on the system would have read access to all users?  This is clearly NOT
the default on any of the BSD systems (including the one from which IPSO is
derived) that I am aware of.

Can anybody else confirm the permissions required to read the file?  Can
anybody else confirm that the /etc/master.passwd file is a+r?

I would have to call this a vulnerability either way....

-visigoth