From: SMTP%"dave@pbi.net" 27-SEP-1996 18:49:27.94
To: EVERHART
CC:
Subj: BoS: Big SecurID Hole??

Resent-Date: Fri, 27 Sep 1996 18:55:51 +1000
Old-X-Envelope-From: dave@pbi.net Fri Sep 27 09:26:21 1996
From: (David "I Just Work Here!")
Message-Id: <9609261618.ZM13036@nixon>
Date: Thu, 26 Sep 1996 16:18:14 -0700
X-Mailer: Z-Mail (3.2.1 10apr95)
To: best-of-security@suburbia.net
Cc: perl@pbi.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Approved: proff@suburbia.net
Resent-Message-ID: <"h-0W9.0.aU.LQvIo"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: archive/latest/418
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: Big SecurID Hole??

I recently undertook the task of upgrading our SecurID UNIX Aceserver v1.3,
running under SunOS 4.1.4, to Aceserver v2.2, running on a Solaris 2.5
platform. Credit goes to Richard Perlman for making me aware of this
potential risk.

I took note of the instructions on setting up a client in 'Distributing a
Configuration Update' on p45 of the install guide:

    "4. Type: sdsetup -config
     This will install the new config file... Note that simply copying the
     file into ace/data is not sufficient."

We've tested that, and copying the file and _not_ running sdsetup works.

With this in mind: the file permissions are 777 on /usr/local/ace/data. As
such, any file in this directory can be modified by _any_ user on the
system, e.g. mv files, rm files, replace valid files with trash data,
replace the SDCONF.REC file w/their own, move the 'secret' file to another
name, etc.

This means that any user can 1) disable authentication with a few
keystrokes (by funking up a file or two), and 2) potentially point the
client's authentication request to a different master or slave server (I
haven't tried this, but it looks possible).

Just food for thought. Comments are welcome.

David L. Reoch                                        dave@pbi.net
 ____  ___  _______
| _ \| _ \|__ __|     \ | /          Tel (415) 442-4928
| __/|___/   | |     -->*<--             (800) 4NE-TPBI
| |  | _ \ __| |__    / | \          Fax (415) 442-4999
|_|  |___/|_______|                  PacBellInternet
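The condition the post describes, a world-writable ACE data directory whose files any local user can replace, is easy to audit and fix with a few lines of shell. The script below is an added example and is not part of the original post nor of the ACE/Server product; it builds a constructed temporary sandbox standing in for /usr/local/ace/data (the file names sdconf.rec and secret are taken from the post), flags every world-writable entry, and applies a tightened mode. The target modes 750/640 are this example's assumption, not a vendor recommendation, and ownership is left unchanged.

```shell
#!/bin/sh
# Added example, not from the original post: audit and harden a directory
# for the world-writable condition described in the message.  The sandbox
# below is constructed; in real use you would pass /usr/local/ace/data.

# List every path under $1 (the directory itself included) whose mode grants
# write to "other" (octal 002).  Returns 1 if anything was listed, 0 if clean.
audit_dir() {
    found=$(find "$1" -perm -002 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/world-writable: /'
        return 1
    fi
    return 0
}

# Number of world-writable entries under $1, for callers that want a count.
count_world_writable() {
    find "$1" -perm -002 -print | wc -l | tr -d ' '
}

# Mitigation for the finding: the directory is no longer writable (or even
# readable) by others, and files are readable only by owner and group.
# Modes 750/640 are this example's assumption, not a vendor recommendation.
harden_dir() {
    chmod 750 "$1"
    find "$1" -type f -exec chmod 640 {} +
}

# Build a constructed sandbox in the state the post describes: a 777 data
# directory holding a world-writable sdconf.rec and a 644 secret file.
make_sandbox() {
    base=$(mktemp -d)
    mkdir "$base/data"
    : > "$base/data/sdconf.rec"
    : > "$base/data/secret"
    chmod 777 "$base/data"
    chmod 666 "$base/data/sdconf.rec"
    chmod 644 "$base/data/secret"
    printf '%s\n' "$base/data"
}

# Stand-alone run: show the audit before and after hardening, then clean up.
demo() {
    dir=$(make_sandbox)
    echo "before hardening:"
    audit_dir "$dir" || true
    harden_dir "$dir"
    echo "after hardening:"
    audit_dir "$dir" && echo "clean"
    rm -rf "$(dirname "$dir")"
}
demo
```

Run it as an ordinary user to see the two flagged entries (the directory and sdconf.rec) disappear after `harden_dir`; on a real installation, run `audit_dir /usr/local/ace/data` from a periodic job so a regression to 777 is caught rather than discovered the way the post did.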