Bugtraq mailing list archives

eTrust Access Control - Root compromise for default install


From: Sanjay Venkat <sanjay () ITRADEFAIR COM>
Date: Fri, 11 Aug 2000 09:37:50 -0500

eTrust Access Control (formerly SeOS) default installation vulnerable to
root-level compromise


While working with eTrust Access Control (SeOS) we found that the default
installation can be compromised in order to gain root access to the
machine. The attacker is required to be on the same network as the host
running the SeOS database and to know some basic information (the
administrator's account name and the name and IP address of the
administration terminal) that can be easily gathered through well-known
information-gathering techniques.

Introduction
============
SeOS is a host-based access control product which runs on Unix and Windows NT
and provides granular control over files and other resources of the operating
system, based on access rules stored in a local database. Internally, SeOS
operates by intercepting system calls in the kernel and checking each request
against the local SeOS database.

SeOS does a fair amount to protect its own resources; a discussion of that
is beyond the scope of this posting.

SeOS also allows the local database to be managed remotely from other systems
on which SeOS is installed, and this is where the system can be compromised.

In depth introduction on remote updates to the SeOS database
=============================================================
Updates to the SeOS database require both of the following conditions to be
met:
1. the user has permission to administer the database, and
2. the user has administration permission from a specific terminal (machine).

Thus SeOS can be set up to accept remote updates to its database only from
authenticated users and only from selected machines. The same two conditions
must hold in order to update a remote database.

The weakness
============
The database of a remote SeOS machine can be compromised and made to accept
updates from the attacker when the attacker connects to that database
masquerading as a legitimate administrator.

Steps
1. The attacker's machine runs a default installation of SeOS, and the
attacker works under the same account name as the remote administrator.

2. The attacker's machine assumes the same hostname and IP address as the
administration terminal.

3. The attacker connects to the local database of the attacker's machine and
then connects to the remote database using the following command:
 host <remote_database>@<attacked_machine>

4. The attacker can now administer SeOS on the attacked machine, which also
allows the creation of new accounts on the operating system.


The Fix
=======
The attacker is easily able to impersonate the remote administrator even
though the traffic is designed to be encrypted. This is because the
encryption key is known to the attacker (the default key is available on the
eTrust CD-ROM). It is our understanding that *most* SeOS installations
today still use the default key, making these systems easy to compromise.

In order to protect against such an attack, it is recommended that the
default encryption key be changed during installation. Even though the
default installation does not require this, it is recommended that the
encryption key be changed on all SeOS hosts. Because the key is shared
between the hosts that administer one another, the new key has to be
deployed to every such host; any host left on the default key remains
exposed to the attack described above.
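The following is an added example, not code from the original posting nor
from eTrust/SeOS itself. It models the trust relationship behind the
weakness and the fix described above: the attacked host decrypts and
authenticates a management request with a symmetric key shared by every
SeOS host, then trusts the administrator name and the terminal it sees the
request coming from. The cipher (HMAC-SHA256 used as a toy stream cipher
with an encrypt-then-MAC tag), the message layout, the `newusr` action name,
the host and account names and both key values are assumptions made for the
illustration and do not describe eTrust's real wire protocol.

```python
"""Toy model of the SeOS remote-administration trust check (added example).

NOT eTrust/SeOS code: cipher, message format, rule names, hosts and key
values are all assumptions for the illustration.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder for the key every default install shares.
DEFAULT_KEY = b"default-key-shipped-on-every-cd"
# Constructed placeholder for a site-specific key chosen at install time.
SITE_KEY = b"site-specific-key-chosen-at-install"

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, msg: dict) -> bytes:
    """Encrypt-then-MAC a request: nonce || ciphertext || tag."""
    pt = json.dumps(msg, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[dict]:
    """Return the request, or None if the tag does not verify under `key`."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class SeosDatabase:
    """The attacked host's database and its two administration conditions."""

    def __init__(self, key: bytes, admins: set, admin_terminals: set):
        self.key = key
        self.admins = admins
        self.admin_terminals = admin_terminals
        self.os_users = set()

    def handle(self, blob: bytes, peer_terminal: str) -> str:
        """peer_terminal is the hostname the target resolves the peer to,
        which is exactly what an attacker with a spoofed name/IP controls."""
        req = unseal(self.key, blob)
        if req is None:
            return "rejected: key mismatch"
        if req["user"] not in self.admins:
            return "rejected: not an administrator"
        if peer_terminal not in self.admin_terminals:
            return "rejected: not an administration terminal"
        if req["action"] == "newusr":  # action name is illustrative only
            self.os_users.add(req["name"])
        return "accepted"


def run_scenarios() -> dict:
    """Legitimate admin, attacker with the default key, then the rekeyed host."""
    n1, n2, n3 = bytes(range(12)), bytes(range(12, 24)), bytes(range(24, 36))
    admins, terminals = {"secadmin"}, {"admin-ws"}

    # 1. Target still on the default key; real admin from the real terminal.
    target = SeosDatabase(DEFAULT_KEY, admins, terminals)
    legit = seal(DEFAULT_KEY, n1, {"user": "secadmin", "action": "newusr", "name": "ops1"})
    r_legit = target.handle(legit, peer_terminal="admin-ws")

    # 2. Attacker: default install => same DEFAULT_KEY, same account name,
    #    hostname/IP spoofed so the target sees the administration terminal.
    forged = seal(DEFAULT_KEY, n2, {"user": "secadmin", "action": "newusr", "name": "backdoor"})
    r_attack = target.handle(forged, peer_terminal="admin-ws")

    # 3. Fix: target rekeyed to SITE_KEY; attacker still holds only the default key.
    hardened = SeosDatabase(SITE_KEY, admins, terminals)
    r_attack_after = hardened.handle(forged, peer_terminal="admin-ws")
    rekeyed = seal(SITE_KEY, n3, {"user": "secadmin", "action": "newusr", "name": "ops1"})
    r_legit_after = hardened.handle(rekeyed, peer_terminal="admin-ws")

    return {
        "legit": r_legit,
        "attack_default_key": r_attack,
        "attack_after_rekey": r_attack_after,
        "legit_after_rekey": r_legit_after,
        "users_on_target": sorted(target.os_users),
        "users_on_hardened": sorted(hardened.os_users),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The point the model makes is that the user and terminal checks only ever
test claims the peer controls once the shared key is public; the key is the
single secret that ties a request to a genuine SeOS host, which is why the
fix is to rekey rather than to tighten the admin or terminal rules.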


Sanjay Venkateswarulu
iTradeFair.com
Stillwater OK

Mike Madero
Ernst and Young LLP
Dallas

