Bugtraq mailing list archives

RE: Nokia IPSO Vulnerability


From: <Iain.King () nokia com>
Date: Fri, 25 Apr 2003 01:05:07 +0300

Hi,
        This is similar in effect to a previous so-called vulnerability in IPSO.
        The previous case was a buffer overflow on voyager -requiring- an authenticated
        user.
        It is true that master.passwd on other systems is (and should be in IPSO) mode 600.
        In effect, however, you require authenticated (default disabled) access to
        the box in the first place, just to view it.

        It is not advisable to chmod 600 it. However, if you are:

        a) paranoid and don't trust your own authenticated users,

        and/or

        b) you don't want to use voyager,

        then go ahead, but voyager will not be usable (can't login).

        No one should allow access to untrusted or unauthenticated users to
        their firewalls in the first place. Anyone who allows unrestricted access
        to the web server from anywhere shouldn't be working in security IMHO.

        The Nokia incident response team has been made aware of this issue and you
        should expect a fix/patch shortly. Valdis, the most valuable file would
        definitely have to be the initial inetd.conf ... should be blank.

cheers,
        Iain

-----Original Message-----
From: ext Jorge Merlino [mailto:jmerlino () easynet com uy]
Sent: 24 April, 2003 21:49
To: Valdis.Kletnieks () vt edu
Subject: RE: Nokia IPSO Vulnerability 


1) If a user enters the right password in the voyager login window she is
*authenticated to use the system* IMHO. Besides I don't think anyone
reasonable allows unrestricted access to the voyager web page from the
internet.

2) As I said before, that only works for a+r files, not every file on the
system.

Regards,
        Jorge

-----Original Message-----
From: ext Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: 24 April, 2003 20:43
To: Jorge Merlino
Subject: Re: Nokia IPSO Vulnerability 


On Thu, 24 Apr 2003 13:32:50 -0300, Jorge Merlino <jmerlino () easynet com uy>  said:
I don't think that is a vulnerability.
The file /etc/master.passwd has read access for all users. Monitor can also
read it in a ssh session.

1) It being readable to all users *authorized to use the system* is different
from it being readable to any bozo on the entire Internet.

2) /etc/master.passwd is used as a *Proof of Concept*.  Feel free to
substitute any other file that might be more damaging to have.  Hmm.. it
might be nice to snarf a copy of /etc/inetd.conf, see what's enabled.. or
maybe I want to grab a copy of.....


-----Original Message-----
From: ext Damieon Stark [mailto:visigoth () securitycentric com]
Sent: 24 April, 2003 21:35
To: Jorge Merlino
Subject: Re: Nokia IPSO Vulnerability


On Thu, Apr 24, 2003 at 01:32:50PM -0300, Jorge Merlino wrote:
I don't think that is a vulnerability.
The file /etc/master.passwd has read access for all users. Monitor can also
read it in a ssh session.
If you try that URL in a file with, let's say, 660 permissions you get a
blank page.

Ummm...  What am I missing here?  Does it seem _crazy_ to anybody else that
the permissions on the file containing some of the most sensitive information
on the system would have read access to all users?  This is clearly NOT
the default on any of the BSD systems (including the one from which IPSO is
derived) that I am aware of.

Can anybody else confirm the permissions required to read the file?  Can
anybody else confirm that the /etc/master.passwd file is a+r?

I would have to call this a vulnerability either way....

-visigoth
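The question in the message above (is /etc/master.passwd a+r?) is the kind of thing an administrator can answer with a portable permission audit rather than by trying a URL. The following script is an added example, not code from the thread or from Nokia; it parses the mode string from `ls -ld` (which works on BSD-derived systems such as IPSO as well as on Linux, unlike the differing `stat` flavours) and reports any file in a supplied list whose "other" read bit is set. The file list is a constructed, illustrative default; adjust it per system.

```sh
#!/bin/sh
# Permission audit for sensitive files (added example, not from the thread).
# Uses the ls -l mode string, positions 1-10: type, user rwx, group rwx, other rwx.
# world_readable FILE: prints the mode and a verdict; returns 0 if the
# "other" read bit is set, 1 if not, 2 if the file does not exist.
world_readable() {
    f="$1"
    [ -e "$f" ] || { echo "missing: $f"; return 2; }
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        # 7 leading chars, then the other-read bit at position 8
        ???????r??) echo "$mode $f  WORLD-READABLE"; return 0 ;;
        *)          echo "$mode $f  ok";             return 1 ;;
    esac
}

# audit_sensitive FILE...: runs world_readable over every argument and
# returns 1 if any file is world-readable, 0 if none are.
audit_sensitive() {
    rc=0
    for f in "$@"; do
        world_readable "$f" && rc=1
    done
    return $rc
}

# Constructed default list of files that should never be a+r on a BSD-style
# host; master.passwd holds the password hashes, inetd.conf the service map.
if [ $# -eq 0 ]; then
    set -- /etc/master.passwd /etc/spwd.db /etc/inetd.conf
fi
# Only audit when run directly with a list; harmless if sourced.
[ -n "${AUDIT_RUN:-}" ] && audit_sensitive "$@"
```

Run as `AUDIT_RUN=1 sh audit.sh` to use the built-in list, or pass explicit paths. A non-zero exit status lets the check be wired into a periodic job; on IPSO, note the point made earlier in the thread that Voyager itself reads master.passwd, so a finding here has to be weighed against that dependency rather than fixed blindly with chmod.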