Full Disclosure mailing list archives
Re: Re: Re[3]: RSA SecurID SID800 Token vulnerable by design
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Mon, 11 Sep 2006 20:37:47 +0400
Dear Brian Eaton,

--Monday, September 11, 2006, 7:35:08 PM, you wrote to 3APA3A () security nnov ru:
Network is compromised as long as attacker keeps control under compromised host regardless of authentication. And sometimes longer.
BE> - the spyware has access to the web mail system for as long as the
BE> token is in the machine
BE> - once the token is removed, the spyware can continue accessing the
BE> web mail system until the web mail system session expires
BE> So the damage is limited to what is stolen during the session, while
BE> with a password-only system the account could be used for an
BE> indefinite time period, i.e. until password change.

Not exactly. As you said, token will be used for initial authentication, but cookie will be used for session tracking. Everything depends on cookie expiration time and how it's implemented.

If cookie never expires, or expiration time is long enough to keep session between user logons to Web mail - intruder can keep using session with same cookie. If IP is not checked for cookie - intruder can use cookie offline from his host. If IP is controlled, but cookie is automatically refreshed or expiration time is high, intruder can use compromised host as a 'bot' to keep session alive, even after user logoff. Intruder can redirect client's traffic to his own host and use it as a proxy to web mail, to keep session from his host to web mail after user finishes.

A lot of different scenarios to keep session after token is removed.

--
~/ZARAZA
http://www.security.nnov.ru/
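The session properties discussed in the message above (cookie expiration, IP checking, automatic refresh, state after logoff), shown from the server side as an added example that is not part of the original post or of any web mail product. The class name, reason strings, sample addresses and both timeout values are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed policy: seconds of inactivity allowed
ABSOLUTE_LIFETIME = 8 * 3600  # assumed policy: hard cap since token login

@dataclass
class Session:
    user: str
    client_ip: str
    created: float
    last_seen: float

class SessionStore:
    """Server-side session table; the cookie carries only the random id."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip, now):
        # Called only after the token authentication step has succeeded.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, now, now)
        return sid

    def logout(self, sid):
        # Drop server-side state so a copied cookie dies with the logoff.
        self._sessions.pop(sid, None)

    def validate(self, sid, client_ip, now):
        """Return (user, None) if accepted, else (None, reason)."""
        s = self._sessions.get(sid)
        if s is None:
            return None, "unknown-or-logged-out"
        if client_ip != s.client_ip:
            self.logout(sid)  # force a fresh token login
            return None, "ip-mismatch"
        if now - s.created > ABSOLUTE_LIFETIME:
            self.logout(sid)
            return None, "absolute-lifetime-exceeded"
        if now - s.last_seen > IDLE_TIMEOUT:
            self.logout(sid)
            return None, "idle-timeout"
        # Activity refreshes only the idle timer, never the creation time,
        # so keep-alive traffic cannot extend the session past the cap.
        s.last_seen = now
        return s.user, None
```

The IP check does nothing for requests relayed through the originally authenticated host; in that case only the absolute lifetime and the logoff invalidation bound how long the session survives.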