Firewalls: Re: System Security

Firewalls
(October 1993)

Indexed By Thread: [Previous] [Next]

Subject:	Re: System Security
From:	Bob Dew <rdew @ alw . nih . gov>
Date:	Wed, 27 Oct 1993 19:12:34 -0400 (EDT)
To:	richard @ wizard . ucs . sfu . ca (Richard Chycoski)
Cc:	Firewalls @ greatcircle . com
In-reply-to:	<9310270608 . AA03779 @ wizard . ucs . sfu . ca>
References:	<9310270608 . AA03779 @ wizard . ucs . sfu . ca>

Excerpts from Firewalls: 26-Oct-93 Re: System Security Richard
Chycoski @
 wizard .
  (3341)


> Core dumps are a favourite mode of attack used to extract Kerberos tokens
> on a shared machine. One reference - a paper by Peter Honeyman presented
> at the '92 Winter Usenix in San Francisco. I'll extract the appropriate
> paragraphs for you if you'd like - I had a chance to talk to Peter
> about this, and even he stated that Kerberos is still not secure on a 
> shared Unix platform. Other platforms that do not make the tokens available
> via mechanisms such as core dumps may be more secure. Also, as I understand
> it, it isn't easy to recover the tokens from the core dump, but it is still
> possible to do it. (And as another contributor put it - AFS with Kerberos
> looks like Fort Knox compared to NFS/NIS, a sentiment that I agree with
> wholeheartedly.)


Are core dumps really a favorite attack mechanism, or is this more or
less an urban legend that has propagated from somebody's talk?  I know
that people have found tokens by examining core dumps  (this was
demonstrated at conference recently), but has anyone actually used this
information to gain unauthorized access to a system?

Lets say you've attained a core dump, somehow, and you've searched it
and isolated a token. Then what?  What would you do with a token if you
had one?  Call it your own, somehow, and insert it back into the kernel
and begin using it?  How? Would you try to de-crypt it?  (Tokens are DES
encrypted).  Whatever you attempted, you'd need to hurry, because most
user tokens live for at most 25 hours.  Moreover, AFS tokens are tied to
a process, not to a userid. When the process dies, the token dies along
with it.  If you create a new process (lets say a login shell), the mere
fact of having a valid token -- even if you are the legitimate owner and
current user of it -- won't help you in authenticating the new process. 
Users need to request new tokens for each UNIX process that starts
outside of the original UNIX process authentication group (PAG). 
Nothing in the world will allow a second user to steal somebody's
PAG-associated tokens and begin using them.

I'm really curious why you think its easy, or even doable, to break into
AFS on multiuser hosts.  Sure, you could site poor kerberos
implementations that common users can crack.  But so what?  Does that
mean all kerberos implementations are insecure?

Making a blanket statement and siting as fact that AFS is insecure on
multiuser systems doesn't sit well with me.  I'll admit to having heard
some stories too...like the Doberman with the finger in its throat ...  
:-)

Thanks,

-Bob

Follow-Ups:

Re: System Security
From: "Perry E. Metzger" <pmetzger @ lehman . com>

References:

Re: System Security
From: richard @ wizard . ucs . sfu . ca (Richard Chycoski)

Indexed By Date	Previous:	Re: CERT and information From: Tom Fitzgerald <fitz @ wang . com>
Indexed By Date	Next:	Re: System Security From: Bob Dew <rdew @ alw . nih . gov>
Indexed By Thread	Previous:	Re: System Security From: Bob Dew <rdew @ alw . nih . gov>
Indexed By Thread	Next:	Re: System Security From: "Perry E. Metzger" <pmetzger @ lehman . com>