COMMAND

    eTrust Access Control (formerly SeOS)

SYSTEMS AFFECTED

    eTrust Access Control

PROBLEM

    Sanjay Venkat found the following.  A default installation of eTrust
    Access Control (formerly SeOS) is vulnerable to root level compromise.
    While working with eTrust Access Control (SeOS), Sanjay found that the
    default installation can be compromised in order to gain root access to
    the machines.  The attacker is required to be on the same network as the
    SeOS database and to know some basic information that can be easily
    gathered through well known information gathering techniques.

    SeOS is a host based access control utility which runs on Unix and
    WinNT and provides granular control over files and resources on the
    operating system, based on access rules stored in a local database.
    Internally, SeOS operates by intercepting system calls in the kernel
    and checking each request against the local SeOS database.

    SeOS does a fair bit to protect its own resources and getting into
    a discussion on that is beyond the scope of this posting.

    SeOS allows  remote management  of the  local database  from other
    systems where SeOS has been installed and here is where the system
    might be compromised.

    Updates to the SeOS database require both of the following conditions
    to be met:

        1. Access to administer the database, and
        2. Administration permissions from a specific terminal (machine).

    Thus SeOS can be set up to accept remote updates to the SeOS database
    only from authenticated users and from selected machines.  The same
    conditions must be true to update a remote database.

    The remote database of a SeOS machine can be compromised and  made
    to accept updates from the attacker when the attacker connects  to
    the database masquerading as a legitimate administrator.

    Steps:
    1. Attacker machine runs a  default installation of SeOS and  runs
       under the same account name as the remote Administrator.
    2. Attacker  machine  assumes  the  same  name  and IP address  as
       administration terminal.
    3. Attacker connects to the local database of the Attacker machine
       and later connects to the Remote database using the following
       command: host <remote_database>@<attacked_machine>
    4. The Attacker can now administer SeOS, which also allows creation
       of new accounts on the operating system.

SOLUTION

    The Attacker is easily able to impersonate the remote administrator
    even though the traffic is designed to be encrypted.  This is because
    the encryption key is known to the attacker (the default key is
    available on the eTrust CD ROM).  *Most* SeOS implementations today
    still use the default key, making these systems easily compromised.

    In order to protect against such an attack, it is recommended that the
    default encryption key be changed during installation.  Even though
    the default installation does not require this, it is recommended that
    the encryption key be changed on all SeOS hosts.
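    To show why the key change matters, the following is an added toy model
    written for this posting; it is not SeOS code and does not reproduce the
    real wire protocol.  It assumes a request authenticated with a shared
    key and checked against a (user, terminal) policy; the key values,
    host names and account names are constructed placeholders.

```python
import hmac
import hashlib
import json

# Constructed stand-in for a vendor default key shipped with every install
# (placeholder value, not the real key).
DEFAULT_KEY = b"VENDOR-DEFAULT-KEY-PLACEHOLDER"


def build_request(key: bytes, user: str, terminal: str, command: str) -> dict:
    """Client side: an admin request bound to the claimed account name and
    terminal, with an integrity tag computed under the shared key."""
    body = json.dumps({"user": user, "terminal": terminal, "command": command},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class SeosLikeDatabase:
    """Toy model of the remote-administration check: the tag must verify
    under this host's key, and the (user, terminal) pair must be one the
    policy allows to administer the database."""

    def __init__(self, key: bytes, admin_users: set, admin_terminals: set):
        self.key = key
        self.admin_users = admin_users
        self.admin_terminals = admin_terminals
        self.audit_log: list = []

    def accept(self, request: dict) -> bool:
        expected = hmac.new(self.key, request["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["tag"]):
            self.audit_log.append("rejected: tag does not verify under site key")
            return False
        claims = json.loads(request["body"])
        ok = (claims["user"] in self.admin_users
              and claims["terminal"] in self.admin_terminals)
        self.audit_log.append(("accepted " if ok else "rejected: policy ")
                              + f"{claims['user']}@{claims['terminal']}")
        return ok


def demo() -> tuple:
    """A host still on the default key versus one with a site-specific key,
    each receiving a request whose user and terminal fields simply copy a
    legitimate administrator's (names and addresses are not secrets)."""
    request = build_request(DEFAULT_KEY, "root", "admin-ws", "add user")
    unrotated = SeosLikeDatabase(DEFAULT_KEY, {"root"}, {"admin-ws"})
    rotated = SeosLikeDatabase(b"site-key-set-at-install", {"root"}, {"admin-ws"})
    return unrotated.accept(request), rotated.accept(request)
```

    The only input that separates the two outcomes is the key: the user and
    terminal checks pass identically on both hosts.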