Re: Re[3]: RSA SecurID SID800 Token vulnerable by design

To: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Subject: Re: Re[3]: RSA SecurID SID800 Token vulnerable by design
From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
Date: Mon, 11 Sep 2006 11:35:08 -0400
Cc: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=b/bSRFTjsMseTEDgXHa4hzcrqr6+iYwpJug5ama5f/X83PP8pADu5FlkWWJkSLW08kdX5XRl07QrK9DO8zZ9b5OhI3HfeHK6D3EStAS+8BqvbVNRT5xNKUfqoij4CaPuua8W0MO6HJXmIOBU+3QlufhsoDolIdrcbzIGSD2zUQY=
In-reply-to: <1818570628.20060911185526@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060907184952.GA11869@xxxxxxxxxx> <947164686.20060909134155@xxxxxxxxxxxxxxxx> <242a0a8f0609090712pc5774cah6780baa50b9d761e@xxxxxxxxxxxxxx> <1818570628.20060911185526@xxxxxxxxxxxxxxxx>

On 9/11/06, 3APA3A <3APA3A@xxxxxxxxxxxxxxxx> wrote:

BE> Two-factor  auth cannot be said to make accessing the network from a
BE> compromised  PC  "safe". That does not make two-factor auth useless.
BE> With  plain  passwords, once the attacker has the password, they can
BE> access  the  network  at will. With two-factor auth, they can access
BE> the network for a much more limited time span.

Network   is  compromised  as  long  as  attacker  keeps  control  under
compromised host regardless of authentication. And sometimes longer.


I think we're talking about different kinds of environments and
authentication schemes.  The example I had in mind was this one:

- corporate web mail system requires two-factor auth for access
- employee accesses the web mail system from a friend's machine that
is loaded with spyware, authenticating using their token.
- the spyware has access to the web mail system for as long as the
token is in the machine
- once the token is removed, the spyware can continue accessing the
web mail system until the web mail system session expires

So the damage is limited to what is stolen during the session, while
with a password-only system the account could be used for an
indefinite time period, i.e. until password change.

<snip NTLM example>

It  means,  if  authentication schema is NTLM-compatible (it must be for
compatibility with pre-Windows 2000 hosts and some network applications,
like  Outlook  Express),  attacker can use compromised account to access
network  resources  without  having  access  to  2-factor authentication
device.  How  long  he  can  retain  this  access  depends  on how often
account's  NT key is changed (usually with password change, but actually
depends on implementation of authentication system and may be never).


Is this RSA whitepaper an example of what you are talking about?

http://tinyurl.com/pb5n7

The whitepaper refers to Kerberos tickets, but the mechanism sounds
like it could work with NTLM as well.

I think the situation you are pointing out is where an authentication
process requires an initial two-factor authentication, but then issues
some kind of session key that takes a very long time to expire.  That
would seem to defeat the purpose of the two-factor auth.

Regards,
Brian

Follow-Ups:
- Re[5]: RSA SecurID SID800 Token vulnerable by design
  - From: 3APA3A

References:
- RSA SecurID SID800 Token vulnerable by design
  - From: Hadmut Danisch
- Re: RSA SecurID SID800 Token vulnerable by design
  - From: 3APA3A
- Re: [Full-disclosure] Re: RSA SecurID SID800 Token vulnerable by design
  - From: Brian Eaton
- Re[3]: RSA SecurID SID800 Token vulnerable by design
  - From: 3APA3A

Prev by Date: Sql injection in Tikiwiki
Next by Date: WTools v0.0.1-ALPH - Remote File Include Vulnerabilities
Previous by thread: Re[3]: RSA SecurID SID800 Token vulnerable by design
Next by thread: Re[5]: RSA SecurID SID800 Token vulnerable by design
Index(es):
- Date
- Thread