eTrust Access Control (formerly SeOS) default installation vulnerable to root level compromise
In working with eTrust Access Control (SeOS) we found that the default installation can be compromised in order to gain root access to the machines. The attacker is required to be on the same network as the SeOS database and to know some basic information that can be easily gathered through well-known information gathering techniques.
SeOS is a host-based access control utility which runs on Unix and WinNT and provides granular control over files and resources on the operating system based on access rules stored in a local database. Internally, SeOS operates by intercepting system calls in the kernel and checking each request against the local SeOS database.
SeOS does a fair bit to protect its own resources and getting into a discussion on that is beyond the scope of this posting.
SeOS allows remote management of the local database from other systems where SeOS has been installed, and this is where the system might be compromised.
Updates to the SeOS database require both of the following conditions to be met: 1. access to administer the database, and 2. administration permissions from a specific terminal (machine).
Thus SeOS can be set up to accept remote updates to the SeOS database from authenticated users and from selected machines. The same conditions must be true to update a remote database.
The remote database of a SeOS machine can be compromised and made to accept updates from the attacker when the attacker connects to the database masquerading as a legitimate administrator.
Steps
1. The attacker machine runs a default installation of SeOS and runs under the same account name as the remote administrator.
2. The attacker machine assumes the same name and IP address as the administration terminal.
3. The attacker connects to the local database of the attacker machine and then connects to the remote database using the following command: host <remote_database>@<attacked_machine>
4. The attacker can now administer SeOS, which also allows creation of new accounts on the operating system.
The attacker is easily able to impersonate the remote administrator even though the traffic is designed to be encrypted. This is because the encryption key is known to the attacker (the default key is available on the eTrust CD-ROM). It is our understanding that most SeOS implementations today still use the default key, making these systems easily compromised.
In order to protect against such an attack, it is recommended that the default encryption key be changed during installation. Even though the default installation does not require this, it is recommended that the encryption key be changed on all SeOS hosts.
Sanjay Venkateswarulu iTradeFair.com Stillwater OK
Mike Madero Ernst and Young LLP Dallas