possible vulnerability in ipsec (AIX 4.3.3)

Post by Fred Huc » Thu, 24 Feb 2000 04:00:00
Hi folks,

I played around a bit with ipsec on two RS/6000. I made a tunnel from
one to the other. After some days, I saw in /etc/passwd (last line)

ipsec:*:238:1::/etc/ipsec:/usr/bin/ksh

Now the machines are NIS clients, and ipsec seems to have created a new
user on the two machines with the first free UID > 200.

The key files and other ipsec stuff reside under /etc/ipsec and are
owned by the user ipsec!

If now a new user is added on the NIS server, too, it will also get
the same UID! This new user can log in to the machines with ipsec
installed and cd to /etc/ipsec, manipulating all key files.

Does anybody know how to report such a bug to IBM?

Have fun,

     Fred
--
Fred Hucht, Institute of Theoretical Physics, University of Duisburg, Germany

"Der Koerper der algebraischen Zahlen ist kein algebraischer Zahlkoerper"
(E. Landau, Zahlentheorie (1927), Satz 718)


possible vulnerability in ipsec (AIX 4.3.3)

Post by Bruce Elric » Thu, 24 Feb 2000 04:00:00
Hmm...

I would say that a number of applications create users using a number of
mechanisms, and someone using a distributed user database like NIS or DCE needs
to be aware of that and plan ahead; that is, don't start NIS users too low in
the UID space.

I know one shop that had DCE which used the following rules:

UID 0-999 were local system-based users.
This would include users such as this ipsec user that have no business being
on other machines (i.e. the ipsec user on one machine should have no
privileges on another machine, even if it also has an ipsec user).  System
administrators did not need to worry about UID allocation being coordinated
among systems for this range (apart from root, I suppose).  These users used
the local system passwd files and did not coordinate passwords between systems
even if there were identical user names.

UID 1000-9999 were global systems/applications users.  Example is a particular
application needed a UID on a number of machines.  This includes system
applications.  These are under DCE control.

UID 10000+ for real global users. These are under DCE control.
> Hi folks,

> I played around a bit with ipsec on two RS/6000. I made a tunnel from
> one to the other. After some days, I saw in /etc/passwd (last line)

> ipsec:*:238:1::/etc/ipsec:/usr/bin/ksh

> Now the machines are NIS clients, and ipsec seems to have created a new
> user on the two machines with the first free UID > 200.

> The key files and other ipsec stuff reside under /etc/ipsec and are
> owned by the user ipsec!

> If now a new user is added on the NIS server, too, it will also get
> the same UID! This new user can log in to the machines with ipsec
> installed and cd to /etc/ipsec, manipulating all key files.

When they log in and the local passwd file has UID 238, does this not short
circuit NIS?  That is, if login(3) finds a matching UID in /etc/passwd, will
it not use /etc/security/passwd's password (which surely the user on the other
system does not know, or login is disabled for that user like it is for
nobody)?  I thought NIS only kicks in if it fails to find the UID in
/etc/passwd and finds the NIS tag line at the bottom.

> Does anybody know how to report such a bug to IBM?

Use your normal problem reporting procedures (1-800-IBM-???? (SERV?)) and open
a PMR.  You can do this even if you don't have support entitlement; if it is a
bug then they don't charge.  However, you had better research the docs to see
if they talk about this and whether such behaviour is "working as designed"
(and it is the sys admin's responsibility to avoid such situations).  Also,
make sure that the user can actually log in as 'ipsec' and access those files
(you say they can but sometimes people say that but haven't tried it).

Cheers...
Bruce
--
Bruce Elrick, Ph.D.                       Saltus Technology Consulting Group
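The collision Fred describes (a locally created service account such as ipsec sharing a UID with a later NIS user) and the range rule Bruce describes can both be checked with a short script. This is an added example, not from either poster; the passwd and NIS map lines in it are constructed samples, and the 1000 floor is the boundary from the layout above.

```shell
#!/bin/sh
# Constructed sample data: a local /etc/passwd from an NIS client (note the
# "+" marker line) and the passwd map as "ypcat passwd" would print it.
LOCAL_PASSWD='root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
ipsec:*:238:1::/etc/ipsec:/usr/bin/ksh
+::0:0:::'
NIS_PASSWD='alice:x:237:100:Alice:/home/alice:/usr/bin/ksh
bob:x:238:100:Bob:/home/bob:/usr/bin/ksh
carol:x:1000:100:Carol:/home/carol:/usr/bin/ksh'

# Print "uid local_name nis_name" for every UID present in both the local
# passwd file and the NIS map under different names.
# $1 = local passwd text, $2 = NIS passwd map text.
uid_collisions() {
    {
        printf '%s\n' "$2"          # NIS map first so its names are known
        printf '%s\n' '@@LOCAL@@'   # separator between the two sources
        printf '%s\n' "$1"
    } | awk -F: '
        $0 == "@@LOCAL@@" { in_local = 1; next }
        $1 == "" || $1 ~ /^[+-]/ { next }   # blank lines, NIS +/- entries
        !in_local { nisname[$3] = $1; next }
        ($3 in nisname) && nisname[$3] != $1 { print $3, $1, nisname[$3] }
    '
}

# Print "name uid" for local accounts whose UID is at or above the floor
# where NIS-managed UIDs begin.  Each one is a collision candidate the next
# time the NIS server hands out a free UID.  $1 = local passwd text, $2 = floor.
local_in_nis_range() {
    printf '%s\n' "$1" | awk -F: -v floor="$2" '
        $1 == "" || $1 ~ /^[+-]/ { next }
        $3 + 0 >= floor + 0 { print $1, $3 }
    '
}

echo "UID collisions (uid local nis):"
uid_collisions "$LOCAL_PASSWD" "$NIS_PASSWD"
echo "Local accounts at or above the NIS floor of 200:"
local_in_nis_range "$LOCAL_PASSWD" 200
```

On a live client, feed the functions the contents of /etc/passwd and the output of ypcat passwd instead of the constructed strings; with a floor of 1000 the ipsec entry at 238 is not reported, which is why the local range in Bruce's layout ends at 999.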