[12817] in bugtraq
Re: Microsoft Security Bulletin (MS99-051) (fwd)
daemon@ATHENA.MIT.EDU (Kris Kennaway)
Thu Dec 2 14:00:30 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.21.9912012014310.52288-100000@hub.freebsd.org>
Date: Wed, 1 Dec 1999 20:17:44 -0800
Reply-To: Kris Kennaway <kris@HUB.FREEBSD.ORG>
From: Kris Kennaway <kris@HUB.FREEBSD.ORG>
X-To: David LeBlanc <dleblanc@MINDSPRING.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3.0.3.32.19991130095514.04e5aa40@mail.mindspring.com>

On Tue, 30 Nov 1999, David LeBlanc wrote:
> >Regardless of that, how does the patch stop malicious users from
> >producing AT jobs that have valid signatures and putting them in place?
>
> The signature is based on a unique certificate that is stored in the
> private data, and only admins can access the certificate. So your
> requirement to use this method (post-fix) to become admin is to be admin.

Replay attack? I read the patch description as saying that it stores a
signature in the file containing the AT job, which is verified at
execution time. If you can read the job file as another user, you may be
able to resubmit the same job multiple times, if the signature doesn't
include data which is instance-specific (e.g. the job ID).
Kris
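The replay concern raised in this message, as an added Python sketch that is not part of the original post and not Microsoft's patch code. HMAC-SHA256 stands in for the certificate-based signature, and `Scheduler`, `sign` and `replay_outcome` are hypothetical names; the sketch contrasts a signature over the command alone with one that also covers the job ID and is honoured only once.

```python
import hashlib
import hmac

# Constructed stand-in for the admin-only secret (assumption: the real patch uses a certificate).
SCHEDULER_KEY = b"constructed-demo-key"

def sign(fields):
    """MAC over length-prefixed fields so field boundaries cannot be shifted."""
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SCHEDULER_KEY, msg, hashlib.sha256).digest()

class Scheduler:
    def __init__(self, bind_instance):
        self.bind_instance = bind_instance  # True: signature covers the job ID
        self.next_id = 1
        self.pending = set()                # job IDs issued and not yet executed

    def _fields(self, job_id, command):
        if self.bind_instance:
            return [str(job_id).encode(), command.encode()]
        return [command.encode()]           # weak form: nothing instance-specific

    def submit(self, command):
        """Privileged path: allocate an ID and emit a signed job file (a dict here)."""
        job_id = self.next_id
        self.next_id += 1
        self.pending.add(job_id)
        sig = sign(self._fields(job_id, command))
        return {"id": job_id, "command": command, "sig": sig}

    def run(self, job_file):
        """Verify at execution time; return True if the job would be executed."""
        expected = sign(self._fields(job_file["id"], job_file["command"]))
        if not hmac.compare_digest(expected, job_file["sig"]):
            return False
        if self.bind_instance:
            if job_file["id"] not in self.pending:
                return False                # ID already consumed or never issued
            self.pending.discard(job_file["id"])
        return True

def replay_outcome(bind_instance):
    """Present a job file, a copy filed under another ID, then the original again."""
    s = Scheduler(bind_instance)
    original = s.submit("backup.cmd")       # constructed sample job
    copy = dict(original, id=original["id"] + 100)  # same command and signature
    return [s.run(original), s.run(copy), s.run(original)]
```

With the command-only signature all three presentations verify; with the job ID bound in and consumed on execution, only the first does.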