[2989] in Kerberos
Re: ksu
daemon@ATHENA.MIT.EDU (Scott Dawson)
Thu Jan 27 17:32:48 1994
To: Derek Atkins <warlord@MIT.EDU>
Cc: sdawson@engin.umich.edu, kerberos@MIT.EDU
In-Reply-To: Your message of "Wed, 26 Jan 1994 16:11:25 EST."
Date: Thu, 27 Jan 1994 17:09:51 -0500
From: Scott Dawson <sdawson@engin.umich.edu>
-----Your message-----
> Hi.
>
> There are two holes that I know of in ksu. The first is that if there
> is no rcmd ticket, a successful root ticket will let you in, and
> second, it is possible to spoof a principal and rcmd ticket, and it
> will let you in. I know of no patches for these holes.
>
> The second attack is slightly more difficult than the first.
>
> -derek
>
>
-----End of your message-----
Ok. I see the first hole. No problem, though. It's an easy fix.
I don't see the second one though. It looks like once the rcmd ticket
is gotten, there is a call to krb_rd_req to verify the ticket using
the key in /etc/srvtab. If you spoofed the rcmd ticket, wouldn't the
krb_rd_req fail thus causing the su to fail? If you could muck the
srvtab file, you're presumably already root anyway...
Thanks,
-Scott
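The two checks discussed in this exchange, as an added illustration that is not ksu or Kerberos source: a decision routine that falls through to the root ticket when no rcmd ticket is present (the first hole), the same routine with the fall-through removed, and a stand-in for krb_rd_req that accepts an rcmd ticket only if it checks out under the key the host holds for that service (the role /etc/srvtab plays above). Everything here is constructed: the names Ticket, issue_ticket, rd_req, ksu_flawed, ksu_fixed and demo, the service instance "rcmd.host", the sample keys, and the use of an HMAC in place of the DES encryption real Kerberos v4 tickets use. The toy "fixed" routine requires both the root ticket and a verified rcmd ticket, which is an assumption about the intended check, not a description of any ksu patch.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed model of the ksu decision discussed in the thread. Real Kerberos v4
# tickets are DES-encrypted under the service key; here the service key simply
# authenticates the ticket fields with an HMAC, which is enough to show why a
# ticket produced without that key does not pass verification.


@dataclass(frozen=True)
class Ticket:
    principal: str   # who the ticket was issued to, e.g. "scott"
    service: str     # service instance the ticket is for, e.g. "rcmd.host"
    tag: bytes       # authenticator over (principal, service) under the service key


def issue_ticket(principal: str, service: str, service_key: bytes) -> Ticket:
    """Stand-in for the KDC: only a holder of the service key can make a valid tag."""
    msg = f"{principal}|{service}".encode()
    return Ticket(principal, service, hmac.new(service_key, msg, hashlib.sha256).digest())


def rd_req(ticket: Ticket, expected_service: str, srvtab_key: bytes) -> bool:
    """Stand-in for krb_rd_req: accept the ticket only if it verifies under the
    key this host holds for the named service (what /etc/srvtab supplies)."""
    if ticket.service != expected_service:
        return False
    msg = f"{ticket.principal}|{ticket.service}".encode()
    expected = hmac.new(srvtab_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(ticket.tag, expected)


def ksu_flawed(root_ticket_ok: bool, rcmd: Optional[Ticket], srvtab_key: bytes) -> bool:
    """Decision shape behind the first hole: with no rcmd ticket at all, a
    successful root ticket on its own lets the caller in."""
    if rcmd is None:
        return root_ticket_ok
    return rd_req(rcmd, "rcmd.host", srvtab_key)


def ksu_fixed(root_ticket_ok: bool, rcmd: Optional[Ticket], srvtab_key: bytes) -> bool:
    """Same decision with the fall-through removed: the rcmd ticket must be present
    and must verify under the host's srvtab key; the root ticket alone never suffices."""
    if rcmd is None:
        return False
    return root_ticket_ok and rd_req(rcmd, "rcmd.host", srvtab_key)


def demo() -> dict:
    """Run the three cases from the thread and report allow/deny for each routine."""
    srvtab_key = b"constructed-host-service-key"        # constructed sample key
    genuine = issue_ticket("scott", "rcmd.host", srvtab_key)
    # Same fields, but the tag was made without the host's key: this is the
    # "spoofed rcmd ticket" case, which rd_req rejects as the reply expects.
    forged = issue_ticket("scott", "rcmd.host", b"constructed-wrong-key")
    return {
        "genuine_fixed": ksu_fixed(True, genuine, srvtab_key),
        "forged_fixed": ksu_fixed(True, forged, srvtab_key),
        "forged_flawed": ksu_flawed(True, forged, srvtab_key),
        "missing_flawed": ksu_flawed(True, None, srvtab_key),   # the first hole
        "missing_fixed": ksu_fixed(True, None, srvtab_key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point the model makes is the one in the reply: verification against the host's own service key is what stops a forged ticket, so the forged case is denied by both routines, while only the missing-ticket case separates the flawed decision from the corrected one.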