I released the following to CERT and then realized it was probably not the best place for this issue as the vulnerability is more local network and workstation than Internet. They have not responded within the last 5 days and so I'm forwarding the CERT submission form to SecurityFocus.

Vulnerability submission:

CONTACT INFORMATION
==========================================================================
Let us know who you are:

  Name        : Paul A Roberts
  E-mail      : proberts@teleport.com paul.a.roberts@state.or.us
  Phone / fax : (503)581-1881 / (503)945-6443
  Affiliation and address:
                Oregon Department of Human Services
                500 Summer St. NE -- NDS 5th Floor
                Salem, OR 97301

Have you reported this to the vendor? YES

If so, please let us know whom you've contacted:

  Date of your report     : 02/02/02
  Vendor contact name     : Rob Roy
  Vendor contact phone    : 408-335-1400
  Vendor contact e-mail   : rroy@identix.com
  Vendor reference number : 020502-1015a

If not, we encourage you to do so--vendors need to hear about vulnerabilities from you as a customer.

POLICY INFO
==========================================================================
We encourage communication between vendors and their customers. When we forward a report to the vendor, we include the reporter's name and contact information unless you let us know otherwise.

If you want this report to remain anonymous, please check here:

  ___ Do not release my identity to your vendor contact.

TECHNICAL INFO
==========================================================================
If there is a CERT Vulnerability tracking number please put it here (otherwise leave blank): VU#______.

Please describe the vulnerability.
---------------------------------

What is the impact of this vulnerability?
----------------------------------------
(For example: local user can gain root/privileged access, intruders can create root-owned files, denial of service attack, etc.)

a) What is the specific impact:

The BioLogon 3 software is designed to provide 3-factor authentication. Fingerprint, Smart Card, Password. All three authentications can be bypassed at the login GINA.

b) How would you envision it being used in an attack scenario:

An individual with physical access to a laptop or workstation can gain System privileges without authenticating in order to obtain, alter, or remove data or to install a backdoor.

To your knowledge is the vulnerability currently being exploited?
----------------------------------------------------------------
NO

If there is an exploitation script available, please include it here.
--------------------------------------------------------------------
Sample exploit:

At an XP or NT login the operator presses CTRL-ALT-DEL. The GINA option "More" can then be selected. For XP, Configure / Sounds is then selected. An event can then be selected and "Browse" initiated. Once Browse is initiated System level explorer access is granted. Files can be copied to removable media or files can be imported from removable media to local locations such as startup folders. Properties can be altered and files removed or added. NT 4 behaves much the same with minor menu differences.

Do you know what systems and/or configurations are vulnerable?
-------------------------------------------------------------
YES (If yes, please list them below)

I've only tested 'secure' MS systems (not Win9x or any other potential platforms).

  System           : Microsoft Windows BioLogon 3 Build (11106)
  OS version       : XP Professional / NT 4 / (2000 guess)
  Verified/Guessed : Verified

Are you aware of any workarounds and/or fixes for this vulnerability?
--------------------------------------------------------------------
YES (If you have a workaround or are aware of patches please include the information here.)

Identix has not updated their web site as of yet or added a customer download to address this vulnerability.
They were very responsive in providing a patched DLL file via e-mail once they were made aware of the vulnerability. The DLL replaces the install version of "Itlogonx.dll". This resolves the issue on XP Professional and on NT 4 (assume 2000 as well).

OTHER INFORMATION
===========================================================================
Is there anything else you would like to tell us?

Identix indicated they would add this vulnerability to their FAQ and a fix in the next release. Due to the severity of the hole on an unpatched system I believe this should be indexed as soon as possible. I believe with the patch they are ready to handle this situation, though, as noted, it was not available on the website at this time.

-------
CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark office.