of Mac and Men
Alexander Clouter
alex at digriz.org.uk
Fri Apr 10 00:19:11 CEST 2009
Paul Bartell <paul.bartell at gmail.com> wrote:
>
> I'm aware of an attack on a bank which had implemented EAP, and had
> fun when a pen tester was simply getting domain login credentials
> without having to work much at all.
>
> Could you maybe provide a rebuttal for this attack, and/or explain how
> to make it especially secure?
>

Think of EAP like HTTP... a transport medium. PEAP/TTLS is EAP's version
of SSL... would you expect a bank to use a valid certificate on their
online banking page? Same thing, 100% the same thing.

Network administrators, whilst generally in the mood "let's get this
pesky thing working and fix the 101 other problems I have", easily
forget:

1) if you do not force the root CA to a single registrar you can go to
   *any* registrar (you can use a self-signed one) and make sure
   the subject field in the certificate matches what the client is
   expecting (if anything) to leech user credentials

2) if no forced subject field match is made[1], then as long as you get
   a certificate signed by the marked registrar in (1), if you did
   indeed specify one, then you can leech user credentials

If you miss either of these two, you might as well slap all your users'
credentials on your organisation's website in a text file for folk to
download.

This (vaguely) works transparently for web browsers as they have a stash
of root CAs[2] to call upon and those registrars supposedly[3] verify
and check that you are legit and there are no duplicates... the web
browser then checks whatever is in the address bar. With EAP you have
to tell it what to expect in its "address bar"; this is why you have
to specify the FQDN of the server.

Actually, the whole SSL/TLS thing is horribly broken and we should just
dump it... I'm not bright enough to suggest something better though :)

Cheers

[1] dear god, do not ever use wildcarded certificates, for it will be
your 'crime and your punishment'
[2] of course we all handle certificate revocations don't we?
[3] http://www.amug.org/~glguerin/opinion/revocation.html
    http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/

--
Alexander Clouter
.sigmonster says: /earth is 98% full ... please delete anyone you can.
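The two things the message says administrators forget, forcing the root CA and forcing the server name match, correspond directly to supplicant settings. As an added example that is not part of the original message and not FreeRADIUS project configuration, here is a wpa_supplicant network block in the weak form beside the corrected form; the SSID, identity, CA file path and RADIUS server FQDN are assumed placeholders:

```conf
# Constructed wpa_supplicant.conf fragments; ssid, identity, password,
# ca_cert path and the FQDN are placeholders, not a real deployment.

# WEAK: no ca_cert and no name constraint. The supplicant accepts any
# server certificate, so it fails both point (1) and point (2) of the
# message and hands the inner credentials to whichever RADIUS server
# answers first.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: pin the single CA (point 1) and require a full match on the
# RADIUS server's FQDN (point 2). Only a certificate that chains to this
# CA file *and* carries exactly this name is accepted.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
    # chains must end at this CA file (a private CA, as the message
    # notes a self-signed one is fine)
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    # full-string match against the SubjectAltName dNSName entries, or
    # the subject CN if no dNSName is present; wildcards do not match
    domain_match="radius.corp.example"
}
```

Whether the supplicant checks the name is the point the message is making: the browser gets its expected name from the address bar for free, whereas here `domain_match` is the "address bar" and leaving it out leaves the CA pin as the only check. `domain_match` requires a full match, so a wildcard certificate of the kind footnote [1] warns against would not satisfy it.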