Bugtraq mailing list archives

Identix BioLogon 3


From: "Paul A Roberts" <proberts () teleport com>
Date: Tue, 12 Feb 2002 00:42:10 -0800

I released the following to CERT and then realized it was probably not the
best place for this issue as the vulnerability is more local network and
workstation than Internet.  They have not responded within the last 5 days
and so I'm forwarding the CERT submission form to SecurityFocus.

Vulnerability submission:


CONTACT INFORMATION
==========================================================================
Let us know who you are:

Name : Paul A Roberts
E-mail : proberts () teleport com
paul.a.roberts () state or us
Phone / fax : (503)581-1881 / (503)945-6443

Affiliation and address: Oregon Department of Human Services
500 Summer St. NE -- NDS 5th Floor
Salem, OR 97301

Have you reported this to the vendor? YES

If so, please let us know whom you've contacted:

Date of your report : 02/02/02
Vendor contact name : Rob Roy
Vendor contact phone : 408-335-1400
Vendor contact e-mail : rroy () identix com
Vendor reference number : 020502-1015a

If not, we encourage you to do so--vendors need to hear about
vulnerabilities from you as a customer.

POLICY INFO
==========================================================================
We encourage communication between vendors and their customers. When
we forward a report to the vendor, we include the reporter's name and
contact information unless you let us know otherwise.
If you want this report to remain anonymous, please check here:
___ Do not release my identity to your vendor contact.

TECHNICAL INFO
==========================================================================
If there is a CERT Vulnerability tracking number please put it
here (otherwise leave blank): VU#______.

Please describe the vulnerability.
---------------------------------
What is the impact of this vulnerability?
----------------------------------------
(For example: local user can gain root/privileged access, intruders
can create root-owned files, denial of service attack, etc.)
a) What is the specific impact:

The BioLogon 3 software is designed to provide 3-factor authentication.
Fingerprint, Smart Card, Password. All three authentications can be
bypassed at the login GINA.

b) How would you envision it being used in an attack scenario:

An individual with physical access to a laptop or workstation can gain
System privileges without authenticating in order to obtain, alter, or
remove data or to install a backdoor.

To your knowledge is the vulnerability currently being exploited?
----------------------------------------------------------------
NO

If there is an exploitation script available, please include it here.
--------------------------------------------------------------------
Sample exploit:

At an XP or NT login the operator presses CTRL-ALT-DEL.
The GINA option "More" can then be selected. For XP, Configure / Sounds
is then selected. An event can then be selected and "Browse" initiated.
Once Browse is initiated System level explorer access is granted. Files
can be copied to removable media or files can be imported from removable
media to local locations such as startup folders. Properties can be
altered and files removed or added. NT 4 behaves much the same with minor
menu differences.

Do you know what systems and/or configurations are vulnerable?
-------------------------------------------------------------
YES (If yes, please list them below)

I've only tested 'secure' MS systems (not Win9x or any other potential
platforms).

System : Microsoft Windows BioLogon 3 Build (11106)
OS version : XP Professional / NT 4 / (2000 guess)
Verified/Guessed: Verified

Are you aware of any workarounds and/or fixes for this vulnerability?
--------------------------------------------------------------------
YES (If you have a workaround or are aware of patches
please include the information here.)

Identix has not updated their web site as of yet or added a customer
download to address this vulnerability. They were very responsive in
providing a patched DLL file via e-mail once they were made aware of the
vulnerability. The DLL replaces the install version of "Itlogonx.dll".
This resolves the issue on XP Professional and on NT 4 (assume 2000 as
well).

OTHER INFORMATION
==========================================================================
Is there anything else you would like to tell us?

Identix indicated they would add this vulnerability to their FAQ and a fix
in the next release. Due to the severity of the hole on an unpatched
system I believe this should be indexed as soon as possible. I believe
with the patch they are ready to handle this situation, though, as noted,
it was not available on the website at this time.

-------
CERT and CERT Coordination Center are registered in the U.S. Patent and
Trademark office.

