A Security Hole at S-CWIS

by Phineas Phreak

From the book Maximum Security, published anonymously, I had received the impression that university computer systems were among the properly secured systems of the world.

I found this impression hard to reconcile with the significant security flaw I discovered in the Student Campus Wide Information Service (S-CWIS) at the University of Nebraska - Omaha.

Especially bad was the fact that the hole I discovered was not inherent in the software but was instead caused by poor administrative policy.  This flaw allows unauthorized access to the system by anyone with a minimum of effort and knowledge.  Most important, the flaw reveals a poor understanding and implementation of security that would extend to other campus computer systems and perhaps to the computer systems of other campuses.

The computers at the University of Nebraska - Omaha can be accessed by calling 402-554-3711 or 402-554-3434.

They can also be accessed by Telnet at: [specific system].unomaha.edu

The S-CWIS system is used by students.  CWIS is for faculty, Revelation is for library staff, and Thor is a special system for programming students.  The purpose of the Zeus system that also exists on campus is unknown to me.

Because of the security hole, telnet s-cwis.unomaha.edu would let anyone with Telnet access into the system, not just UNO students.  The other systems are not vulnerable to this specific flaw as far as I know, but this gaping hole reveals possibilities for other holes in systems maintained by the same people.

S-CWIS runs OSF/1, which is of course BSD with a small amount of System V thrown in for kicks.  The shell provided is tcsh (a C shell variant).  Standard UNIX services are offered: shell, FTP, Lynx as a web browser, Tin for newsgroups, Pico or FPTED for text editing, and Pine or Elm for mail.  Of course, shell access is the most important to an unauthorized user because of the unlimited range of tasks it can be made to perform.

When users first get an S-CWIS account, their student number is the default password.  A good proportion of users never use the service at all, or never again once OSF/1 UNIX greets them.  If they never use the service or use it only once, good security features such as password aging and reminders to change the password to something other than the student number become ineffective.  This hole would not be a big one if student numbers were secret things that just anyone couldn't find out.  They aren't.  The law states that the university cannot ask for a student's Social Security number in order to track them.  Instead they use the student number.

Curiously, the student number happens to resemble the Social Security number exactly.  Stupid.  If you found an account where someone had never changed the password from the original default and you knew the Social Security number, you would be inside.  What if the account has lain dormant for at least 90 days?  Well, then it would need a new password.  Does this mean you could not access the account?  Not if the password is still the Social Security number.  Enter the Social Security number and then create a new password.  The owner may never sign on again to discover that they cannot access their account.

Discovering users to get Social Security numbers for is not that difficult.  Usernames are mere name corruptions.  Roman Polanski might become polanskr.  Brandi Clinton might become bclinton.  Seeing as S-CWIS accepts Finger queries, finding usernames should not be a problem.  Finger also reveals much about a user, including real name and other such goodies.  Sometimes it even reveals the last sign-on date.  This could be a big clue to accounts that still have the default password on them.  If access is already obtained, then one can use the special Finger utility on the system.  This utility can print whole username lists.  You could search for all users whose username starts with an "a."  In this way you could have a list of all the users on the system whose accounts you can attack.
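The two weaknesses described above, predictable usernames derived from real names and a default password equal to a student number that anyone can look up, which 90-day password aging does nothing to fix, come together in the following audit script.  It is an added example written for this reprint, not code from the article or from UNO.  The hash function (salted SHA-256 standing in for crypt(3)), the record layout, the date, and the sample accounts are all constructed for illustration.

```python
"""Audit a user database for the S-CWIS failure mode.

Models two things the article describes:
  1. Usernames are "name corruptions" (polanskr, bclinton), so login names
     can be derived from the real names that finger hands out.
  2. The default password is the student number, and 90-day aging does not
     stop an intruder who knows it: expiry only forces a *change*, which the
     intruder is happy to perform.

Hash scheme, record layout and sample data are constructed for this example;
they are not the real OSF/1 crypt(3) scheme or real accounts.
"""
from dataclasses import dataclass
from datetime import date
from hashlib import sha256
from hmac import compare_digest
from typing import Optional

AGING_DAYS = 90  # the article's password-aging threshold


def hash_password(salt: str, password: str) -> str:
    """Stand-in for crypt(3): salted SHA-256 (an assumption, not the real scheme)."""
    return sha256((salt + password).encode()).hexdigest()


@dataclass
class Account:
    username: str
    real_name: str
    student_number: str         # nine digits, SSN-shaped per the article
    salt: str
    pw_hash: str
    pw_changed: date
    last_login: Optional[date]  # None means the owner never logged in


def candidate_usernames(real_name: str) -> list:
    """Both conventions the article shows, truncated to eight characters:
    surname (up to 7 chars) + first initial  -> 'polanskr'
    first initial + surname                   -> 'bclinton'
    """
    parts = real_name.lower().split()
    first, last = parts[0], parts[-1]
    return [(last[:7] + first[0])[:8], (first[0] + last)[:8]]


def uses_default_password(acct: Account) -> bool:
    """True if the stored hash still verifies against the student number."""
    return compare_digest(hash_password(acct.salt, acct.student_number), acct.pw_hash)


def login(acct: Account, guess: str, today: date) -> str:
    """Model the login path.  A correct but expired password does not deny
    access; it only prompts for a replacement, so the intruder still gets a shell."""
    if not compare_digest(hash_password(acct.salt, guess), acct.pw_hash):
        return "denied"
    if (today - acct.pw_changed).days >= AGING_DAYS:
        return "forced-change"   # new password chosen by whoever typed the old one
    return "shell"


def audit(accounts, today: date) -> dict:
    """Map username -> reason for every account an outsider could enter with a
    known student number.  Dormant ones are worst: nobody will notice the takeover."""
    findings = {}
    for a in accounts:
        if not uses_default_password(a):
            continue
        if a.last_login is None:
            findings[a.username] = "default password, never logged in"
        else:
            findings[a.username] = "default password"
    return findings


def make_account(username, real_name, student_number, password, pw_changed, last_login):
    salt = username[:2]  # constructed salt rule for the example
    return Account(username, real_name, student_number, salt,
                   hash_password(salt, password), pw_changed, last_login)


# Constructed sample data; names reuse the article's own examples.
TODAY = date(1997, 10, 1)
SAMPLE_ACCOUNTS = [
    make_account("polanskr", "Roman Polanski", "123456789", "123456789", date(1997, 1, 15), None),
    make_account("bclinton", "Brandi Clinton", "987654321", "correct horse", date(1997, 6, 1), date(1997, 9, 1)),
    make_account("jdoe", "Jane Doe", "555443333", "555443333", date(1997, 8, 20), date(1997, 8, 20)),
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user:10s} {reason}")
    for a in SAMPLE_ACCOUNTS:
        print(a.username, "with student number ->", login(a, a.student_number, TODAY))
```

Run as a script it lists polanskr (dormant, default password) and jdoe (default password), and shows that polanskr's expired default password still yields "forced-change" rather than "denied": aging locks out the forgetful owner, not the intruder who knows the default.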

Once you have the login names and the Social Security numbers (available from such pay sites as kadima.com or other places that I am unfamiliar with), you're in.  Once you're in, you have a clear shot at the shell.  Only your personal skill level determines what you could do from there.

Lax security can only be cured if the system is forced to change by being breached.  I would not advocate breaching the computer, as that would be a violation of the law.  I also cannot advocate lax security, which is just plainly moronic.  Perhaps the administration of UNO will eventually see this.  Then they may be forced to bring their systems up to par.
