| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150129014835.GD4951@bender.unx.csupomona.edu> Date: Wed, 28 Jan 2015 17:48:35 -0800 From: "Paul B. Henson" <henson@....org> To: fulldisclosure@...lists.org Subject: Re: [FD] CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP authentication via crafted wildcards. This CVE claims CAS has a vulnerability that "allows remote attackers to bypass LDAP authentication via crafted wildcards". My understanding of an "authentication bypass" vulnerability is one that actually bypasses authentication, accessing a resource without having to authenticate, as enumerated at http://cwe.mitre.org/data/definitions/592.html The actual vulnerability here is that if you are using the LDAP authenticator that does a search for the supplied username and then authenticates against the DN returned (as opposed to the LDAP authenticator that directly constructs a bind DN from the username), it does not properly escape wildcards in the supplied username when it does the search, allowing you to authenticate with a username consisting of a wildcard that matches the username *AND* the valid password for that username. In addition, the supplied wildcard must match one and only one entry in the ldap directory, as authentication will fail otherwise. I don't think this is in any way an authentication bypass. Authentication is being performed with an (almost valid) username and a valid password, and while the issue does allow you to use a username that's not an exact match, it still requires you to know the correct password for that username and for the "not exact" match to be so specific as to only match one user. On Wed, Jan 21, 2015 at 12:49:38PM -0200, J. Tozo wrote: > =====[Alligator Security Team - Security Advisory]======== > > CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP > authentication via crafted wildcards. > > Reporter: José Tozo < juniorbsd () gmail com > > > =====[Table of Contents]================================== > > 1. Background > 2. Detailed description > 3. Other contexts & solutions > 4. Timeline > 5. References > > =====[1. Background]====================================== > > CAS is an authentication system originally created by Yale University to > provide a trusted way for an application to authenticate a user. > > =====[2. Detailed description]============================ > > A valid username and password required. > > Given a username johndoe and a password superpass, you can sucessfully > achieve login using wildcards: > > username: jo* > password: superpass > > The login will be sucessfully only if the ldap bind search return one > unique member. > > The vulnerability described in this document can be validated using the > following example: > > Client Request: > root@...hine:/# curl -k -L -d "username=jo%2A&password=superpass" > https://login.cas-server.com/v1/tickets > > (note that * was url encoded to %2A) > > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> > <html> > <head> > <title>201 The request has been fulfilled and resulted in a new > resource being created</title> > </head> > <body> > <h1>TGT Created</h1> > <form action=" > https://xxx.xxx.xxx.xxx/v1/tickets/TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz" > method="POST">Service:<input type="text" name="service" value=""><br><input > type="submit" value="Submit"></form> > </body> > </html> > > Server log: > ============================================================= > WHO: [username: jo*] > WHAT: TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz > ACTION: TICKET_GRANTING_TICKET_CREATED > APPLICATION: CAS > WHEN: Tue Jan 20 18:38:17 BRST 2015 > CLIENT IP ADDRESS: xxx.xxx.xxx.xxx > SERVER IP ADDRESS: xxx.xxx.xxx.xxx > ============================================================= > > =====[3. Other contexts & solutions]====================== > > In order to apply the patch, you have to update at least to version 3.5.3. > Newer versions, such as CAS 4.0.0 and above, are not vulnerable. > > =====[4. Timeline]======================================== > > 29/12/14 Vendor notification. > 14/01/15 Vendor rolled out new version 3.5.3 > 17/01/15 Mitre assigned CVE-2015-1169. > 21/01/15 Disclosure date. > > =====[5. References]======================================= > > 1 - https://github.com/Jasig/cas/pull/411 > 2 - > https://github.com/Jasig/cas/commit/7de61b4c6244af9ff8e75a2c92a570f3b075309c > > -- > Grato, > > Tozo _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists