OpenLDAP Issue Tracking System
Viewing Incoming/7419
Date: Fri, 19 Oct 2012 12:43:40 +0000
From: ptomulik@meil.pw.edu.pl
To: openldap-its@OpenLDAP.org
Subject: SECURITY: sasl with auxprop-hashed always authenticated no matter what the username and password is provided
Full_Name: Pawel Tomulik
Version: 2.4.33
OS: debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (46.227.109.205)


Hi, 

this bug was also reported to cyrus-sasl bugzilla, see

https://bugzilla.cyrusimap.org/show_bug.cgi?id=3743

where configs, ldif files and some logs are provided.

If I set:

auxprop_plugin: slapd
pwcheck_method: auxprop-hashed

in my /usr/lib/sasl2/slapd.conf, then ldapwhoami always gives a positive
response, no matter what username (-U) and password (-w) are provided. The bug
may be reproduced easily on debian wheezy/sid by following the instructions
provided in

https://bugzilla.cyrusimap.org/attachment.cgi?id=1503

These instructions reproduce the bug on slapd 2.4.31 from the debian package;
however, I reproduced it also on slapd from openldap 2.4.33 compiled from sources.


It was said by Alexey Melnikov (Cyrus) that the bug may be in libsasl code (part
of Cyrus SASL), slapd (OpenLDAP) or both, so I report it also here.
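A fail-open check for a slapd SASL setup, added here as an example; it is not part of the report, of OpenLDAP or of Cyrus SASL. It assumes the OpenLDAP client tool `ldapwhoami` is installed and that the server URI and SASL mechanism are already configured in the environment or ldap.conf; the `LDAPWHOAMI` override variable, the `sasl_pwcheck_method` helper and the function names are assumptions made for this example. The script binds once with known-good credentials, then with a wrong password and with an unknown user, and reports FAIL-OPEN if either bad bind is accepted, which is exactly the symptom described above; it also prints the `pwcheck_method` in effect from the SASL config file.

```shell
#!/bin/sh
# Added example (not from the ITS report, OpenLDAP or Cyrus SASL): detect
# fail-open SASL authentication on slapd by checking that bad credentials
# are actually rejected.
# Assumptions: ldapwhoami from the OpenLDAP client tools is on PATH, and the
# server URI / SASL mechanism are configured via the environment or ldap.conf.

# Command used for the bind test; overridable so the logic can be exercised
# against a stub (assumed override for this example, not an OpenLDAP option).
LDAPWHOAMI="${LDAPWHOAMI:-ldapwhoami}"

# Print the last effective pwcheck_method from a Cyrus SASL config file
# (default path is the one from the report). Comments are stripped first.
sasl_pwcheck_method() {
    conf="${1:-/usr/lib/sasl2/slapd.conf}"
    [ -r "$conf" ] || return 1
    sed -n 's/#.*//; s/^[[:space:]]*pwcheck_method[[:space:]]*:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1
}

# Return 0 if a SASL bind as authcid $1 with password $2 succeeds, non-zero otherwise.
# -Q: quiet SASL mode, never prompt. Output is discarded; only the exit status matters.
sasl_bind_ok() {
    "$LDAPWHOAMI" -Q -U "$1" -w "$2" >/dev/null 2>&1
}

# Bind with good credentials, with a wrong password and as an unknown user.
# Returns 0 only when the good bind succeeds and both bad binds are rejected;
# 1 on fail-open (a bad bind was accepted), 2 if the good bind itself was rejected.
check_no_fail_open() {
    user="$1"; good_pw="$2"
    wrong_pw="wrong-${good_pw}-$$"
    bogus_user="no-such-user-$$"
    status=0
    if sasl_bind_ok "$user" "$good_pw"; then
        echo "ok: '$user' accepted with the correct password"
    else
        echo "warn: '$user' rejected with the correct password (check mechanism/config)"
        status=2
    fi
    if sasl_bind_ok "$user" "$wrong_pw"; then
        echo "FAIL-OPEN: '$user' accepted with a wrong password"
        status=1
    else
        echo "ok: wrong password rejected"
    fi
    if sasl_bind_ok "$bogus_user" "$wrong_pw"; then
        echo "FAIL-OPEN: unknown user '$bogus_user' accepted"
        status=1
    else
        echo "ok: unknown user rejected"
    fi
    return "$status"
}

# Usage: sh sasl-failopen-check.sh <user> <password> [sasl2 conf path]
if [ $# -ge 2 ]; then
    method=$(sasl_pwcheck_method "${3:-}") || method="(config not readable)"
    echo "pwcheck_method in effect: ${method:-(not set)}"
    check_no_fail_open "$1" "$2"
fi
```

Run it against a test account after any change to the sasl2 config or to the slapd/libsasl packages; a non-zero exit from `check_no_fail_open` is the signal to act on, and the printed `pwcheck_method` tells you whether an undocumented value such as `auxprop-hashed` is the one actually in effect.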

Followup 1

Download message
Date: Fri, 19 Oct 2012 07:50:58 -0700
From: Howard Chu <hyc@highlandsun.com>
To: ptomulik@meil.pw.edu.pl
CC: openldap-its@openldap.org
Subject: Re: (ITS#7419) SECURITY: sasl with auxprop-hashed always authenticated no matter what the username and password is provided
As discussed in private email with Pawel and Alexey, this is no bug. 
"auxprop-hashed" is an undocumented feature first added in Cyrus SASL 2.1.24 
and not yet completely implemented in any published code. It appears to only 
be supported internally by ISODE at this point. There is no action for us to 
take until Cyrus completes the public implementation and documentation.

ptomulik@meil.pw.edu.pl wrote:
> Full_Name: Pawel Tomulik
> Version: 2.4.33
> OS: debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (46.227.109.205)
>
>
> Hi,
>
> this bug was also reported to cyrus-sasl bugzilla, see
>
> https://bugzilla.cyrusimap.org/show_bug.cgi?id=3743
>
> where configs, ldif files and some logs are provided.
>
> If I set:
>
> auxprop_plugin: slapd
> pwcheck_method: auxprop-hashed
>
> in my /usr/lib/sasl2/slapd.conf, then ldapwhoami always gives a positive
> response, no matter what username (-U) and password (-w) are provided. The bug
> may be reproduced easily on debian wheezy/sid by following the instructions
> provided in
>
> https://bugzilla.cyrusimap.org/attachment.cgi?id=1503
>
> These instructions reproduce the bug on slapd 2.4.31 from the debian package;
> however, I reproduced it also on slapd from openldap 2.4.33 compiled from
> sources.
>
>
> It was said by Alexey Melnikov (Cyrus) that the bug may be in libsasl code
> (part of Cyrus SASL), slapd (OpenLDAP) or both, so I report it also here.
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org