View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017640 | mantisbt | security | public | 2014-09-09 05:03 | 2014-12-21 13:31 |
Reporter | mattd | Assigned To | dregad | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.17 | ||||
Target Version | 1.2.18 | Fixed in Version | 1.2.18 | ||
Summary | 0017640: CVE-2014-6387: Null byte poisoning in LDAP authentication | ||||
Description | Hi, I've been doing some research on a security issue that has already been Please excuse the length and form-letter style of this message; it is being The issue is in how some software performs user authentication using LDAP My personal opinion is that PHP itself is the component at fault, and not your Hence, I am writing this message to your project for two reasons: 1) You may indeed wish to treat the issue as a security vulnerability in your 2) I intend to publically disclose all of my findings in the near future (see Alternatively, your project might agree with my interpretation of where the A description of the issue itself follows. If you are familiar with LDAP and Users can authenticate to an LDAP directory server by performing a "bind" Other applications can use this bind operation as a way of allowing users to There are two main methods of bind; simple and SASL. Within the simple method,
Applications that are using LDAP for user authentication must ensure that only Most applications correctly check for non-empty passwords as part of handling However, there is another related, subtle issue: PHP's LDAP extension provides bindings to the C-based OpenLDAP library, PHP passes the PHP string arguments to the OpenLDAP C function - which expects Hence, an attacker can pass a string starting with a null byte as a password I have been testing the susceptibility of many applications, both PHP- and First, one needs an LDAP server that allows unauthenticated binds to be However, there is at least one other popular LDAP server that does not deny As mentioned earlier, this has already been discovered and elaborated on I recently submitted a patch to PHP that causes ldap_bind to raise an error if Affected PHP versions: <= 5.5.11, <= 5.4.27 As mentioned earlier, I have tested your application and have found that it is 1.2.17 In order to help demonstrate this issue to your project, I have set up a IP: 54.68.122.145 (All the usual Active Directory LDAP settings apply, such as the user login In order to login with null bytes present in user passwords, I suggest the use -- 8< --
-- 8< -- However, for easy testing, it may just be easier to hack your application's Observe that you are able to login to your application as the "testuser" As mentioned at the start of this message, I intend to post a wrap-up of my Thank you for reading through this huge message! (Also, I hate to say it, but just in case: I am happy to be credited on any
EDIT(dregad): removed <> around links and added missing information as per 0017640:0041193 | ||||
Steps To Reproduce | With an instance of Mantis set up to use an Active Directory server for LDAP authentication, login as any valid user with a null byte as the password. The login attempt will succeed, even though the user's valid password was not given. | ||||
Tags | No tags attached. | ||||
Apologies, I forgot to fill in some information in the description! Embarassing... The version of Mantis I tested was 1.2.17, and the missing test LDAP server information is as follows: Bind user DN (to bind with before performing a user search): |
|
Hi Matt, thanks for the report. I (we) will look at it as time allows. Has a CVE been assigned for this yet ? I would guess not since you said MITRE stated it was individual applications that needed to be fixed, but anyway if there is please let us know the number if (or when) you have it. If not, a reference to any public discussion on this topic (e.g. oss-security mailing list) would be nice to have. |
|
... and here lies one of the reasons for https://github.com/mantisbt/mantisbt/commit/fc02c46eea9d9e7cc472a7fc1801ea65d467db76 which was originally coded before we decided on our next branch debate in October 2011. Pretty sure once you've added those commits to 1.2.17 this issue goes. It's long been an issue in php (and other languages/frameworks) that you can use null bytes to inject in some cases. Our approach for this as everything goes through gpc_string/gpc_int etc was to strip out null bytes in gpc_string with str_replace( "\0","",$t_result ); Matt: if you get a few moments (as you've obviously got a readily available framework setup), can you see if this old patch fixes the vulnerability area you are planning on reporting on? Pretty sure it does as IBM's appscan I believe would try adding null bytes to parameters back in 2011 - however nice approach taking it a step further with the authentication bypass from the anonymous binds. |
|
I can confirm the ability to login as the test LDAP user with an arbitrary password by prefixing it with \0 (I used Firefox 'Tamper Data' plugin). As suggested by @grangeway, backporting fc02c46e fixes the issue. |
|
dregad: No, there is no CVE assigned for the issue when it comes to PHP. As I understand it, MITRE considers that applications should keep in mind null byte poisoning attacks when performing LDAP binds, even though it's the PHP -> C boundary which is causing the issue in the first place. There's been no recent public discussion about the issue that I'm aware of. FWIW, I've tested the backported patch (215968fa) and found it fixes the issue. Thank you both for your prompt response! |
|
CVE request: http://thread.gmane.org/gmane.comp.security.oss.general/13792 |
|
Hi Damien, Could you explain why: a) It wasn't mentioned that I'd already identified there was issues with null bytes in mantis, back in 2011 ( https://github.com/mantisbt/mantisbt/commit/f3c032f8e46abce74dd3ebf0a50e0cbbd677653b ), and done a 'catch all' fix b) why you didn't cover the fact the original fix was to cover issues with null byte injection across the code base i.e. the CVE should be for avoiding null byte injection and not just LDAP. Back when it was coded, it stopped possible issues in the LDAP, DB layer and file system. In the case of the file system issues, I believe these are no longer an issue without the patch as we've added additional validation around include/require calls. Whilst as I say, Mattd's taken the root cause a step further by identifying a specific flaw, the fact we've already done work to avoid this and other vulnerabilities as a catch-all within the code, it would be nice to receive some acknowledgement for that... Equally, why haven't we followed our normal policy on this (with regards to CVE's)? |
|
MantisBT: master fc02c46e 2013-10-12 13:58 Paul Richards Details Diff |
Strip null bytes out of GPC input strings |
Affected Issues 0017640, 0017977 |
|
mod - core/gpc_api.php | Diff File | ||
MantisBT: master-1.2.x 215968fa 2013-10-12 13:58 Paul Richards Committer: dregad Details Diff |
Strip null bytes out of GPC input strings Backporting commit fc02c46eea9d9e7cc472a7fc1801ea65d467db76 from master branch to fix issue 0017640 Signed-off-by: Damien Regad <dregad@mantisbt.org> |
Affected Issues 0017640, 0017967, 0017977 |
|
mod - core/gpc_api.php | Diff File | ||
MantisBT: master f725b469 2014-05-31 04:40 Paul Richards Details Diff |
Fix handling of due dates This was broken due to commit fc02c46eea9d9e7cc472a7fc1801ea65d467db76. This commit added stripping of null bytes, but did not correctly handle null values |
Affected Issues 0017640, 0017977 |
|
mod - core/gpc_api.php | Diff File | ||
MantisBT: master-1.2.x 580d45e9 2014-05-31 04:40 Paul Richards Committer: dregad Details Diff |
Fix 0017977: handling of due dates Commit 215968fa8ff33e327f0600765a5caa24de392cbc (backported from master fc02c46eea9d9e7cc472a7fc1801ea65d467db76 to fix issue 0017640) added stripping of null bytes in GPC API, but did not correctly handle null values. This is a backport of commit f725b46954a514880792dd4be8228287756fac3d from master branch, to address this issue. Signed-off-by: Damien Regad <dregad@mantisbt.org> |
Affected Issues 0017640, 0017977 |
|
mod - core/gpc_api.php | Diff File | ||
MantisBT: master-1.2.x 99ada4de 2014-12-21 06:46 Details Diff |
Fix system warning in gpc_get_string_array() The fix for issue 0017640 did not consider that the value returned by gpc_get() is not necessarily an array - it can be the default value (e.g. null) causing PHP to throw an 'Invalid argument supplied for foreach()' warning. Fixes 0017967, regression from 215968fa8ff33e327f0600765a5caa24de392cbc |
Affected Issues 0017640, 0017967 |
|
mod - core/gpc_api.php | Diff File | ||
MantisBT: master 61c8548c 2014-12-21 06:46 Details Diff |
Fix system warning in gpc_get_string_array() The fix for issue 0017640 did not consider that the value returned by gpc_get() is not necessarily an array - it can be the default value (e.g. null) causing PHP to throw an 'Invalid argument supplied for foreach()' warning. Fixes 0017967 (ported from 1.2.x) |
Affected Issues 0017640, 0017967 |
|
mod - core/gpc_api.php | Diff File |