From 316aeae09468d6fd3b35422b236751eb1b5c309e Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Tue, 9 Feb 2021 14:02:59 -0500 Subject: [PATCH 1/2] Issue 4609 - CVE - info disclosure when authenticating Description: If you bind as a user that does not exist. Error 49 is returned instead of error 32. As error 32 discloses that the entry does not exist. When you bind as an entry that does not have userpassword set then error 48 (inappropriate auth) is returned, but this discloses that the entry does indeed exist. Instead we should always return error 49, even if the password is not set in the entry. This way we do not disclose to an attacker if the Bind DN exists or not. Relates: https://github.com/389ds/389-ds-base/issues/4609 Reviewed by: tbordaz(Thanks!) --- dirsrvtests/tests/suites/basic/basic_test.py | 39 +++++++++++++++++++- ldap/servers/slapd/back-ldbm/ldbm_bind.c | 4 +- ldap/servers/slapd/dse.c | 7 +++- 3 files changed, 45 insertions(+), 5 deletions(-) diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py index fc9af46e4..e35f34721 100644 --- a/dirsrvtests/tests/suites/basic/basic_test.py +++ b/dirsrvtests/tests/suites/basic/basic_test.py @@ -9,7 +9,7 @@ from subprocess import check_output, PIPE, run from lib389 import DirSrv -from lib389.idm.user import UserAccounts +from lib389.idm.user import UserAccount, UserAccounts import pytest from lib389.tasks import * from lib389.utils import * @@ -1094,6 +1094,43 @@ def test_bind_invalid_entry(topology_st): topology_st.standalone.simple_bind_s(DN_DM, PW_DM) +def test_bind_entry_missing_passwd(topology_st): + """ + :id: af209149-8fb8-48cb-93ea-3e82dd7119d2 + :setup: Standalone Instance + :steps: + 1. Bind as database entry that does not have userpassword set + 2. Bind as database entry that does not exist + 1. Bind as cn=config entry that does not have userpassword set + 2. Bind as cn=config entry that does not exist + :expectedresults: + 1. Fails with error 49 + 2. Fails with error 49 + 3. Fails with error 49 + 4. Fails with error 49 + """ + user = UserAccount(topology_st.standalone, DEFAULT_SUFFIX) + with pytest.raises(ldap.INVALID_CREDENTIALS): + # Bind as the suffix root entry which does not have a userpassword + user.bind("some_password") + + user = UserAccount(topology_st.standalone, "cn=not here," + DEFAULT_SUFFIX) + with pytest.raises(ldap.INVALID_CREDENTIALS): + # Bind as the entry which does not exist + user.bind("some_password") + + # Test cn=config since it has its own code path + user = UserAccount(topology_st.standalone, "cn=config") + with pytest.raises(ldap.INVALID_CREDENTIALS): + # Bind as the config entry which does not have a userpassword + user.bind("some_password") + + user = UserAccount(topology_st.standalone, "cn=does not exist,cn=config") + with pytest.raises(ldap.INVALID_CREDENTIALS): + # Bind as an entry under cn=config that does not exist + user.bind("some_password") + + @pytest.mark.bz1044135 @pytest.mark.ds47319 def test_connection_buffer_size(topology_st): diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c b/ldap/servers/slapd/back-ldbm/ldbm_bind.c index fa450ecd5..38d115a32 100644 --- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c +++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c @@ -76,8 +76,8 @@ ldbm_back_bind(Slapi_PBlock *pb) case LDAP_AUTH_SIMPLE: { Slapi_Value cv; if (slapi_entry_attr_find(e->ep_entry, "userpassword", &attr) != 0) { - slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, - NULL, 0, NULL); + slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set"); + slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL); CACHE_RETURN(&inst->inst_cache, &e); rc = SLAPI_BIND_FAIL; goto bail; diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c index 3c2de75fc..b04fafde6 100644 --- a/ldap/servers/slapd/dse.c +++ b/ldap/servers/slapd/dse.c @@ -1446,7 +1446,8 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK); if (ec == NULL) { - slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, NULL, 0, NULL); + slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not exist"); + slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL); return (SLAPI_BIND_FAIL); } @@ -1454,7 +1455,8 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this case LDAP_AUTH_SIMPLE: { Slapi_Value cv; if (slapi_entry_attr_find(ec, "userpassword", &attr) != 0) { - slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL); + slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Entry does not have userpassword set"); + slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL); slapi_entry_free(ec); return SLAPI_BIND_FAIL; } @@ -1462,6 +1464,7 @@ dse_bind(Slapi_PBlock *pb) /* JCM There should only be one exit point from this slapi_value_init_berval(&cv, cred); if (slapi_pw_find_sv(bvals, &cv) != 0) { + slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials"); slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL); slapi_entry_free(ec); value_done(&cv); -- 2.26.2