8

Just read a Slashdot thread on LDAP brokenness on OSX. Can anyone explain exactly what is being secured by OpenLDAP and why anything other than data stored on a Lion machine might be at risk?

A quote from the article:

“As pen testers, one of the first things we do is attack the LDAP server,” Rob Graham, CEO of auditing firm Errata Security, said. “Once we own an LDAP server we own everything. I can walk up to any laptop (in an organization) and log into it.”

How does one go from hacking a random mac LDAP server to owning the entire enterprise?

jldugger
  • Slashdot, The Register and MacRumors are full of misinformation and hype. Take their statements with a grain of salt until you read about it on a reputable source. Those articles are very light on details, and there is a fair amount of confusion on whether this affects anything beyond accounts on the *local machine*. There are rumors circulating that this problem is an "enterprise security nightmare" or could allow users to own the LDAP server, but that seems unlikely. Broken and custom LDAP clients are nothing new. – Stefan Lasiewski Aug 29 '11 at 22:21
  • This is a good question. Almost every article I have read is extremely lacking in detail. – Zoredache Aug 29 '11 at 23:27

2 Answers

8

Don't be alarmed. This is not the huge threat to enterprise networks that this article in The Register suggests.

Apple Lion is new, and thus this bug is getting a disproportionate amount of attention when compared to similar flaws on other operating systems. Here are some calmer descriptions of this same problem:

This is a local exploit on an Apple Lion system which affects that system only. Apple has yet to provide any details. Here's how I understand the problem: if someone logs into an Apple Lion system once successfully, then anyone else can log into the same system with any password. This is a serious problem for that system, but the damage is mostly limited to that particular system. Unfortunately that system is now less trusted and may be on your network.

This problem does NOT allow a hacker to own your AD/LDAP servers by and of itself. Your AD/LDAP servers will still reject any incorrect LDAP authorization request from any LDAP client. To bypass this would require a major flaw in the LDAP server or the LDAP protocol, or a misconfigured server, which is a completely different issue than the problem described above.

Keep in mind that this problem only affects Apple Lion systems which use LDAP for authentication. In most organizations, this will be a very small number of clients. An Apple Lion server might be more vulnerable, but Apple needs to elaborate on the problem and they have not been very forthcoming about this issue, yet. Can you imagine RedHat holding back information on a publicly known vulnerability for such a long time?

Stefan Lasiewski
3

The problem with the vulnerability is pretty well explained in the article linked by Slashdot.

The true problem is that once someone gets onto any Lion machine on the network that is using LDAP as its authorization method, you can read the contents of the LDAP directory, which would give you access to all accounts on the network that use central authentication. Additionally it gives you access to anything secured by the LDAP authorization system. Basically, you now own everything on that network.

As a side note, I'm curious if it is a bug in the LDAP authorization or the underlying (probably Kerberos) authentication system.

Also, if you are not using LDAP as your authorization source (OpenLDAP, Active Directory, NDS, etc.) then you are not affected by this.

To answer your specific question:

Can anyone explain exactly what is being secured by OpenLDAP

The answer is "It depends ..." on what your IT infrastructure has set up to use LDAP for authorization.

Zypher
  • _Additionally it gives you access to anything secured by the LDAP Authorization system._ -- How is it possible to take a broken LDAP client (or a maliciously customized LDAP client) and use it to gain access to resources which are secured by LDAP? Wouldn't this require a flaw in the LDAP protocol or on the LDAP server itself? – Stefan Lasiewski Aug 29 '11 at 21:53
  • To be clear, my questions are in regard to other resources on the network ("Basically, you now own everything on that network."). – Stefan Lasiewski Aug 29 '11 at 22:25
  • Are you sure that you can actually read/dump the contents of the directory? How would this be accomplished? Kerberos isn't required in an OSX setup. A client accepting an invalid user as authentic doesn't mean that the server will accept it as authenticated. If the LDAP server doesn't allow anonymous reads, and the user hasn't provided a valid password, then how would they be able to read anything? – Zoredache Aug 29 '11 at 23:08
  • It's a directory. Of course users can read things in directories. Are you able to read the userPassword attribute without bind? – jldugger Aug 29 '11 at 23:18
  • @jldugger, On my directory (not OD) you cannot even get a list of users without a successful bind. I don't know OSX really well though, does it build a per-machine set of credentials (like AD), I didn't think it did, but I could be wrong. If there are no credentials for the machine, and Apple isn't doing something stupid like storing a reversible copy of the password then I do not know how a client caching bug means that you get free access to the directory. – Zoredache Aug 29 '11 at 23:26
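To make the server-side point from Stefan's answer and Zoredache's comments concrete: in LDAP the server's verdict on a bind is the resultCode in its BindResponse, so a client that grants a local login regardless of that verdict is broken on its own machine but has not changed what the server accepts or what an unauthenticated (anonymous) bind may read. The following is an added Python example, not code from this thread, from Apple or from OpenLDAP; it encodes an RFC 4511 simple BindRequest and parses a BindResponse, using a constructed server reply rather than contacting a server.

```python
# Added example: minimal RFC 4511 simple-bind encoder/decoder (BER), offline.
# The DN, password and server reply used below are constructed for illustration.

def _tlv(tag: int, content: bytes) -> bytes:
    """BER tag-length-value with short or long definite-length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content

def _int(v: int) -> bytes:
    """BER INTEGER: minimal two's-complement octets."""
    nb = max(1, (v.bit_length() + 8) // 8)
    return _tlv(0x02, v.to_bytes(nb, "big", signed=True))

def encode_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name,
    simple [0] password } }.  Empty dn and password make an anonymous bind."""
    bind = _int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(message_id) + _tlv(0x60, bind))

def _parse_tlv(buf: bytes, pos: int = 0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long-form length
        nb = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + n], pos + n

def parse_bind_response(msg: bytes) -> dict:
    """Extract messageID, resultCode and diagnosticMessage from a BindResponse
    [APPLICATION 1]; the server's resultCode is the only verdict that counts."""
    tag, body, _ = _parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _parse_tlv(body)
    tag2, op, _ = _parse_tlv(body, pos)
    if tag != 0x02 or tag2 != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _parse_tlv(op)                 # resultCode ENUMERATED (0x0A)
    _, _matched, pos = _parse_tlv(op, pos)        # matchedDN
    _, diag, _ = _parse_tlv(op, pos)              # diagnosticMessage
    return {"messageID": int.from_bytes(mid, "big", signed=True),
            "resultCode": int.from_bytes(code, "big"),
            "diagnosticMessage": diag.decode("utf-8", "replace")}

def client_authenticated(response: bytes) -> bool:
    """Correct client behaviour: grant access only on resultCode 0 (success);
    49 is invalidCredentials.  Ignoring this verdict breaks only the client."""
    return parse_bind_response(response)["resultCode"] == 0

# Constructed server reply: messageID 1, resultCode 49, empty matchedDN/diagnostic.
INVALID_CREDENTIALS_REPLY = bytes.fromhex("300c02010161070a013104000400")
```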