Bug 1931885 - LDAP unprotected search query during certificate based authentication
Summary: LDAP unprotected search query during certificate based authentication
Keywords:
Status: NEW
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: 389-ds-base
Version: 12.1
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: ---
Target Release: dirsrv-12.3
Assignee: LDAP Maintainers
QA Contact: LDAP QA Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-23 13:47 UTC by Cedric Buissart
Modified: 2023-07-31 22:37 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:



Description Cedric Buissart 2021-02-23 13:47:20 UTC
Description of problem:

During certificate-based client authentication, certmap may be configured to use the user cert's subjectDN to look for a match. The subjectDN is, however, not protected and may be used to sabotage the search.

In certain circumstances, it may prevent the certificate from authenticating properly (e.g., if the subjectDN contains a legitimate `*`, it might match several users and not authenticate at all).

This is not considered a security flaw, since it still requires a trusted CA to have signed the certificate.



Version-Release number of selected component (if applicable): all


How reproducible: 100%


Steps to Reproduce:
1. Enable cert-based auth, and configure certmap so that it uses the subject to match.
e.g.:

```
default:CmapLdapAttr nsCertSubjectDN 
```
2. Create a user with an `nsCertSubjectDN`
3. Create a certificate with a subject containing a `*`

Actual results:

The certificate will match against the user


Expected results:

No match, since the subject is actually different.


Additional info:

Lines 775 & 778

```c
 748 static int
 749 ldapu_cert_searchfn_default(void *cert, LDAP *ld, void *certmap_info_in, const char *basedn, const char *dn, const char *filter, const char **attrs, LDAPMessage ***res)
 750 {
 751     int rv = LDAPU_FAILED;
 752     const char *ldapdn;
 753     LDAPUCertMapInfo_t *certmap_info = (LDAPUCertMapInfo_t *)certmap_info_in;
 754     LDAPMessage *single_res = NULL;
 755     LDAPMessage **multiple_res = NULL;
 756 
 757 
 758     if (certmap_info && certmap_info->searchAttr) {
 759         char *subjectDN = 0;
 760         char *certFilter = 0;
 761         int len;
 762 
 763         rv = ldapu_get_cert_subject_dn(cert, &subjectDN);
 764 
 765         if (rv != LDAPU_SUCCESS || !subjectDN) {
 766             return rv;
 767         }
 768         len = strlen(certmap_info->searchAttr) + strlen(subjectDN) +
 769               strlen("=") + 1;
 770         certFilter = (char *)ldapu_malloc(len * sizeof(char));
 771         if (!certFilter) {
 772             free(subjectDN);
 773             return LDAPU_ERR_OUT_OF_MEMORY;
 774         }
 775         sprintf(certFilter, "%s=%s", certmap_info->searchAttr, subjectDN);        // <= The Filter doesn't protect subjectDN
 776         free(subjectDN);
 777         if (ldapu_strcasecmp(basedn, "")) {
 778             rv = ldapu_find(ld, basedn, LDAP_SCOPE_SUBTREE, certFilter, attrs, 0, &single_res);
 779             ldapu_free((void *)certFilter);
 780             if (rv == LDAPU_SUCCESS || rv == LDAPU_ERR_MULTIPLE_MATCHES) {
```
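For contrast with line 775 above, the following is an added example (not 389-ds-base code, and not part of the original report) showing how the subject DN can be escaped per RFC 4515 section 3 before it is spliced into the filter, so that a `*`, `(`, `)` or `\` in the subject is matched literally instead of being interpreted as filter syntax. The function names `ldap_filter_escape_value`, `build_cert_filter` and `filter_has_unescaped_wildcard` and the sample subject are hypothetical.

```c
/* Added example, not 389-ds-base code. Escapes a certificate subject DN
 * before building "<attr>=<subject>" as an LDAP search filter (RFC 4515). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of `value` in which the characters that are
 * special inside an LDAP filter assertion value ('*', '(', ')', '\') are
 * replaced by their RFC 4515 "\XX" hex escapes. A NUL byte would also need
 * escaping, but cannot occur in a C string. Caller frees the result.
 * Returns NULL on allocation failure. */
char *ldap_filter_escape_value(const char *value)
{
    size_t in_len = strlen(value);
    char *out = malloc(in_len * 3 + 1);   /* worst case: every byte -> "\XX" */
    if (!out) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)value[i];
        switch (c) {
        case '*': case '(': case ')': case '\\':
            p += sprintf(p, "\\%02x", (unsigned)c);
            break;
        default:
            *p++ = (char)c;
            break;
        }
    }
    *p = '\0';
    return out;
}

/* Build "<search_attr>=<escaped subject_dn>" (hypothetical helper).
 * Returns a newly allocated string, or NULL on allocation failure. */
char *build_cert_filter(const char *search_attr, const char *subject_dn)
{
    char *escaped = ldap_filter_escape_value(subject_dn);
    if (!escaped) {
        return NULL;
    }
    size_t len = strlen(search_attr) + strlen("=") + strlen(escaped) + 1;
    char *filter = malloc(len);
    if (filter) {
        snprintf(filter, len, "%s=%s", search_attr, escaped);
    }
    free(escaped);
    return filter;
}

/* Returns 1 if the filter still contains a '*' that is not part of a "\XX"
 * escape, i.e. one that the server would treat as a substring wildcard. */
int filter_has_unescaped_wildcard(const char *filter)
{
    for (const char *p = filter; *p; p++) {
        if (*p == '\\' && p[1] && p[2]) {
            p += 2;               /* skip the two hex digits of an escape */
            continue;
        }
        if (*p == '*') {
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed subject DN; a trusted CA could legitimately sign it. */
    const char *subject = "CN=*,O=Example Corp";

    /* Unescaped, as in the reported sprintf() at line 775. */
    char *unsafe = malloc(strlen("nsCertSubjectDN=") + strlen(subject) + 1);
    sprintf(unsafe, "nsCertSubjectDN=%s", subject);
    char *safe = build_cert_filter("nsCertSubjectDN", subject);

    printf("unescaped: %s (wildcard: %d)\n", unsafe, filter_has_unescaped_wildcard(unsafe));
    printf("escaped:   %s (wildcard: %d)\n", safe, filter_has_unescaped_wildcard(safe));
    free(unsafe);
    free(safe);
    return 0;
}
```

With the escaped form, `CN=*,O=Example Corp` becomes the assertion value `CN=\2a,O=Example Corp`, which the server compares as a literal string, so the certificate only matches an entry whose `nsCertSubjectDN` is exactly that subject.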

