Login bypass when using user_ldap due to unauthenticated binds
Platform: ownCloud Server
Versions: 5.0.18, 6.0.6, 7.0.3
Risk level: High
“user_ldap” (in the web-interface called “LDAP user and group backend”) is an optional authentication backend for ownCloud for using LDAP users and groups within the ownCloud web application.
The ownCloud team has discovered a vulnerability within the “user_ldap” application which, depending on the setup, might allow an attacker to effectively login without providing valid credentials. This security advisory should help you to understand whether this security bug affects you.
The LDAP RFC 4153 specifies multiple simple authentication methods such as the “Unauthenticated Authentication Mechanism of Simple Bind”:
An LDAP client may use the unauthenticated authentication of the simple Bind method to establish an anonymous authorization state by sending a Bind request with a name value (a distinguished name in LDAP string form [RFC4514] of non-zero length) and specifying the simple authentication choice containing a password value of zero length.
Simplified, this means that LDAP servers are allowed to return successful binds when a valid username together with an empty password is provided to the LDAP server.
While the ownCloud login routine checks for a non-empty password, there is no check for the so-called NULL byte. Because PHP's ldap_bind function calls into the C library libldap, a string such as %00 is considered non-empty by PHP but empty as a C string. If an attacker therefore provides %00 as the user password, the LDAP server effectively receives an “empty” password, which might result in a successful bind. The ownCloud instance will then log the adversary in as the specified user.
To be vulnerable, the “Unauthenticated Authentication Mechanism of Simple Bind” of LDAP has to be enabled. Our research showed that this is the default on Microsoft Active Directory, while other implementations such as OpenLDAP have it disabled by default. Please note that this information is provided without any warranty or guarantee of correctness. You are encouraged to verify on your own whether your LDAP server accepts unauthenticated binds.
Furthermore, this specific attack vector has been patched in PHP 5.5.12 and PHP 5.4.28. However, as PHP did not acknowledge this issue as a security issue, it is very unlikely that the patch has been backported.
The ownCloud team wants to use this opportunity to note that we believe that this is mainly an issue with the specific PHP implementation.
If you’re using the user_ldap backend in combination with a vulnerable PHP version we highly recommend upgrading immediately.
- ownCloud Server < 7.0.3 (CVE-2014-9043)
- ownCloud Server < 6.0.6 (CVE-2014-9043)
- ownCloud Server < 5.0.18 (CVE-2014-9043)
The ownCloud login class has been modified to prevent a NULL byte from being passed as password or username to authentication providers such as user_ldap.
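The following is an added example, not ownCloud's own login code: it contrasts the pre-fix style check (zero-length test only) with a hardened check that also rejects NUL bytes in username and password, and shows what a C library such as libldap would see for the same input. The function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not ownCloud's own code. Contrasts the pre-fix password check
// (zero-length test only) with a hardened check that also rejects NUL bytes,
// and shows what libldap would see for the same PHP string.

declare(strict_types=1);

// Pre-fix style check: a PHP string is "non-empty" if its byte length is > 0.
function passesOldCheck(string $password): bool
{
    return $password !== '';
}

// What a C library such as libldap sees: the buffer ends at the first NUL byte.
function asCString(string $s): string
{
    $nul = strpos($s, "\0");
    return $nul === false ? $s : substr($s, 0, $nul);
}

// Hardened check: reject empty credentials and any embedded NUL byte, for the
// username as well as the password, before handing them to a backend.
function passesHardenedCheck(string $user, string $password): bool
{
    foreach ([$user, $password] as $value) {
        if ($value === '' || strpos($value, "\0") !== false) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: a lone NUL byte (what "%00" decodes to), a NUL byte
// after text, and an ordinary password.
$cases = [
    'lone NUL byte'  => urldecode('%00'),
    'NUL after text' => "secret\0",
    'normal'         => 'correct horse battery staple',
];

foreach ($cases as $label => $password) {
    printf(
        "%-15s old check: %-5s libldap sees %2d byte(s)  hardened check: %s\n",
        $label,
        passesOldCheck($password) ? 'pass' : 'fail',
        strlen(asCString($password)),
        passesHardenedCheck('alice', $password) ? 'pass' : 'fail'
    );
}
```

The lone NUL byte passes the old check yet reaches libldap as a zero-length password, which is exactly the case an LDAP server with unauthenticated simple binds enabled would accept.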
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.