Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Mac OS X Lion LDAP Vulnerability Emerges

Soulskill posted more than 3 years ago | from the mash-keyboard-for-access dept.

Bug 97

hypnosec tips a bit of Apple news from late last week that got overshadowed by the headlines about Steve Jobs. According to El Reg, "People logging in to Macs running OS X 10.7, aka Lion, can access restricted resources using any password they want when the machines use a popular technology known as LDAP for authentication. Short for Lightweight Directory Access Protocol, LDAP servers frequently contain repositories of highly sensitive enterprise data, making them a goldmine to attackers trying to burrow their way into sensitive networks." Initial reports about this bug cropped up less than a week after Lion was released.

cancel ×

97 comments

Sorry! There are no comments related to the filter you selected.

Server problem (0)

Anonymous Coward | more than 3 years ago | (#37245708)

Sounds more like a problem in the servers if they're allow this access.

Actually.... (1)

Jon.Laslow (809215) | more than 3 years ago | (#37245802)

Actually, this is only a problem if you can actually get Lion to bind to your AD Domain in the first place. Stupid legacy .local domain suffixes....

Re:Actually.... (1)

citylivin (1250770) | more than 3 years ago | (#37246622)

just turn off bonjour with iservebox , but that might be a new bug because I dont even think the new macs come with bonjour.

And I haven't had to do that since 10.5 IIRC. In short, that problem no longer exists (well at least on my .local domain).

Re:Actually.... (1)

dakameleon (1126377) | more than 3 years ago | (#37248936)

...because I dont even think the new macs come with bonjour.

Say wha...? If anything, Apple's increasing its use of bonjour. It's baked into iOS and certainly still being pushed in the latest OS X.

Re:Actually.... (1)

LordLimecat (1103839) | more than 3 years ago | (#37249998)

.local is there for a reason. It ensures that if you do not want any internal DNS to resolve externally and are not answering DNS requests from the outside, that your Domain Controller's DNS doesnt supercede legitimate domains.

Take for example a company that wants to use foo.com as their internal domain. If they host all external foo.com services "in the cloud", naming their internal dns domain "foo.com" will hose the ability for anyone on the domain to properly resolve the external addresses. To fix it you would have to manually update your internal DNS A records every time you made a "cloud" change; you would no longer have a single place that lookups occurred to.

To fix that easily, you use foo.local. Foo.com addresses will properly be resolved at the authoratative NS, and the foo.local records are guarenteed not to be resolvable on the internet (as there is no .local root nameserver).

Re:Actually.... (0)

Anonymous Coward | more than 3 years ago | (#37250386)

To fix that easily, you use foo.local.

So you have two domains instead of one. Note that in this case, there's nothing unique about .local. Any other TLD would do (even a remotely-resolvable one).

foo.local records are guarenteed not to be resolvable on the internet (as there is no .local root nameserver).

...yet

Re:Actually.... (1)

LordLimecat (1103839) | more than 3 years ago | (#37253430)

It makes very little sense to combine the two into one, when they share completely seperate address space, are on completely separate ISPs, and one half is supposed to be unresolvable by design. Putting them in the same DNS domain would be bad design; you will either have a non-authoratative DNS server claiming to be authoritative for a domain, or you will have unreachable RFC 1918 addresses in your public DNS.

The first scenario leads to the breakage I mentioned, and is the worst kind of kludge since it makes it much harder to diagnose issues with nslookup. No longer can you simply do a nslookup on NS records to find out who hosts your DNS, since you now have two independently resolving sets of DNS nameservers with no linkage between them; and it is a pain to figure out what has been done if you ever hand off to another tech (since again it is a nonstandard kludge and wont show up in a nslookup query). In a nutshell, DNS is hierarchical, and your plan would split that hierarchy in two.

The second scenario is utterly retarded as it means you would have every DHCP record in your domain recorded by a public DNS, and Im not even clear on how you would get that to work. You would also be publishing for the whole world to see the entire layout of your network.

Using .local is best practice as recommended by MS, and for darn good reasons. You can also, of course, use internal.foo.com, which isnt so bad, but using foo.com is a really terrible idea and if you ever do it you will find yourself regretting it (and probably having to rename your domain) shortly thereafter.

Re:Actually.... (1)

geekboybt (866398) | more than 3 years ago | (#37250960)

Add ".local" to the front of your search domains, and you'll be back in business.

Signed, another admin who got screwed when they decided to use .local for Bonjour.

Re:Server problem (2)

Spad (470073) | more than 3 years ago | (#37245820)

It's actually a client problem. Lion may allow you to logon using any username/password combo, or refuse to allow you to logon regardless of your username/password combo if you're using an LDAP backend. AFAIK this won't allow you to access similarly secured network resources using the bogus credentials.

Re:Server problem (1)

deniable (76198) | more than 3 years ago | (#37252006)

It's just like the security problem with Samba when it let you look at parent directories and Windows servers honored the request. Apple will learn just like Microsoft did.

Thanks, now I know what LDAP is (1)

hardtofindanick (1105361) | more than 3 years ago | (#37245712)

and I dont even have to read the article!

Re:Thanks, now I know what LDAP is (1)

_xeno_ (155264) | more than 3 years ago | (#37245892)

Plus I learned that IT is using LDAP wrong where I work! They use it to authenticate user accounts on the various servers that contain "repositories of highly sensitive enterprise data" but apparently those are supposed to be stored on the Lightweight Directory Access Protocol server itself.

What do you know - I'll have to fire off an email to IT and ask them to transfer our SVN repository (accessed via SSH) to the LDAP server.

Re:Thanks, now I know what LDAP is (1)

DrgnDancer (137700) | more than 3 years ago | (#37246210)

Technically you can use LDAP to store information. Being an an auth/user database is only part of what LDAP does. It's more like a lightweight non-relational database than anything (I realize that isn't quite right, but it's a reasonable comparison). One of the things that nearly any LDAP tutorial has you do is create a shared address book for instance. Indeed, if you look at the most popular LDAP system currently available (Microsoft's Active Directory) you'll see that it can store all sorts of potentially valuable information about users. From their contact info to there access levels.

Re:Thanks, now I know what LDAP is (3, Informative)

interval1066 (668936) | more than 3 years ago | (#37246724)

LDAP is a (what I always thought was) a pretty cool hierarchical directory type data server; its really good at storing data that is in a tree structure. But it will do relational duty as well. A company I worked for that did an enterprise web portal back in the 90's stored its stuff in a relational, but than we got a request for all its data to work on an LDAP server, so it got done. Worked pretty well as I recall. But I wonder if the NoSQL cloud dbs are better for that now. Seems like couchdb would do it just well too.

Re:Thanks, now I know what LDAP is (0)

Anonymous Coward | more than 3 years ago | (#37250098)

Actually, an LDAP directory is often built upon something like Berkeley DB. The Netscape/Sun one was atop Berkeley DB when I worked with it, and it likely still is.

Re:Thanks, now I know what LDAP is (1)

arglebargle_xiv (2212710) | more than 3 years ago | (#37251534)

It's more like a lightweight non-relational database than anything (I realize that isn't quite right, but it's a reasonable comparison).

It's actually a heavyweight pre-relational (hierarchical) database of the type used in the 1960s before relational databases were invented. Many LDAP servers actually use an RDBMS underneath, with LDAP being an additional mapping layer on top of the standard database (others use key/value stores like Berkeley DB, but again you have to add a hugely-complex mapping layer because LDAP isn't anything like the key/value store that it's using for its storage engine). The only LDAP server I know of that uses a storage engine that's even close to what LDAP does is (supposedly) Novell's Recman (although that may just be marketing propaganda, since they ditched Recman some years ago).

Re:Thanks, now I know what LDAP is (0)

Anonymous Coward | more than 3 years ago | (#37246046)

Please return... even better, put your geek card on a vulnerable OSX LDAP server so we can proceed to shred it.

Re:Thanks, now I know what LDAP is (3, Informative)

elsurexiste (1758620) | more than 3 years ago | (#37250224)

Thanks, now I know what LDAP is, and I dont even have to read the article!

I don't know if you really know it, but just to be sure: it's a piece of shit.

LDAP means Lightweight Directory Access Piece-of-Shit-Protocol. It was created as a lightweight replacement for another protocol. Either the oldest one was designed by Cthulhu itself, or the designers were trolling the hell out of ourselves.

So, what's the deal with this PoS? The idea is to access data in a hierarchical storage. This was a system administrator's wet dream: every piece of information and configuration for a user, person, service, computer, and organizational unit, and everything neatly organized and in a single place. Even more, everything is Standard(TM)! Cool, you imagine. Yeah, I thought the same... but here ends the coolness. What follows is what happened at the IETF headquarters, just after the original idea was presented:

Someone said, "Surely not everyone should access the database! We must add authentication!". So, we bloated the protocol a bit, and now it's a directory access protocol that also handles authentication. Ok, maybe it's an acceptable tradeoff, everyone thought. But then someone else said "Since we added authentication to this protocol, we should use it as the central authority for all authentication purposes in our organizations!". WTF, this was designed for directory access, not for authentication. So, after this kludge, someone reasoned, "Since we now have to handle authentication, we need to use TLS on the same port where we handle the directory access! We wouldn't want authentication without an encrypted channel!". And then, another engineer, who was clearly stoned, said "Yeah, let's have that AND let's have an LDAPS protocol that is just like that but on another port". At this point, we can assume that he shared his drugs with the rest of the people involved and everyone said "YES!". And then, someone else, clearly influenced by object-oriented design and abstract data types, said, "We should have defined types, so people won't forget to add data that's important and everything stays consistent, even across organizations". And another one, clearly influenced by Stalin, demanded, "Ok, but people can add only what's explicitly defined, nobody is allowed to enter new data unless we allow it, no deviations whatsoever". Another engineer, clearly influenced by Evil(TM), added "Not only do they have to enter just the data that we will allow them to enter on our defined type, should they want new types for their organizations... they must ask an ID from IANA. Nobody is allowed to share their custom types on demand, they must first come to us". Finally, Cthulhu itself showed up, saw what they did, and said, "Puny insects, you can't design a protocol even if you tried. Protocols are tame unless they are difficult to manage and fail often". And everyone lost their minds and yelled "Let's make it painfully difficult to administrate! Let's add the worst databases the world has seen! Let's make it the most unaccessible service on Earth! Let's make DNS look like a failsafe service!".

This photograph [imgur.com] was taken at the end of this meeting. It was 4th of July, and the engineers went outside while Washington DC was having a parade. A peaceful photo is superimposed to reduce trauma on the unlucky ones that choose to see it.

Re:Thanks, now I know what LDAP is (1)

WebManWalking (1225366) | more than 3 years ago | (#37251962)

I agree with what you said. ((Please moderate parent up.))

But I can't help but wonder if they're talking about Lion Server, which is optional and costs significantly extra. I don't see "PoS Directory/Authentication Mess" in the Sharing preference pane.

Re:Thanks, now I know what LDAP is (1)

rakaur (984920) | more than 3 years ago | (#37268528)

I agree with what you said. ((Please moderate parent up.))

Wow, so that's how the moderation works on Slashdot. I knew it!

Re:Thanks, now I know what LDAP is (2)

LordKronos (470910) | more than 3 years ago | (#37255542)

Wow. That's one very pessimistic view of LDAP, from someone who probably hasn't spent enough time using LDAP in the way it should be used in order to appreciate it's featues. So lets just address a few of your complaints (sorry if I miss anything, but it's sort of hard to quote and address things when you basically turned your post into work of literary fiction).

1) Supporting authentication is a bad thing? Really? So you have a DB-like source with loads of info about everything and everybody in your organization, and you don't think it's a good thing that people should have to authenticate before seeing it? Or that certain bits of info should only be available to certain users (which is impossible to do without authentication)? Or that while some people should only be able to view it, certain people can edit it, and different people may need to have rights to edit different bits of information (again, impossible without authentication)? I think you are totally off base here

2) Once authentication is there, you think it's a bad thing that we reuse this authentication to authenticate other services? You would rather create 2 separate sets of authentication credentials...one for the LDAP server, and one for the other servers? When you consider some of the purposes of LDAP, like being able to manage groups of users, and that on other servers you will want to reference those groups (like say, only users from department X can access this folder, and department X is defined as a group on the LDAP server), it doesn't make sense to want to do the authentication against LDAP since we'll also be doing the group member verification against LDAP?

3) I'm pretty sure you've got your security ordering mixed up. LDAPS came before TLS. TLS sort of unifies the two methods.

4) About the structure of the objects, LDAP is nicely extendable. It provides you a way to add features and services to accounts, so you can say "this entry is for a person", and then you get available to you only the attributes that apply to a person. Then you can take a subset of those accounts and say "these particular accounts have unix shell accounts" and then you get available to you additional attributes that apply specifically to the unix shell account. You can require that some of these new attributes be required, some optional, and you also assure that no entries will have these extra attributes set unless they've been designated as having that objectclass.

This extensible structure is sort of an alternative to how a relational DB would do it. In the DB, you would have to have a bunch of separate tables for all of the different services, and then link the tables together (so a generic object table, and then link that to a table for people, and then link that to another table for unix shell accounts, etc). Doing a query and joining all of those tables together can actually be quite a pain. With LDAP, you can simplay say "give me all objects that are for people with unix shell accounts". The query would be something like (&(objectclass=person)(objectclass=unixaccount)). That's it, and it will get you all the info about the object. By contrast, the query you'd do in SQL would be SELECT * FROM object INNER JOIN person ON object.id=person.object_id INNER JOIN unixaccount ON object.id=unixaccount.object_id. Which one is simpler? Now try to go further...try to get a list of everything that matches any of multiple criteria (example, has a unix account OR an email account). In SQL you'l have to start doing outer joins. Then filter it further...only get accounts where they've logged in to either system during the past 30 days. The LDAP filter would be something like
(&
      (objectclass=person)
      (|
              (&(objectclass=unixaccount)(unixlogindate>=20110801))
              (&(objectclass=emailaccount)(emaillogindate>=20110801))
        )
)

You could actually simplify that query if you've got your logindate fields indexed, but you don't always have fields indexed, so filtering by the objectclass is always a good idea. The point is, that's a LOT simpler than the query you'd write to do it in SQL. And if you want to see an object, with every type of account, service, etc that it is configured for, you don't have to do an join of every single table in your DB, or do a multistage query where you first lookup what accounts/service they have and then requery for those specific ones. You simply ask for the object and it gives you back ALL of the info available for that account.

And then when you get back your result, if you've got any multivalued attributes (for instance, a user could have multitple aliases for their name), you don't have to iterate through multiple rows and figure out which ones group together as part of the same object, the way you do in a DB result. You get back one single object, and when you look at a multivalued attribute, you see an array containing the multiple values.

For certain types of work, it is a much nicer interface to deal with and script against that having to get it all from a DB. At times it has it's failings, but more often than not it seems like the right tool for the job.

5) So onto I think your last point, about exporting custom data. You don't need to get any permission to create your own data types. We do it all the time. It takes just a minute to do. However, if you want it to be a standardized attribute that a lot of people will use outside your organization, then yeah it makes sense to get an OID assigned to it, but it's not something we ever needed to do.

I've probably spent way too much time replying to you, but since you got modded up, I thought it would be good for other slashdotters to see the other side of the story, from someone who actually appreciates LDAP for what it has to offer.

Re:Thanks, now I know what LDAP is (1)

elsurexiste (1758620) | more than 3 years ago | (#37257772)

To be honest, I was aiming for "Funny", but got "Informative" instead. Since we are serious, I guess I'll answer like an adult :) . Believe me, I spent too many hours on LDAP to have any love for it. I even contributed a few scripting lines to the OpenLDAP page in Ubuntu. Just look at Amplicate and you'll see I'm not alone ;) .

I'm not against authenticating. I would have liked authentication and LDAP to be defined/handled separately, though, not in a single protocol. Everything ends up cleaner. LDAP remains as a truly lightweight directory access protocol, it defines operations and that's that. It's not even a new idea: Kerberos is just an authentication protocol. That would have saved us from the present situation: we authenticate against LDAP not to see its contents, but to know if we can authenticate. If we use a relational database instead of a hierarchical one, we may as well use PostgreSQL or SQL Server just to know if the user is allowed to proceed instead of querying its data. Sounds too much like a hack, even if we query data about users and groups once they log on.

I mixed up TLS and ldaps, you got that right. I guess it was the port numbers.

For some reason, when I started filling objects, I thought they were more like prototypes, not classes. Maybe because I was too influenced by Self or Python. Or maybe because I expect information about an account to be fixed and predictable, but not for a person. After all, when I put people in my contact list, I add info about them that's not defined on the metadata, like T-Shirt size. In my particular case, I needed to add a PGP fingerprint to a bunch of people. So, I had to create a whole new class to store a single piece of additional data.

Although you surely know it, you can use views to speed the whole stuff up in RDBs. Oracle offers an LDAP solution built on top of its relational database, after all. As to which is simpler... I agree that's is small and somewhat legible, but it's like saying DVORAK keyboards are faster. Nobody would say otherwise, yet the number of people that uses it is smaller.

Which leads us to the syntax. Whereas I just complain about authentication and ldaps/StartTLS, the syntax really anguishes me. Especially the domain component chains. I understand that the protocol is old, but why do we keep using dn: cn=John Doe,dc=example,dc=com. I suffered because I had a domain once that was goddamn large, so I had to painfully type it again and again.

As for command line interfaces... I guess it's vendor-independent because I hated OpenLDAP while a friend raged against ActiveDirectory. Administration with the CLI is hard as hell. I don't doubt you are experienced on it, but grant me that it isn't user-friendly.

Finally, naturally I didn't went to IANA for an OID, but they advise you to use one if you want to share it... which is crazy nonetheless. If a schema is private, the most likely place to get the latest version is with that private party.

I know we aren't going to completely convince the other one, but you are right, I have to give a clear message if people are to decide objectively.

but... (0, Troll)

halfEvilTech (1171369) | more than 3 years ago | (#37245714)

aren't Macs suppose to be secure. at least thats what the I'm a mac commercials always told us.

Re:but... (-1)

Anonymous Coward | more than 3 years ago | (#37245738)

They don't get viruses. This isn't a virus, it is just a leak.

Re:but... (0)

Anonymous Coward | more than 3 years ago | (#37245938)

and, of course, they don't get viruses because steve jobs personally puts a magic bean in every unit to avoid such unpleasantness.

Re:but... (0)

Anonymous Coward | more than 3 years ago | (#37245982)

wonder if Tim Cook will take up that time honored tradition now...

Re:but... (1)

Anonymous Coward | more than 3 years ago | (#37245924)

If by "secure" you mean it won't execute W32.Blaster.Worm then yeah, it's secure.

Re:but... (4, Insightful)

dimeglio (456244) | more than 3 years ago | (#37245942)

Well the Mac in this case is the threat and not the vulnerability. So from that perspective, the Mac itself remains secure.

Re:but... (1)

Anonymous Coward | more than 3 years ago | (#37247520)

Well the Mac in this case is the threat and not the vulnerability. So from that perspective, the Mac itself remains secure.

Actually, in this case the Mac is a vulnerability, and thus becomes a threat. From what users are reporting, the Mac doesn't even try to authenticate against the LDAP server. It just accepts any password blindly and let's the user login.

Not a bug with LDAP - just a failure with how Apple has implemented LDAP authentication in OSX Lion.

Re:but... (1)

pandrijeczko (588093) | more than 3 years ago | (#37250658)

Thanks for that great demonstration of the King Canute Computing Principle.

Re:but... (2)

_xeno_ (155264) | more than 3 years ago | (#37245988)

No, you remember wrong. The Mac commercials say that, unlike a PC, everything just works and you won't get viruses.

Now if I try and access "Important Trade Secrets.pdf" and get told "Access Denied," that's not "just working," is it? So instead, with the new Mac OS X Lion, instead of giving you an "access denied" message when you try and access that file, it just loads it up! It just works!

OK, so I'm really confused as to what the vulnerability actually is. And given that the article starts off with "LDAP servers frequently contain repositories of highly sensitive enterprise data," I'm not exactly convinced the author knows what they're talking about either.

But from what I can gather the bug has to do with using Mac OS X Lion as a file server. Once a user has authenticated with the server once, the server starts blindly accepting any credentials it receives, I guess?

So, yeah, "it just works" if all you want to do is access files. Which is all the ads ever talk about.

If, on the other hand, you don't intend to allow everyone access to (the data on?) your entire computer, then maybe you should consider not using Mac OS X as a server.

I think. Who knows. The article is awful.

Re:but... (2)

jo_ham (604554) | more than 3 years ago | (#37246352)

I guess that's what happens when you use OpenLDAP.

Silly Apple.

Re:but... (2)

CharlyFoxtrot (1607527) | more than 3 years ago | (#37246378)

I think. Who knows. The article is awful.

El Reg is a rag, a fun rag but a rag nonetheless. There's been a spate of articles lately attacking Apple's enterprise readiness because of bugs (in a month old OS.) I wonder if that's because they are being used more in enterprise and it's becoming more of a problem or someone's just worried that they might get some traction in business ?

Re:but... (0)

Anonymous Coward | more than 3 years ago | (#37246488)

I see. El Reg is rag, because it refuses to be a paid media shill like Information Week? They must be stopped!!

Re:but... (2)

Doctor_Jest (688315) | more than 3 years ago | (#37248180)

They may not be a "shill"... but their bias is very clearly marked on their collar. :) I have seen them put out false stories and, upon finding they were fake, taking their own sweet time to post a retraction... dunno if that has gotten better over time or not. To be fair, it's not a normal practice, but it sure did seem a while before they retracted...

It's rather like the decided BeOS bias of osnews.com. :) It's obvious, unhidden, and taken with a grain of salt. Their level of scrutiny for anything not BeOS (or Haiku, I suppose) was legendary. It was pretty heavy biased toward windows with the new editor... I stopped reading when the community became Microsoft Apologists... there's only so much drivel one can take. :) heheh.

Bias is fine, if a publication stops trying to hide it. :)

Re:but... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#37246010)

Not only are they secure, but they create a cult like atmosphere that cannot be eclipsed by any other cult zealotry. They will clean your house, and your a$$ at the same time. Everything will just be better when using a Mac even your sex life. Although the absolute greatest part about them is that only a short few months after converting to the cult, you become omnipotent and on your way to the sainthood in the shadow of all mighty Jobs himself.

Re:but... (0)

stewbacca (1033764) | more than 3 years ago | (#37252562)

Wow, somebody has insecurity issues.

Re:but... (0)

Anonymous Coward | more than 3 years ago | (#37246068)

Jealous of people who can afford a real computer? I bet you're a Linux or Windows user. It shows.
 
In the meantime, OSX is still the most secure OS out there on the consumer market today. Sorry if that burns you but it is true.

Re:but... (1)

Mitchell314 (1576581) | more than 3 years ago | (#37246312)

lol, I'm a mac user but even I'll never claim that they're the most secure OS. IIRC Apple has an even more horrible track record of addressing bugs than MS.

Of course, the best (and hardest to achieve) security comes from smart vigilant system admin and smart users. The best operating systems can do is to make their work easier and not undercut their efforts (with serious vulnerabilities, autoplay, weak permissions, etc).

Re:but... (1)

tibit (1762298) | more than 3 years ago | (#37246426)

I've been running Fedora Core on an iMac for a good while. Mostly to play Doom 3 and Quake 4 -- somehow those games never get tiring for me. Yep, I'm too cheap to shell $50 or so out for an OS X version of the same :)

Re:but... (0)

Anonymous Coward | more than 3 years ago | (#37246862)

You're probably a lying cunt too but we'll address that later. but for now you just keep sucking on that Linux dick. It serves you well.

Re:but... (0)

Anonymous Coward | more than 3 years ago | (#37246942)

I'd be willing to bet money there are more Mac users that suck dick compared to Linux users ... just saying!

Re:but... (0)

Anonymous Coward | more than 3 years ago | (#37247720)

No. Linfux users take it up the ass from dirty faggots. They love the dick. They worship the dick. Tux kinda looks like a dick and they love it in the ass.

Re:but... (0)

Anonymous Coward | more than 3 years ago | (#37248892)

That is how I bought my Mac. I only had to suck 753 dicks before I made the trip to the Apple store.

Re:but... (1)

smash (1351) | more than 3 years ago | (#37250678)

Yeah, they're called girls.

Commander Taco was wrong (0)

Anonymous Coward | more than 3 years ago | (#37245804)

I know Taco used to extol Mac security, and now that he's dead and gone we can't use this as evidence to prove him wrong. Rest in peace my friend; I'll miss these spirited debates.

User Error (1, Funny)

notKevinJohn (2218940) | more than 3 years ago | (#37245836)

Don't worry, I am sure Apple will soon release a statement explaining that LDAP works on Lion as long as you hold your laptop in the correct way.

Security theater a little (3, Informative)

vlm (69642) | more than 3 years ago | (#37245842)

Once we own an LDAP server we own everything

Uhhh, say what?

I guess you could learn my cellphone number, but seeing as its somewhere in between 000-000-0000 and 999-999-9999 its not top secret. I suppose you could change my home directory to /tmp, just to piss me off, at least for a little while. You could delete my ldap account, now that would thoroughly annoy me until I restored the ldap server data from its backup...

Part of the problem is I've never seen a LDAP deployment without its buddy kerberos doing the password stuff. I guess its possible to use LDAP to do passwords, but I've never done it. I would think it would be kind of awkward, like using cfengine to do moves/adds/changes inside your passwd file. Maybe there exists a linux PAM module to change passwords etc inside LDAP, creating ldif files and running ldapmodify to change my password would get old real quick. I would guess the testers probably didn't even set up to do something that weird, assuming everyone would use kerberos with ldap.

I suppose if you consider nuclear missile launch codes to be "directory information" and thus keep them in your ldap, or more realistically keypad door combinations, then you could be in big trouble. Medical records at a hospital in a LDAP?

Re:Security theater a little (1)

boxxa (925862) | more than 3 years ago | (#37245916)

LDAP if interfacing with AD can get you user credentials for domain admins, server admins, server name objects, login history with IP ranges, etc. Simply a user login can get you email access to anyone in the company and I am sure no matter what company you work for, your CEO would not be happy with their emails getting leaked.

Re:Security theater a little (0)

vlm (69642) | more than 3 years ago | (#37245968)

ah ha. I'd never used LDAP / kerberos / AFS on a microsoft platform. Sounds like they built themselves a mighty single point of failure there... login history via ldap? Geeze.

Re:Security theater a little (1)

Kalriath (849904) | more than 3 years ago | (#37247218)

Actually, the login history is stored in the event log if auditing is enabled - the LDAP user store contains only the last login date, nothing more. You also cannot get the password from Active Directory (you have to crack the SAM on the server). You certainly can't access the mailboxes using only the details in AD since you have to authenticate with the Exchange server using a valid Kerberos ticket (NTLM requires you already have the password) to get those.

Re:Security theater a little (1)

LordLimecat (1103839) | more than 3 years ago | (#37250026)

I dont believe that the user password hashes are stored in the local SAM of a domain controller; Im fairly certain it is stored within directory services. Certainly samdump does nothing on a DC.

Re:Security theater a little (1)

Kalriath (849904) | more than 3 years ago | (#37258916)

You might be right actually - I believe there is an attribute within ADS which is only visible to administrators which may contain the (irreversible) password hash.

Re:Security theater a little (1)

LordLimecat (1103839) | more than 3 years ago | (#37261448)

I found this out when we had to do password recovery on a DC, without either the domain password or the AD repair mode password. Its a multistep process, where you first have to use a boot disk to reset the recovery mode password, boot into directory services restore mode, and then change the domain admin password. The bootdisk is unable to do anything to domain passwords, because theyre not stored in registry.

Re:Security theater a little (5, Informative)

Spad (470073) | more than 3 years ago | (#37245996)

*IF* this vulnerability allowed you to authenticate to AD Domain Controllers with administrative rights then you would be able to dump the SAM database and potentially gain access to all of the user credentials, but then if you could authenticate to a DC as an admin why would you bother when you can just setup your own credentials or modify account permissions directly?

But it doesn't, so you're getting usernames, machine names, a bit of contact info, a lastlogontimestamp and a few other bits and pieces that in most cases anyone with regular user credentials on the domain would be able to access anyway (Most people don't seem to realise that a lot of fields on AD accounts are readable by any authenticated user).

Except you're not even getting that because as far as I can tell this only affects logging on locally to an OSX Lion client.

Storm, meet Teacup.

Re:Security theater a little (1)

v1 (525388) | more than 3 years ago | (#37246348)

it's also worth noting that the LDAP database, though encrypted, can have its password reset if you know which bits to twiddle. the server has to be able to access it, after all.

But that's true of any system that doesn't require a password during boot

Re:Security theater a little (0)

Jeremi (14640) | more than 3 years ago | (#37250176)

Storm, meet Teacup.

Worst X-Men episode ever.

Re:Security theater a little (1)

0100010001010011 (652467) | more than 3 years ago | (#37245936)

They're using LDAP for authentication.

Meaning if we have a network of linux, windows, mac, etc machines all served by a LDAP backend run on Lion, then I can login as you.

Re:Security theater a little (1)

vlm (69642) | more than 3 years ago | (#37246042)

They're using LDAP for authentication.

Meaning if we have a network of linux, windows, mac, etc machines all served by a LDAP backend run on Lion, then I can login as you.

Yeah that's exactly what I meant, I didn't know anyone did that. Currently and always LDAP for directory stuff (full name, uid, home dir) and kerberos for password auth everywhere I've ever been. Never seen a place with just ldap deployed, but then I've pretty much avoided hard core microsoft areas, per posts above thats just how those guys roll. I would imagine doing password auth over ldap is kinda like serving up web pages on the internet over nfs instead of http, I mean you could do it, but isn't it ... just wrong? I mean outta the box, ldap isn't even authenticated and encrypted itself, is it? Is ldap even theoretically capable of preventing a MITM attack (maybe using SSL?) Use the right tool for the job and do auth in kerberos...

Re:Security theater a little (2, Informative)

Anonymous Coward | more than 3 years ago | (#37246308)

Yeah that's exactly what I meant, I didn't know anyone did that. Currently and always LDAP for directory stuff (full name, uid, home dir) and kerberos for password auth everywhere I've ever been. Never seen a place with just ldap deployed, but then I've pretty much avoided hard core microsoft areas, per posts above thats just how those guys roll. I would imagine doing password auth over ldap is kinda like serving up web pages on the internet over nfs instead of http, I mean you could do it, but isn't it ... just wrong? I mean outta the box, ldap isn't even authenticated and encrypted itself, is it? Is ldap even theoretically capable of preventing a MITM attack (maybe using SSL?) Use the right tool for the job and do auth in kerberos...

I've worked where LDAP is used for authentication, lots of applications support using just plain LDAP for authentication. However, these applications also support SSL-encrypted LDAP, so the data is secure in transit. LDAPS is what that's called, and it's on port 636.

So companies do use LDAP for authentication, yes. And it can be secure in transit, yes.

Re:Security theater a little (1)

chemosh6969 (632048) | more than 3 years ago | (#37247080)

You're acting as though system/network admins are usually qualified and know what's going on. I usually see guys that talk a lot as if they know what they're doing but don't actually understand what they're saying and rely on people lower on the totem pole to actually get anything done. Now you just have to rely on those guys to know what they're doing which isn't always the case.

Re:Security theater a little (1)

deniable (76198) | more than 3 years ago | (#37252104)

To be charitable, we're not all incompetent. We're just under-staffed and under-budget. We then get the Boss With Ideas telling us how to run deployments and requiring easy access for the important / loud / connected users.

Re:Security theater a little (2)

Kalriath (849904) | more than 3 years ago | (#37247266)

Contrary to boxxa's completely fabricated post, NT domains aren't that insecure. For a start, Windows uses LDAPS for communication with the LDAP server, and second the authentication is all done using Kerberos v5. Logon history is not accessible over LDAP or even remotely at all short of remote event log viewing, user passwords cannot be retrieved via LDAP and you cannot access anyone's email just by getting some details out of LDAP.

Re:Security theater a little (1)

deniable (76198) | more than 3 years ago | (#37252124)

It would be an interesting training exercise to figure out how you'd make all of that true. You'd most likely have to extend the schema with an 'unencrypted password' field and a direct link to web mail.

Re:Security theater a little (1)

Kalriath (849904) | more than 3 years ago | (#37258926)

Well, if you're running Exchange 5.5 it's easy - if you authenticate as an administrator, Exchange 5.5 will let you open any mailbox.

Re:Security theater a little (1)

deniable (76198) | more than 3 years ago | (#37260686)

You can do it with the right group memberships on the later versions. OK, so we need the administrators password unencrypted in the LDAP.

Re:Security theater a little (1)

smash (1351) | more than 3 years ago | (#37253096)

hush, don't let the facts get in the way of a good headline.

I believe the largest use of LDAP only auth is actually in.... free software. Anything semi-professional generally uses kerberos for auth...

Re:Security theater a little (1)

buchanmilne (258619) | more than 3 years ago | (#37250904)

No. This is a vulnerability in the client-side portion, as if you had configured a linux client with:
auth sufficient pam_permit.so

It should have no effect on any other clients.

Re:Security theater a little (2)

ulzeraj (1009869) | more than 3 years ago | (#37246064)

I've seen quite a few mid-sized companies storing passwords on pure ldap and controlling access through LDAP ACLs allowing only the admin to see the userPassword field besides its owner. You can consult everything else anonymously. Thats pretty common on smbldap-tools and some samba domains managed by SuSE YaST that I've met.

Duplication? (0)

Anonymous Coward | more than 3 years ago | (#37246076)

I have a 10.6.8 ODM with Kerberos. I cannot duplicate the vulnerability cited in the article on 10.7.1 client, so unless this issue exists with domain controllers that ARE using Kerberos, this is a non-issue. I don't even know how you would turn it off unless you didn't setup your domain properly in the first place, and even then you'd get half a dozen warnings that alert you to a misconfiguration, provided you know where to look.

Re:Security theater a little (1)

jimicus (737525) | more than 3 years ago | (#37246184)

Part of the problem is I've never seen a LDAP deployment without its buddy kerberos doing the password stuff. I guess its possible to use LDAP to do passwords, but I've never done it. I would think it would be kind of awkward, like using cfengine to do moves/adds/changes inside your passwd file. Maybe there exists a linux PAM module to change passwords etc inside LDAP, creating ldif files and running ldapmodify to change my password would get old real quick.

I have. There is a PAM module that does an LDAP password update. The biggest problem is that there's about a hundred different ways you can configure it, every Linux distribution makes different assumptions about your environment - assumptions which can change between versions - and this almost invariably leads to interoperability problems. Fortunately they all use the same libraries so you can generally dump a known-good set of config files in the appropriate place in /etc and away you go.

Re:Security theater a little (1)

bk2204 (310841) | more than 3 years ago | (#37249346)

Part of the problem is I've never seen a LDAP deployment without its buddy kerberos doing the password stuff. I guess its possible to use LDAP to do passwords, but I've never done it.

Debian uses LDAP and does not use Kerberos. I presume that they store the passwords in LDAP in the standard fashion.

Re:Security theater a little (1)

smash (1351) | more than 3 years ago | (#37253122)

So you're saying its a debian vulnerability....

Re:Security theater a little (2)

buchanmilne (258619) | more than 3 years ago | (#37250886)

Firstly, this vulnerability has nothing to do with the LDAP server, or owning the LDAP server. It is effectively as if Mac OS X, when configured for LDAP authentication, has a 'auth sufficient pam_permit.so', so the client will accept any username or password. However, this doesn't imply any access to the LDAP server ...

Once we own an LDAP server we own everything

Part of the problem is I've never seen a LDAP deployment without its buddy kerberos doing the password stuff. I guess its possible to use LDAP to do passwords, but I've never done it.

I have a few, where Kerberos is not really viable, and (since almost all access to anything is via ssh with public keys - but stored in LDAP), the passwords aren't really the issue, but the ssh public keys could be replaced ...

I would think it would be kind of awkward, like using cfengine to do moves/adds/changes inside your passwd file.

Why would it be any less awkward than Kerberos (besides the actual SSO part, but if you're not actually doing GSSAPI auth anywhere after login it is irrelevant)?

Maybe there exists a linux PAM module to change passwords etc inside LDAP, creating ldif files and running ldapmodify to change my password would get old real quick.

Almost all Linux distros have tools to configure a box for LDAP authentication, most of them get it right to set 'passwd' up so that it works correctly ... even if you didn't have that, you could use 'ldappasswd' to change your password (but, it is probably a bit too inconvenient for most users).

However, if you have password policies configured (e.g. with slapo-ppolicy on OpenLDAP), and users log in to a display manager, they would be prompted to change their passwords on login (without having to touch the command line), just like you could do with Kerberos.

Not serious... (0)

Anonymous Coward | more than 3 years ago | (#37245848)

This is simply pathetic.
We're talking about basic attack surface testing here. And here goes the "Mac are safer" reality distortion starting again...

Jobs must really be dying. (-1)

HornWumpus (783565) | more than 3 years ago | (#37245970)

The reality distortion field is collapsing.

Is this AD or just straight LDAP? (1)

xrayspx (13127) | more than 3 years ago | (#37245986)

I've been unable to reproduce this with AD authenticated Lion 10.7.1. The stories I've read referenced OpenLDAP and LDAP in general, but I haven't seen AD mentioned yet. Has anyone gotten this to work with AD?

Re:Is this AD or just straight LDAP? (1)

NatasRevol (731260) | more than 3 years ago | (#37246940)

It's an LDAP only issue. If you're using Kerberos/AD, then it's a non-issue.

Re:Is this AD or just straight LDAP? (1)

xrayspx (13127) | more than 3 years ago | (#37261496)

Thanks, the articles and threads available over the weekend were kind of skimpy on detail.

Welcome (0)

Anonymous Coward | more than 3 years ago | (#37246062)

to last week.

Old news is old.

It just works... (0)

Anonymous Coward | more than 3 years ago | (#37246116)

... with any password.

This sounds like an ACL issue. (2)

Zombie Ryushu (803103) | more than 3 years ago | (#37246118)

A few pointers. Don't use LDAP for authentication. use Heimdal Kerberos for authentication (PAM) and use LDAP for authorization. (NSS). Don't let machines bind as cn=Manager. That is very bad should a machine become compromised. Generally, SASL LDAP binds are recommended over simple. Kerberos should bind

And most relevent. Only let users in the People OU bind to their own uid in the suffix.
If you are binding to the tree with cn=Manager, on a regular basis, you deserve what you get, set your ACLs right.

Uh.. What? (3, Insightful)

synthesizerpatel (1210598) | more than 3 years ago | (#37246130)

I'm not quite sure what the 'bug' here is.. First off, Apple's LDAP is 'OpenLDAP'. So. Is this a flaw in OpenLDAP or Apple's configuration for OpenLDAP?

Also.. LDAP is kinda like DNS, except most places don't secure it. To see this in action, download Apache LDAP Studio, connect to your friendly local LDAP server and start browsing around (without authentication).. Most times you can get an almost full LDAP dump from a remote server without authenticating at all. Generally the only 'protected' elements are the passwords. You can enumerate users, groups, etc.

Re:Uh.. What? (0)

Anonymous Coward | more than 3 years ago | (#37246318)

Though neither the summary more the linked article give any details I'm pretty sure the bug here is system-local -- if you have a Lion box setup to do LDAP auth and have previously logged in locally to that box with an LDAP account, you can then login again to that same local account without a good password.

Which is obviously bad in that local data on the machine can be accessed by unauthorized users, but it doesn't actually give you access to any network resources/etc.

Re:Uh.. What? (0)

Anonymous Coward | more than 3 years ago | (#37248474)

Much as I hate Apple, reading the article makes it look more like Apple is exposing an existing a bug in arbitrary LDAP servers.

The talk about Apple, Linux and Windows workstations, but they never mention what OS is running the LDAP authentication server.

1) You log into the Mac using a valid username/password
2) ?You can then log into any arbitrary account with any password, from that Mac?

Call me nuts, but shouldn't the server be handling the user validation? Shouldn't the client be irrelevant (or, more precisely, failure cause a lack of login)? Do they every specify that it is an Apple LDAP server?

Yay for vulnerabilities! (-1)

Anonymous Coward | more than 3 years ago | (#37246132)

Now watch as it takes Apple 2 months to actually patch it, which will actually be a new version of OS X which you have to buy.

You know it'll happen.

- PC. :)

Re:Yay for vulnerabilities! (1)

stewbacca (1033764) | more than 3 years ago | (#37252592)

Or it will be patched within weeks and will be part of the next Software Update. What precedent can you provide that would suggest otherwise?

Last month called, they want their news back (0)

Anonymous Coward | more than 3 years ago | (#37246228)

Seriously, if you're only finding out about this right now... you need to get the f*** out of computing.

Ergh, horrible article is horrible. (1)

Darkinspiration (901976) | more than 3 years ago | (#37246344)

Seriously, would it kill them to do better then forum reading and printing post almost verbatim. The issue as i understand it is that if you have a mac os 10.7 open ldap server or apple open directory it will either not let user login or let them login without password. but nobody has any details, or my googlefuu failed me... Still that should have been caught in beta.

This has been on a few sites (4, Informative)

jimicus (737525) | more than 3 years ago | (#37246476)

IMV, it's not as bad as it's made out.

The way LDAP authentication is supposed to work is:

1. Client connects to server to find exactly where in the tree the user's information resides (the user's DN). This is not particularly sensitive - it's usually done either anonymously or with an account with very little privileges.
2. Client drops the connection then tries to re-connect using the DN it found out in (1) and the password supplied by the user.
3. If the server responds that the login has succeeded, let the user use the service. If not, refuse.

A number of people have followed the logs on their LDAP servers and established that OS X Lion isn't carrying out step 2 at all. So provided the user ID supplied is valid, the user can log into the computer.

It's important to note that this process is repeated for every process you want to use. Kerberos makes life a little easier (the server supplies a token to say "This user has logged in OK" and that token can be used to authenticate against services that support Kerberos). In any case, the person is logged into the computer but cannot access network resources. Nevertheless, it's an absurd fault that should have been picked up in testing, I have no idea how it could possibly slip the net.

ho uhm (0)

Anonymous Coward | more than 3 years ago | (#37247926)

I've deployed LDAP Mac enterprise environs.

First of all, I always sort of assumed OpenLDAPs to be pretty much open within the context of a secured network. Not the passwords themselves, but the trees and branches of users and orgs.

Second, me wonders if this has something to do with a feature of Apple's Directory Services/LDAP implementation, which allows the admin to masquerade as *any* user on the system. Essentially, if you have an admin password, you can type in the name of any user in the system, and if you supply the/a admin password, you'll have instant access to any users desktop from the login prompt.

I've tried nothing to recreate or investigate this issue. But the article struck me as not-completely well conceived, so part of me wonders if those who are reporting this bug are simply using an admin password and gaining access to every account - a documented a configurable feature - and reporting it as a massive security flaw.

Brilliant cover up (0)

cheesecake23 (1110663) | more than 3 years ago | (#37248204)

a bit of Apple news from late last week that got overshadowed by the headlines about Steve Jobs

1. Discover an embarrassing vulnerability in your OS.
2. Relapse into fatal cancer and resign as CEO, drowning your goof in media noise.
3. ???
4. PROFIT!!!

You have to admire the guy's genius, dedication, and unmatched PR skills ...

Doesn't work with OpenDirectory (1)

gozar (39392) | more than 3 years ago | (#37249116)

I just tried it with a Lion client bound to an OS X 10.6 server using OpenDirectory, and I couldn't replicate the problem.

So is Lion doing something non-standard when connecting to OpenLDAP servers? I noticed that in the main thread it was mentioned that they weren't using the full Apple LDAP schema.

Servers? (1)

justforgetme (1814588) | more than 3 years ago | (#37251238)

You use mac OSX on servers? and what do you do with linux then?

Re:Servers? (1)

catmistake (814204) | more than 3 years ago | (#37251340)

and what do you do with linux then?

Linux is for Windows fail. Microsoft breaks it... Linux fixes it. That is its prime reason for existing. The fact that Linux makes a fast, stable server platform is purely an unintended side-effect, call it a happy accident, of not being Windows.

More serious than some might think. (0)

Anonymous Coward | more than 3 years ago | (#37252370)

This is a show stopper for us in deploying Lion,
We are a Linux (SL 5.5) and OS X site, Linux on all servers/cluster, OS X on all desktops. All passwords are stored on an OpenLDAP server and home directories on NFS3/4 fileservers.
What this means is this:
Person A can login into their account on an OS X Lion machine, their home directory is attached via NFS and everything works as expected. Person A then does a logout.
Person A then logs back in but enters Person B's name and anything they like for the password, the OS X machine does not reject the password but accepts it and logs A in as B complete with attaching their NFS directory. Person A can now access anybodies files they like because Lion ignores the password.
A serious serious case, of course you may argue that root could do this anyway exploiting the known loopsholes in NFS but the point is this is not a root loophole this is a user doing it.
Until this is fixed Lion is not going on our desktop machines.

Possible Solution (1)

Alan Evans (875505) | more than 3 years ago | (#37257724)

My company uses OpenLDAP for user authentication in the datacenter and ran across a strange problem that seems very similar to this. It was present in at least OpenLDAP 2.4.16. We tracked it down to a weird problem in the password policy overlay. If I recall right it was the password policy overlay was returning a successful response to updating the last failed login time attribute but that was being passed up and causing binds to return true also. Our solution was to remove the password policy overlay and we have not gone back to revisit it.

I do not know if OpenLDAP in Lion uses the password policy overlay but if it does it would be an easy test to disable it and see if the problem persists. I post here because I don't really feel like registering to a Mac related forum that I will only post once on. I hope someone finds this and finds it useful.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?