Lion + LDAP = Authentication Bypass
Around a month ago, Mac OS X Lion (10.7) was found to have a fairly severe vulnerability when configured to use an LDAP server for authentication. In such a configuration, the system accepts any username or password upon login. This affects both the user interface, but also remote login such as SSH. This issue does not affect normal Lion users who haven’t set up an LDAP server.
Details of the issue aren’t well known, and as much as I’d like to reproduce the issue, I’m too lazy to set up an LDAP server to do it. My guess is that OSX queries the LDAP server, but a bug in the authentication and authorization code makes it so that the user is granted access regardless of whether a login failure is received from the server. I’ve heard reports that it’s possible to login using any non-existent username (with some errors about invalid home directories), but then it begs the question: who do you end up logged in as, and what privileges do you have? If you login with a known username, then you get access in the context of that user. I can’t say for certain, but this vulnerability should not allow a user using an invalid password to gain access to network resources that rely on that user’s authentication credentials, just the local system.
Apple hasn’t yet acknowledged the issue as far as I know, and it’s surprising that no patch was issued with 10.7.1. Perhaps a fix will come in the form of a security update, or the upcoming 10.7.2 update. In the meantime, consider disabling LDAP authentication on Lion systems to prevent unauthorised access.
WordPress 3.0.3 Fixes Authorization Issues
Hot on the heels of the previous update that patched an authenticated SQL injection vulnerability, WordPress have released version 3.0.3 which fixes authorization issues in the remote publishing interface. The vulnerability may allow Author and Contributor-level users to improperly edit, publish, or delete posts. WordPress state:
These issues only affect sites that have remote publishing enabled.
I would also add that these issues only affect sites that actually have Author and Contributor-level users. If you’re the only user of your blog, you don’t need to be worried (but update anyway).
Remote publishing is enabled and disabled in Settings > Writing > Remote Publishing.
iPhones Make Automatic Skype Calls
A researcher has found that iPhones can be duped into making Skype calls without first prompting the user. This is due to the way that iOS handles URL Schemes, which are used by applications to launch other applications. Just like http:// tells safari to open the specified website, tel:// informs the phone app to call the specified number. For the key built-in calls, such as tel://, the user is prompted to make sure the action is intended.
Some applications define their own URL Schemes, and Skype is one such app. However these third party apps do not ask for permission before performing actions defined by that URL. This potentially allows websites to track iPhone users (via the Mobile Safari User Agent), and then embed an invisible iframe that forces Skype to open (if installed) and call the number.
<iframe src=”skype://1900expensivepremiumnumber?call”></iframe>
This is just one example of how this can be abused, and there are many other apps which may define their own URL Schemes.
There are two ways this should probably be fixed. Apple should prompt the user before switching to the app specified by the URL Scheme. So in the case of the iframe above, iOS would pop up a warning saying: “This website wants to open Skype”, and the user could click on Ok/Cancel. Secondly, but in some ways more urgent, third party app developers should prompt the user before performing actions based on a URL.
Loading ...
