Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Lion LDAP Vulnerability Emerges

Posted by Soulskill on from the mash-keyboard-for-access dept.

hypnosec tips a bit of Apple news from late last week that got overshadowed by the headlines about Steve Jobs. According to El Reg, "People logging in to Macs running OS X 10.7, aka Lion, can access restricted resources using any password they want when the machines use a popular technology known as LDAP for authentication. Short for Lightweight Directory Access Protocol, LDAP servers frequently contain repositories of highly sensitive enterprise data, making them a goldmine to attackers trying to burrow their way into sensitive networks." Initial reports about this bug cropped up less than a week after Lion was released.

2 of 97 comments (clear)

  1. Re:Security theater a little by Spad · · Score: 5, Informative

    *IF* this vulnerability allowed you to authenticate to AD Domain Controllers with administrative rights then you would be able to dump the SAM database and potentially gain access to all of the user credentials, but then if you could authenticate to a DC as an admin why would you bother when you can just setup your own credentials or modify account permissions directly?

    But it doesn't, so you're getting usernames, machine names, a bit of contact info, a lastlogontimestamp and a few other bits and pieces that in most cases anyone with regular user credentials on the domain would be able to access anyway (Most people don't seem to realise that a lot of fields on AD accounts are readable by any authenticated user).

    Except you're not even getting that because as far as I can tell this only affects logging on locally to an OSX Lion client.

    Storm, meet Teacup.

  2. This has been on a few sites by jimicus · · Score: 4, Informative

    IMV, it's not as bad as it's made out.

    The way LDAP authentication is supposed to work is:

    1. Client connects to server to find exactly where in the tree the user's information resides (the user's DN). This is not particularly sensitive - it's usually done either anonymously or with an account with very little privileges.
    2. Client drops the connection then tries to re-connect using the DN it found out in (1) and the password supplied by the user.
    3. If the server responds that the login has succeeded, let the user use the service. If not, refuse.

    A number of people have followed the logs on their LDAP servers and established that OS X Lion isn't carrying out step 2 at all. So provided the user ID supplied is valid, the user can log into the computer.

    It's important to note that this process is repeated for every process you want to use. Kerberos makes life a little easier (the server supplies a token to say "This user has logged in OK" and that token can be used to authenticate against services that support Kerberos). In any case, the person is logged into the computer but cannot access network resources. Nevertheless, it's an absurd fault that should have been picked up in testing, I have no idea how it could possibly slip the net.