
Groupwise 6 LDAP user authentication bypass



25th Feb 2002 [SBWID-5123]
COMMAND

	Groupwise 6 LDAP user authentication bypass

SYSTEMS AFFECTED

	Groupwise 6

PROBLEM

	Frank Bulk posted:

	The problem occurs in the following configuration: a GroupWise 6 Post
	Office using LDAP authentication, AND the Post Office security
	configuration leaves the LDAP User Name and Password fields blank in the
	Post Office Agent object in ConsoleOne.
	

	Exploit:
	========

	Run GroupWise as any user (either "grpwise /@u-?" or, if you are not
	NDS authenticated, whatever the registry has stored as the last person
	who logged into GroupWise) and leave the password blank. Hit enter a
	couple of times and you will get right into the account.
	

	Note:
	=====

	This isn't technically a bug, but a configuration issue. In accordance
	with the LDAP v3 RFC 2251, an LDAP bind in which a username is provided
	but a password is not [i.e. blank] is treated as an anonymous bind. This
	means that a bind is granted to users providing a username but no
	password. The bind granted is an anonymous bind but, based on
	limitations in the LDAP spec, most LDAP implementations do not provide
	any indication that the bind is in fact anonymous. GroupWise relies on
	the success or failure of a bind to determine whether a user's username
	and password are authentic when LDAP authentication is being used [if
	you put LDAP trace on you will see that blank passwords become anonymous
	binds]. The problem is in the RFC, not GroupWise. Once we realized that
	the RFC had the hole, we made a change in the POA.
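	The note above describes a client that equates "bind succeeded" with
	"password verified", and a protocol in which a bind with a name but an
	empty password succeeds without being authenticated. The following
	Python model, added here as an illustration and not part of the original
	advisory or of any Novell code, encodes that behaviour in a constructed
	in-memory stand-in for an LDAP server and contrasts the trusting client
	with one that refuses blank credentials. The server flag
	allow_unauthenticated_bind, the sample DN and password, and the two
	authenticate functions are assumptions made for the example; the result
	codes are the standard LDAP values (success = 0, invalidCredentials = 49,
	unwillingToPerform = 53), and the server-side default of rejecting
	unauthenticated binds follows the later RFC 4513 guidance rather than the
	RFC 2251 behaviour the note describes.

```python
"""Model of the blank-password LDAP bind pitfall.

A simple bind that carries a DN but an empty password is an
"unauthenticated" bind: the server grants it as anonymous, yet answers
resultCode success (0) exactly as it would for a verified password.
A client that treats success as proof of the password therefore admits
anyone who leaves the password blank.

Everything here is a constructed in-memory stand-in; no real directory
is contacted.
"""
from dataclasses import dataclass, field

# Standard LDAP resultCode values.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_UNWILLING_TO_PERFORM = 53

# Constructed sample directory: DN -> password (assumption for the example).
SAMPLE_DIRECTORY = {
    "cn=alice,ou=users,o=example": "correct horse battery staple",
}


@dataclass
class FakeLdapServer:
    """Minimal simple-bind semantics with a switch for unauthenticated binds.

    allow_unauthenticated_bind=True reproduces the RFC 2251-era behaviour the
    advisory describes; False reproduces the RFC 4513 recommendation that
    servers reject such binds with unwillingToPerform by default.
    """
    allow_unauthenticated_bind: bool = False
    directory: dict = field(default_factory=lambda: dict(SAMPLE_DIRECTORY))

    def simple_bind(self, dn: str, password: str) -> int:
        """Return the resultCode of a simple bind for (dn, password)."""
        if dn and password == "":
            # Name present, password absent: an unauthenticated bind.
            # When allowed, it succeeds, but only as anonymous; the
            # resultCode alone does not reveal that.
            if self.allow_unauthenticated_bind:
                return LDAP_SUCCESS
            return LDAP_UNWILLING_TO_PERFORM
        if self.directory.get(dn) == password:
            return LDAP_SUCCESS
        return LDAP_INVALID_CREDENTIALS


def naive_authenticate(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Trusts bind success as proof of the password: the pattern the note warns about."""
    return server.simple_bind(dn, password) == LDAP_SUCCESS


def hardened_authenticate(server: FakeLdapServer, dn: str, password: str) -> bool:
    """Refuses empty or whitespace-only credentials before any bind is sent.

    With this check in place, the client is safe even against a server that
    still grants unauthenticated binds.
    """
    if not dn or not password or not password.strip():
        return False
    return server.simple_bind(dn, password) == LDAP_SUCCESS


if __name__ == "__main__":
    dn = "cn=alice,ou=users,o=example"
    legacy = FakeLdapServer(allow_unauthenticated_bind=True)
    print("naive, blank password, legacy server:", naive_authenticate(legacy, dn, ""))
    print("hardened, blank password, legacy server:", hardened_authenticate(legacy, dn, ""))
    print("hardened, real password:", hardened_authenticate(legacy, dn, SAMPLE_DIRECTORY[dn]))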

SOLUTION

	Patch : see TID 10067921, fix FGW62N4.EXE
	

	Workaround :
	

	Without implementing  the  new  code,  the  issue  can  be  resolved  as
	follows: Fill in the LDAP User Name and  Password  fields  in  the  Post
	Office Agent object in ConsoleOne. The LDAP User Name is the  eDirectory
	account that the POA, the Internet Agent, and the  WebAccess  Agent  can
	use to log in to the LDAP server  in  order  to  authenticate  GroupWise
	users.
	

	Pro: this approach to LDAP authentication is faster and  requires  fewer
	connections  to  the  LDAP  server   than   if   each   GroupWise   user
	authenticates to the LDAP server individually.
	

	Con: From within GroupWise, users will not be able to use grace  logins,
	nor will they be able to change their LDAP passwords.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH