
server configured for SSO will trust any gateway talking to it?

Started by prikala, 18 Feb 2009 05:52:41 AM


prikala

Correct me if I am wrong with this: when a namespace is configured for SSO, the dispatcher (or actually accessmanager/contentmanager) will trust REMOTE_USER from any gateway that can connect to it.

Example:
Initially: the gateway is on "realGW" and the server (dispatcher & contentmanager) is on
"trustingSRV".
Users are authenticated automatically by the web server on "realGW".
When a user authenticates, the web server sets REMOTE_USER, the C8 gateway (on "realGW")
passes that data to the C8 server on "trustingSRV" and everything is fine.

Now a malicious user that has network access to the dispatcher port on "trustingSRV"
wants to run sensitive reports as the "bigboss" user. He does not know the
password of "bigboss". He has access to the dispatcher because he does
FM modeling from his workstation (and because of the FM configuration he also
must know the Security/Cryptography/Cognos/Password of Cognos Configuration
if that is set on the server).

The malicious user installs his very own C8 gw on his workstation and configures
it to use "trustingSRV" as dispatcher. Next he creates a local operating
system user "bigboss" with password "password" (remember, this is not the password
of "bigboss" in the authentication namespace used by "trustingSRV").
The malicious user then configures the web server on his workstation to use
OS authentication with his c8-gw virtual directory.
Now the malicious user can access his own gateway, identify himself as "bigboss"/"password"
(remember, his private web server uses local OS accounts for authentication). His gateway
sends "bigboss" as the REMOTE_USER value. "trustingSRV" trusts REMOTE_USER and
now the malicious user is using "trustingSRV" as "bigboss" with no need to know
the password of "bigboss". All he needed was control of his local workstation,
his own C8 gw and his own web server (IIS).

I actually tested this with the following setup:
- C8 server: Linux using an LDAP namespace configured for SSO
- real GW (not really needed in the "attack"): Oracle HTTPD/Apache with mod_osso
- Workstation running Windows XP

I can access the C8 server as any LDAP user I want without knowing any passwords.
All I need is to add users (with the same names as the LDAP users) as local users
on my XP workstation.

Is C8 security really this weak or am I missing something?

kolonell

In some points you're correct. Inherently REMOTE_USER (R_U) SSO is easily spoofed, but that is not something C8 can be held accountable for.

How have you enabled SSO for the LDAP namespace? Is it possible that you have a replace() macro (in the external identity mapping) that strips out the "DOMAIN\" (or "WORKSTATION\") part from REMOTE_USER? One workaround for that would be to create users in your LDAP that resemble "DOMAIN\USER" so that locally created users will not match this (as the REMOTE_USER for local users will typically be constructed as "WORKSTATION\USER").

prikala

Identity mapping is set as: "(uid=${environment("REMOTE_USER")})".

If spoofing is impossible to avoid (I am starting to believe it is), then a simple solution would be:
no sensitive data on development/test servers, production servers behind a firewall, only the gw computer having access to the dispatcher, and FM access in production only for really, really good reasons (in fact there should be no need for FM in production).

kolonell

no argument here ..  ;D

Another good one would be to use Kerberos, but seeing that your CM is running on Linux, that is not an option for you.