Discussion:
[gt-user] Grid mapfile double-quote injection vulnerability
Paul Hopkins
2014-10-16 14:11:50 UTC
Hi all,

We currently use Globus tools within our organisation to allow our users to
access a number of compute clusters. To manage the grid mapfiles across all
of the cluster sites we have developed software that periodically downloads
information from a central LDAP and updates the mapfile at each site. In
order for users to manage their own grid subjects there is a webpage which
allows the user to enter their grid subjects and these are then stored
unsanitised in the LDAP. We have now realised that by adding extra
double-quote characters it is possible for users to enter malicious
subject entries which would allow them to log in to other people's accounts.
For example, if I enter a subject

/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins ***@ligo.org" albert.einstein "

Then our tool would enter it into the mapfile as:

"/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins ***@ligo.org" albert.einstein "" paul.hopkins

which allows me to log in as albert.einstein.

I realise that the problem is entirely our own creation and we have now
taken steps to prevent unescaped double quotes from being allowed through.
However, during my research I found that the Globus tool
grid-mapfile-add-entry also allows one to insert potentially dangerous
subject entries. For example:

# SUBJECT='/DC=org/DC=example/DC=grid/CN=Joe User" root "'
# grid-mapfile-add-entry -dn "${SUBJECT}" -ln joe.user
Modifying /etc/grid-security/grid-mapfile ...
New entry:
"/DC=org/DC=example/DC=grid/CN=Joe User" root "" joe.user

Furthermore, grid-mapfile-check-consistency does not pick up on the problem
either. However, it does complain if you separate the user list with a
comma and a space:

Checking /etc/grid-security/grid-mapfile grid mapfile
Verifying grid mapfile existence...OK
Checking for duplicate entries...
ERROR: Missing double quotes in the following entry:
"/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins ***@ligo.org"
paul.hopkins, joe.user
OK
Checking for valid user names...OK

I wonder if it is sufficient to just check for unescaped double quotes? It
may be possible to use new-lines, but our workflow does not allow this. Are
there any other things we should be looking for? Should the Globus tools
pick up on these problems?

Thanks in advance,

Paul
--
Paul Hopkins
Computational Infrastructure Scientist
Cardiff University

***@astro.cf.ac.uk
Office: +44 (0)2920 876964
Joseph Bester
2014-10-16 19:14:03 UTC
These are intended to be used by sysadmins, and it's pretty explicit about what it does, so it should hopefully be clear when weird things are being added to the gridmap.

That said, it would be good to have some better error checking:
- Escape quotes in the DN passed on the command-line
- Check that the LN strings are valid usernames before they get mushed together into a shell string separated by whitespace
- Improve the gridmap parsing in the part that checks if the DN is already in the gridmap

As to your other question about newlines, the gridmap parser that the services use parses a line at a time, so I don't think newlines in quoted strings should affect it at all.

I've added an issue to our tracker, though I think it's a fairly low-priority issue: https://globus.atlassian.net/browse/GT-564

Joe
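The injected entry from the original post, read back by a line-at-a-time mapfile reader, beside the two checks Joe proposes (escape quotes in the DN, validate the local usernames). This is an added Python example, not Globus code or the poster's LDAP sync tool; the mapfile model (quoted DN with backslash escapes, usernames split on commas or whitespace), the username pattern and the sample values are assumptions.

```python
import re

# Constructed from the thread: the subject a user submitted, complete with the
# extra double quotes, and the local account the site actually meant to map it to.
MALICIOUS_DN = '/DC=org/DC=cilogon/C=US/O=LIGO/CN=Paul Hopkins" albert.einstein "'
INTENDED_USERS = ['paul.hopkins']

# Assumption: a local username is letters, digits, '.', '_' or '-', not starting with '-'.
USERNAME_RE = re.compile(r'^[A-Za-z0-9._][A-Za-z0-9._-]{0,31}$')


def naive_format(dn, users):
    """The vulnerable behaviour: wrap whatever was stored in quotes, no checks."""
    return '"%s" %s' % (dn, ','.join(users))


def parse_entry(line):
    """Read one mapfile line as (dn, [usernames]): a quoted DN in which a backslash
    escapes the next character, then usernames split on commas or whitespace.
    Assumed model of the format, not the Globus parser itself."""
    line = line.strip()
    if not line.startswith('"'):
        raise ValueError('DN must be double-quoted')
    dn, i = [], 1
    while i < len(line) and line[i] != '"':
        if line[i] == '\\' and i + 1 < len(line):
            i += 1                      # keep the escaped character literally
        dn.append(line[i])
        i += 1
    if i >= len(line):
        raise ValueError('unterminated DN')
    users = [u for u in re.split(r'[\s,]+', line[i + 1:]) if u]
    return ''.join(dn), users


def dn_has_unescaped_quote(dn):
    """True if any '"' in dn is not preceded by an odd run of backslashes."""
    return re.search(r'(?<!\\)(?:\\\\)*"', dn) is not None


def hardened_format(dn, users):
    """Escape the DN and refuse anything that is not a plausible local username,
    so a quote inside the subject can never start a new field."""
    if any(c in dn for c in '\r\n\0'):
        raise ValueError('control character in DN')
    bad = [u for u in users if not USERNAME_RE.match(u)]
    if bad:
        raise ValueError('invalid local usernames: %r' % bad)
    escaped = dn.replace('\\', '\\\\').replace('"', '\\"')
    return '"%s" %s' % (escaped, ','.join(users))
```

With the naive writer the line parses to three usernames, the first of which is albert.einstein; with the hardened writer the same subject round-trips to a single DN string mapped only to paul.hopkins.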
Paul Hopkins
2014-10-20 08:16:51 UTC
Hi Joe,

Thanks for looking at this; it definitely answers my question. So I think
that in our case it is sufficient to just check for unescaped double quotes
in DN strings.

Thanks again,

Paul
--
Paul Hopkins
Computational Infrastructure Scientist
Cardiff University

***@astro.cf.ac.uk
Office: +44 (0)2920 876964