lafikl / yubico-yubiserve

Automatically exported from code.google.com/p/yubico-yubiserve
GNU General Public License v3.0
1 stars 0 forks source link

[security breach] Making the server fail #23

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Send to the validation server the OTP 
"&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
2. Observe how the server does not answer anything

What is the expected output? What do you see instead?
Expected output is BAD_OTP. However, there is no output at all instead.

What version of the product are you using? On what operating system?
SVN version on gentoo

Please provide any additional information below.
The problem might lie in the regex check in yubiserve.py:113. We are not 
checking that the regex actually matched. Indeed, the code seems to expect the 
call to group(1/2) to raise an IndexError and to treat it accordingly.

However, the manual states that such exceptions are only raised if you try to 
get a number higher than the actual number of groups *defined* in the regex. If 
the group exists in the regex but was not found, no exception is generated and 
a None value is returned. Here, the if is therefore false (but nothing is 
raised) and nothing is done.

Original issue reported on code.google.com by Eltrai on 28 Jan 2013 at 8:12

GoogleCodeExporter commented 9 years ago
I am aware of a number of ways to get no output at all.  I guess we should try 
and ensure that if something unexpected happens, it does return BAD_OTP rather 
than nothing.  

Original comment by n...@linuxsolutions.co.nz on 28 Jan 2013 at 8:31

GoogleCodeExporter commented 9 years ago
Well, the main problem I find in having no output is that the application 
relying on the validation server (typically, our pam-yubico) will assume 
yubiserve is down which may (depending on how strict you are) trigger a 
fallback policy (what we are doing in this case is allowing the login to bypass 
the 2-step auth, with a broadcasted warning). Therefore, this technique is an 
efficient way of bypassing the entire OTP system.

Original comment by Eltrai on 29 Jan 2013 at 1:02

GoogleCodeExporter commented 9 years ago
I agree we need to fix it.  I had not look into the behavior of pam-yubico when 
a blank response is received. 

From my testing, I am getting the error with urllib.unquote_plus, where it does 
not throw an exception, but seems to exit, if it is passed an empty string.

http://code.google.com/p/yubico-yubiserve/source/browse/trunk/yubiserve.py#219

In my test, I added:

  if len(keyVal[0]) == 0:
     print "error"
     return dict

at line 218.

Original comment by glen.ogilvie@gmail.com on 29 Jan 2013 at 2:50

GoogleCodeExporter commented 9 years ago
I've made some changes, committed in r57 to check the input a little more and 
output an error.

Please feel free to test it and find other issues, or let me know if I've 
missing something.

Original comment by glen.ogilvie@gmail.com on 29 Jan 2013 at 5:24

GoogleCodeExporter commented 9 years ago
The patch fixes the problem for me. Thanks a lot !

Original comment by Eltrai on 4 Feb 2013 at 2:48

GoogleCodeExporter commented 9 years ago
patch resolves issue.

Possible redundant try / catch, line 119.

Original comment by glen.ogilvie@gmail.com on 4 Feb 2013 at 10:33