mumble-voip / mumble

Mumble is an open-source, low-latency, high quality voice chat software.
https://www.mumble.info

Old certificate exploit grants admin access #1824

Closed Nemecle closed 4 years ago

Nemecle commented 9 years ago

I'm an administrator on a mumble server which is hosted by another company (mumble-server.com) which is not a dedicated server (the only thing we can really do on the server itself is to reboot it), so unfortunately I don't have a lot of information to provide. Basically, we were in the frenzy of renaming every connected person on the server using puns, but then someone randomly found a nasty exploit: he disconnected, deactivated the certificate check on the client side (in the network settings; my mumble being in French, it's "désactiver le certificat et l'enregistrement des mots de passe"), changed his name in the server connection settings to the username of one of the administrators (an old one who doesn't even come anymore) and when he connected... he had full access. We narrowed down the possible reasons to the fact that it is an old certificate, as newer certificates like mine ask for a password on login. We deleted the 'corrupted' certificate on the server side; the person is currently unreachable but I'll try to get his client-side certificate for more information.

mkrautz commented 9 years ago

If he activated the "Suppress certificate and password storage", no certificate was sent to the server.

Was he asked for a password when connecting to the server with the name of the person who was previously an admin?

If so, could it perhaps be that that admin used the same password as the one that is used as the server password?

Also, you note in your issue report that "newer" certificates prompt for a password when you connect. That isn't the case. Certificates will not prompt for a password when connecting to a server. Mumble will only ask for a password if the server is password protected. If your user is registered with the server, it should not even prompt for a password, even if the server is password protected.

Nemecle commented 9 years ago

No, he wasn't asked any password; also, it does ask for a password if you don't have the correct certificate. As you are one of the developers, I think you know the code better than I do, so it might be a translation mistake. When I change my certificate for a dummy one but try to connect under my admin username I get this dialog. It says in French: "bad certificate or password for registered user. If you are sure that this user is password protected, please try again. Otherwise, cancel the operation and check your certificate and username".

mkrautz commented 9 years ago

Yes, if you connect using a certificate different to the one that is registered, you will get the prompt.

Filling out the password field is only valid if your user has a password set (then it will be the user's password), or if there is a server password set (then the password you put in there can be the server password).
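To make the login rules mkrautz lays out above concrete, here is an added model of the decision (written for this page, not Mumble's own code); the fingerprint and password hashing, the `RegisteredUser` shape, and the assumption that the server password alone never grants a registered identity are mine.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class RegisteredUser:
    cert_fingerprint: Optional[str]  # fingerprint of the registered client certificate
    password_hash: Optional[str]     # set only if the host lets users have a password

def fingerprint(cert_der: bytes) -> str:
    """Certificate fingerprint; SHA-256 over the DER bytes is a hypothetical choice."""
    return hashlib.sha256(cert_der).hexdigest()

def pw_hash(password: str) -> str:
    """Hypothetical password hash used by this model's registry."""
    return hashlib.sha256(password.encode()).hexdigest()

def login(name, cert_der, password, registry, server_password):
    """Decide what a login attempt yields, following the rules stated in the thread.

    'registered': the attempt proves ownership of the registered name (matching
                  certificate, or the user's own password after the prompt)
    'guest':      connection allowed without that identity (and its ACL rights)
    'prompt':     registered name, wrong/no certificate, no password given yet
    'denied':     everything else
    """
    user = registry.get(name)
    if user is None:
        # Unregistered name: only the server password gates the connection.
        if server_password is None or password == server_password:
            return "guest"
        return "denied"
    # Registered name: a matching certificate is sufficient, no prompt at all.
    if cert_der is not None and user.cert_fingerprint == fingerprint(cert_der):
        return "registered"
    # Wrong or missing certificate: the "bad certificate or password" dialog.
    if password is None:
        return "prompt"
    if user.password_hash is not None and pw_hash(password) == user.password_hash:
        return "registered"
    # Assumption: the server password alone never grants the registered identity,
    # so an unknown client sending only a registered name must stop here.
    return "denied"
```

The reported incident (registered admin name, no certificate, no password, full rights) is exactly the path this model refuses; the one case where a stranger gets the identity is a user password that is also the server password, which is the hypothesis raised earlier in the thread.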

mkrautz commented 9 years ago

When you check the connection info of the person who connected with the user name of the person who was previously an admin, can you confirm that no certificate is shown there? That is, that the user surely is not connected with a client certificate.

Also, do you have a server password set for the server?

Nemecle commented 9 years ago

I can no longer check it as we deleted the admin user on the client side. Also, it's a public server, so we don't have a server password. Sorry for the lack of information.

mkrautz commented 9 years ago

OK. (I know this is separate from your reported issue, but...) I am curious how you log in then, if you get the prompt you showed above.

Does your Mumble host allow you to set passwords for users? If not, what password do you type in there? (Obviously, do not tell me). Because if it isn't the server password, and it isn't a password for your user... What is it?

It should not let you through if it is neither of the above.

So, I guess my question is... Do you get the dialog shown above? On every login? And you can log in, even when you connect with a wrong certificate?

mkrautz commented 9 years ago

Also, a question to the initial bug report:

Was the admin in question deleted when the other user tried to connect with his or her name?

Or not yet deleted?

Nemecle commented 9 years ago

Yeah, sure, no problem; this issue seems doomed as I don't have enough information anyway. I don't think so, at least I don't know how to do it and never saw such an option. I have no idea which password to type in; I've never gotten past this pop-up. The admin was not deleted before: he still has (had) his access, and the rare times he comes he still has (or at least had) admin privileges. It was deleted server-side after the incident.

Nemecle commented 9 years ago

By the way, if you want to see the pop-up for yourself, you can try connecting to demeter.mumbe-serveur.com, port 18036, with the username "nemecle"; you should get the same message.

Krzmbrzl commented 4 years ago

Is this reproducible with Mumble 1.3? The provided example server doesn't seem to exist anymore, so I can't check.

no-response[bot] commented 4 years ago

This issue has been automatically closed because there has been no response to our request for more information. With only the information that is currently in the issue, we don't have enough information to take action.

Please reach out if you have or find the answers we need so that we can investigate further (or if you feel like this issue shouldn't be closed for another reason).