
auth bypass via REGISTER command #1634

Closed
slingamn opened this issue Apr 25, 2021 · 0 comments

Comments

@slingamn
Member

slingamn commented Apr 25, 2021

This appears to originate in 9ed789f, but wasn't caught until @ajaspers reported it today. So the affected releases are 2.4.0, 2.5.0, 2.5.1, and 2.6.0. It is fixed in 2.6.1 and master.

The main vulnerability here is for configurations that enable server.password (not a default) and leave accounts.registration.allow-before-connect enabled (a default). From there, there are four potential configurations:

  1. login-via-pass-command=true, skip-server-password=false (these are the defaults). This configuration is disallowed and fails with the error: Using a server password and login-via-pass-command requires skip-server-password as well
  2. login-via-pass-command=true, skip-server-password=true (i.e., setting skip-server-password to true). This allows an authentication bypass via the REGISTER command (which is allowed before connection registration).
  3. login-via-pass-command=false, skip-server-password=false (i.e., setting login-via-pass-command to false). This does not allow an authentication bypass, but allows unauthenticated users to reserve account names via the REGISTER command, which is a lesser vulnerability.
  4. login-via-pass-command=false, skip-server-password=true (i.e., changing both of the default values for these fields); this is an authentication bypass as in case 2.

There is a secondary issue around documenting the interactions between allow-before-connect and require-sasl. This is described in more detail in the changelog:

Private servers that use accounts.require-sasl for protection. If these servers do not additionally set accounts.registration.enabled to false, the REGISTER command can potentially be used to bypass authentication. Affected operators should set accounts.registration.enabled to false; this recommendation appeared in the operator manual but was not emphasized sufficiently. (Configurations that require SASL but allow open registration are potentially valid, e.g., in the case of public servers that require everyone to use a registered account; accordingly, Oragono 2.6.1 continues to permit such configurations.)
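As an added illustration (not code from the Oragono project or from this issue), the following Go check encodes the four configuration cases above and the require-sasl note as a defender-side config audit; the Config struct, its field layout and the sample values are assumptions constructed for this example.

```go
package main

import "fmt"

// Severity of an audit finding.
type Severity int
const (
	Info     Severity = iota // refused at startup, so no exposure
	Warning                  // lesser issue or likely-unintended combination
	Critical                 // authentication bypass
)
// Config carries only the settings named in the issue; the struct layout is an
// assumption for this example, not Oragono's real configuration types.
type Config struct {
	ServerPassword      string // server.password; "" means unset
	AllowBeforeConnect  bool   // accounts.registration.allow-before-connect
	RegistrationEnabled bool   // accounts.registration.enabled
	LoginViaPassCommand bool   // login-via-pass-command
	SkipServerPassword  bool   // skip-server-password
	RequireSASL         bool   // accounts.require-sasl
}

type Finding struct{ Severity Severity; Message string }
// Audit applies the four cases from the issue plus the require-sasl note.
func Audit(c Config) []Finding {
	var out []Finding
	if c.ServerPassword != "" && c.AllowBeforeConnect {
		switch {
		case c.LoginViaPassCommand && !c.SkipServerPassword: // case 1
			out = append(out, Finding{Info, "refused at startup: login-via-pass-command requires skip-server-password"})
		case c.SkipServerPassword: // cases 2 and 4
			out = append(out, Finding{Critical, "REGISTER before connection registration bypasses server.password; set allow-before-connect=false or upgrade to 2.6.1"})
		default: // case 3
			out = append(out, Finding{Warning, "unauthenticated clients can reserve account names via REGISTER"})
		}
	}
	if c.RequireSASL && c.RegistrationEnabled {
		out = append(out, Finding{Warning, "require-sasl with registration enabled; set accounts.registration.enabled=false unless open registration is intended"})
	}
	return out
}

func main() { // constructed sample: the case-2 configuration from the issue
	cfg := Config{ServerPassword: "hunter2", AllowBeforeConnect: true, LoginViaPassCommand: true, SkipServerPassword: true}
	for _, f := range Audit(cfg) {
		fmt.Printf("[%d] %s\n", f.Severity, f.Message)
	}
}
```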

@slingamn slingamn changed the title placeholder issue auth bypass via REGISTER command Apr 26, 2021
@slingamn slingamn added the bug label Apr 26, 2021
slingamn added a commit that referenced this issue Apr 26, 2021
fix #1634 (forward-porting to master)
slingamn added a commit to slingamn/ergo that referenced this issue Apr 27, 2021
Configurations with require-sasl and open account registration are valid,
but likely unintended. Show a warning about them.
slingamn added a commit that referenced this issue Apr 27, 2021