From 4cce1663f67892b11c03f2601825f9e256c1ca5b Mon Sep 17 00:00:00 2001
From: William Brown
Date: Aug 09 2017 00:03:42 +0000
Subject: Ticket 49336 - SECURITY 1.3.5.x: Locked account provides different return code

Backport to 1.3.5.x

Bug Description: The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. During this lockout, if you bind with a successful password, a different error code is returned. This means that an attacker has no ratelimit or penalty during an account lock, and can continue to attempt passwords via bruteforce, using the change in return code to ascertain a sucessful password auth.

Fix Description: Move the account lock check *before* the password bind check. If the account is locked, we do not mind disclosing this as the attacker will either ignore it (and will not bind anyway), or they will be forced to back off as the attack is not working preventing the bruteforce.

https://pagure.io/389-ds-base/issue/49336

Author: wibrown

Review by: mreynolds (thanks)

---

diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 3054c1f..118b623 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -722,10 +722,7 @@ do_bind( Slapi_PBlock *pb )
 }
 slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database );
 set_db_default_result_handlers(pb);
- if ( (rc != 1) &&
- (auto_bind ||
- (((rc = (*be->be_bind)( pb )) == SLAPI_BIND_SUCCESS) ||
- (rc == SLAPI_BIND_ANONYMOUS))) ) {
+ if ( rc != 1) {
 long t;
 char* authtype = NULL;
 /* rc is SLAPI_BIND_SUCCESS or SLAPI_BIND_ANONYMOUS */
@@ -783,6 +780,10 @@ do_bind( Slapi_PBlock *pb )
 myrc = 0;
 }
 if (!auto_bind) {
+ rc = (*be->be_bind)( pb );
+ if (rc != SLAPI_BIND_SUCCESS && rc != SLAPI_BIND_ANONYMOUS) {
+ goto account_locked;
+ }
 /*
 * There could be a race that bind_target_entry was not added
 * when bind_target_entry was retrieved before be_bind, but it
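Review bot: The new failure path in the second hunk sends every non-success, non-anonymous result of `be_bind` to `goto account_locked;`, so an ordinary wrong-password bind on an unlocked account now leaves through the same exit as a locked account; that label and its handling are outside the hunk, so confirm that the failed-bind counter is still incremented there and that the client still gets the plain invalid-credentials result rather than anything lockout-specific, otherwise the lock state would be disclosed in the opposite direction from the one the commit accepts. Because `be_bind` now runs after the code between the two hunks, also confirm that nothing in that stretch records the connection as authenticated (bound DN, authtype) before the password has actually been checked. A one-line comment at the jump would make the intent survive the misleading label name, e.g. `/* wrong password on an unlocked account: presumably shares the account_locked failure exit -- keep its result code indistinguishable from the lockout case (ticket 49336) */`. The first hunk keeps the comment `/* rc is SLAPI_BIND_SUCCESS or SLAPI_BIND_ANONYMOUS */`, which is now stale: at that point `be_bind` has not been called yet and rc is only known to be `!= 1`. do_bind begins and ends outside both hunks.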