The "user" parameter in the HTTP URI "/ipa/session/login_password" is inserted into the "run" function from the file "ipautil.py". Then it is passed as an argument to "subprocess.Popen". As a result, the following list is passed: "args=['/usr/bin/kinit', '{user params}', '-c', '/run/ipa/ccaches/kinit_13704', '-T', '/run/ipa/ccaches/armor_13704', '-C', '-E']". If instead of "{user params}" there is a string such as "-V", then it will be taken as an argument for "kinit". As a result, remote attackers can use options such as "-t", "-X", "-S" or "-I" for DoS, or use a keytab file from the system to log in as participants without a password.
Simple request: user=-H&password=0000000
With multiple parameters: user=-Vkt&password=0000000
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=2262169
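As an added example (not code from the ticket, from FreeIPA or from MIT krb5), the following Python models the argv construction described in the report and shows how a getopt-style option parser, as used by kinit, would see it when "user" starts with a dash. The option letters in KINIT_OPTS are a constructed subset modelled on kinit's documented switches, the ccache paths are the ones quoted above, and the hardened builder (reject a leading "-" and pass the name after "--") is an illustrative mitigation, not a claim about the project's actual fix.

```python
import getopt

# Constructed subset of kinit's short options (assumption, modelled on the
# kinit(1) synopsis): options followed by ':' take an argument.
KINIT_OPTS = "Vkit:c:T:S:X:I:CE"

CCACHE = "/run/ipa/ccaches/kinit_13704"   # paths quoted in the ticket
ARMOR = "/run/ipa/ccaches/armor_13704"


def build_kinit_argv(user, ccache=CCACHE, armor=ARMOR):
    """Argv shape reported in the ticket: the request's "user" value is
    placed directly after the program name, before any fixed options."""
    return ["/usr/bin/kinit", user, "-c", ccache, "-T", armor, "-C", "-E"]


def parse_as_kinit(argv):
    """Model kinit's getopt() loop (glibc permutes, so gnu_getopt is the
    closer match).  Returns the options kinit would act on, the positional
    arguments (where the principal name is expected), and any parse error."""
    try:
        opts, positional = getopt.gnu_getopt(argv[1:], KINIT_OPTS)
        return {"options": opts, "positional": positional, "error": None}
    except getopt.GetoptError as exc:
        # kinit would print usage and exit non-zero here.
        return {"options": [], "positional": [], "error": str(exc)}


def build_kinit_argv_safe(user, ccache=CCACHE, armor=ARMOR):
    """Illustrative hardening (assumption, not the project's fix): refuse a
    name the option parser could mistake for a switch, and put the name after
    '--' so that no later value is ever parsed as an option."""
    if not user or user.startswith("-"):
        raise ValueError("principal name must not start with '-'")
    return ["/usr/bin/kinit", "-c", ccache, "-T", armor, "-C", "-E", "--", user]


if __name__ == "__main__":
    for user in ("alice", "-H", "-Vkt"):
        print(user, "->", parse_as_kinit(build_kinit_argv(user)))
    print(parse_as_kinit(build_kinit_argv_safe("alice")))
```

With user=-Vkt the model reproduces the ticket's second request: "-V" and "-k" become switches, "-t" swallows the following "-c" as its keytab argument, and the ccache path ends up where kinit looks for the principal name. With user=-H the parser rejects an unknown option, which is the simple denial-of-service case.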
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2265129
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2265129 https://issues.redhat.com/browse/FREEIPA-10792 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2265129 )
master:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2265129 https://issues.redhat.com/browse/FREEIPA-10792, https://issues.redhat.com/browse/RHEL-26154, https://issues.redhat.com/browse/RHEL-26153 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2265129 https://issues.redhat.com/browse/FREEIPA-10792)
ipa-4-11:
ipa-4-10:
ipa-4-9:
ipa-4-6:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)