Store LDAP domain as credential source for LDAP external accounts
Open, Low, Public

Description

There's an administrator privilege escalation possible with LDAP now:

  1. Point the LDAP adapter at a new server you control.
  2. Create all the user accounts with password "asdf".
  3. Escalate from an administrator account to any account with LDAP.

This isn't normally possible because external account domains store the server identity, but for LDAP they're all still "self". T887 will fix this, but this is a special case with security implications (the other cases do not have those implications).
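The binding the task title asks for, shown as an added illustration rather than Phabricator's own code: each external-account link records the server it was created against, and a login only resolves to a local user when that recorded domain equals the provider's currently configured domain. The `ExternalAccount` model, the `host:port` convention in `ldap_domain`, the `resolve_login`/`resolve_login_unbound` pair, the `bind_legacy_links` migration and the sample rows are all assumptions made for this example.

```python
# Added illustration, not Phabricator's code. Models external-account links whose
# "domain" column records which server vouched for the link, so that reconfiguring
# the LDAP provider cannot make an old link match a different server.
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ExternalAccount:
    """One row linking a local user to an account on an external provider (constructed model)."""
    user_id: str        # local account the link resolves to
    provider_type: str  # provider class, e.g. "ldap"
    domain: str         # credential source the link was created against
    account_id: str     # username on the external server


# Legacy value the task describes: every LDAP link stored "self" instead of a server identity.
UNBOUND_DOMAIN = "self"


def ldap_domain(host: str, port: int) -> str:
    """Canonical credential-source string for an LDAP server (assumed convention: host:port)."""
    return f"{host.strip().lower()}:{port}"


def resolve_login_unbound(accounts: Iterable[ExternalAccount], account_id: str) -> Optional[str]:
    """Weak lookup: matches on provider type and username only, ignoring which server vouched."""
    for acct in accounts:
        if acct.provider_type == "ldap" and acct.account_id == account_id:
            return acct.user_id
    return None


def resolve_login(accounts: Iterable[ExternalAccount], provider_domain: str,
                  account_id: str) -> Optional[str]:
    """Hardened lookup: the link must have been created against the configured server."""
    for acct in accounts:
        if (acct.provider_type == "ldap"
                and acct.domain == provider_domain
                and acct.account_id == account_id):
            return acct.user_id
    return None


def bind_legacy_links(accounts: Iterable[ExternalAccount],
                      trusted_domain: str) -> List[ExternalAccount]:
    """One-off migration (assumption): rewrite "self" rows to the server that was
    configured when the links were legitimately created. It must run while the
    provider configuration is still trusted, never after a suspect reconfiguration."""
    return [
        ExternalAccount(a.user_id, a.provider_type, trusted_domain, a.account_id)
        if a.provider_type == "ldap" and a.domain == UNBOUND_DOMAIN else a
        for a in accounts
    ]


def sample_accounts() -> List[ExternalAccount]:
    """Constructed sample data: links recorded before the fix, all with domain "self"."""
    return [
        ExternalAccount("user-alice", "ldap", UNBOUND_DOMAIN, "alice"),
        ExternalAccount("user-bob", "ldap", UNBOUND_DOMAIN, "bob"),
        ExternalAccount("user-carol", "github", "github.com", "carol"),
    ]


if __name__ == "__main__":
    legacy = sample_accounts()
    company = ldap_domain("ldap.mycompany.com", 389)
    other = ldap_domain("ldap.evil.com", 389)
    bound = bind_legacy_links(legacy, company)

    # Unbound links resolve no matter which server the provider now points at.
    print(resolve_login_unbound(legacy, "alice"))   # user-alice
    # Bound links resolve only for the server they were established against.
    print(resolve_login(bound, company, "alice"))    # user-alice
    print(resolve_login(bound, other, "alice"))      # None
```

The point of the comparison is the last two calls: once the domain is part of the match key, pointing the provider at a different host produces no login for the existing links, and the non-LDAP rows are untouched by the migration.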

epriestley updated the task description.
epriestley raised the priority of this task from to Low.
epriestley added projects: Security, Auth.
epriestley added a subscriber: epriestley.
eadler added a subscriber: eadler. Apr 28 2015, 3:52 AM

This escalation requires control of DNS/networking or something to point phabricator at the new LDAP server, correct?

No -- you point Phabricator at the new LDAP server by using a compromised administrative account and going to AuthLDAP and changing ldap.mycompany.com to ldap.evil.com.

This phrasing was unclear:

administrator privilege escalation

I mean "if you compromise an administrator account, you can escalate from that to any other account", not "you can escalate to administrative privileges from [some lesser set of privileges]".

escalate from that to any other account

To be precise, any other account which already has an associated link with an external LDAP account.