ServerName Property
Andrew Petro
apetro at unicon.net
Tue Sep 4 20:26:38 EDT 2007
Dom,
[Without the same registry a ticket issued from Evil.eve.com
wouldn't be found at all in Bobs.files.com ticket registry and therefore fail.]
What makes Evil.eve.com and Files.bob.com use different ticket
registries? Is it the value of the service request parameter presented
on ticket validation? And so if Files.bob.com is duped into validating
the ticket using a request parameter "service" value of
Evil.eve.com/login, will Files.bob.com in fact be validating the ticket
using the same registry as that into which it was issued?
Now, if the CAS server authenticates the service on ticket validation,
e.g. by requiring a client-side SSL certificate on the request
authenticating the requesting service, then the exploit is blocked,
since in that case effectively the CAS server is helping Files.bob.com
not to be confused about its identity -- in traditional CAS services
convey their identity to CAS to protect themselves from accidentally
validating a ticket intended for another application by setting a
request parameter; requiring in addition or instead an SSL authentication
of the request amounts to supplementing the service parameter. In
principle, one could think of this case in terms of a heavier-duty
version of setting the serverName parameter in CAS client configuration
in this respect -- instead of setting that simple string, the web
application configurer now supplies a whole SSL certificate conveying
that string.
(Authentication of services validating tickets buys other advantages, of
course, but in the specific respect of this exploit, in principle it
merely amounts to supplying this bit of configuration in another way.)
It is true that the exploit relies on both the Adversary's web
application and the target web application using the same CAS instance.
> However, in your example both Bob and Eve applications are backed by the same
> ticket registry. Without the same registry a ticket issued from Evil.eve.com
> wouldn't be found at all in Bobs.files.com ticket registry and therefore fail.
>
> If all services backed by the same registry are "friends" is this still a
> security issue?
>
> I would like to add my appreciation for the time you have spent on this.
>
> Thanks again.
>
> Regards,
>
> Dom
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
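As an added illustration (not part of the thread), here is a small Python simulation of the point above: a CAS client that derives its service URL from the incoming request can be confused into validating a ticket issued for another application, while one pinned to a configured serverName is not. The CasServer class, the Host-header mechanism and the request shape are constructed assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a CAS server's ticket registry: service ticket -> service URL
# the ticket was issued for. CAS accepts a ticket only when the "service" presented
# on validation matches the one recorded at issuance.
@dataclass
class CasServer:
    registry: dict = field(default_factory=dict)

    def issue_ticket(self, ticket: str, service: str) -> None:
        self.registry[ticket] = service

    def validate(self, ticket: str, service: str) -> bool:
        return self.registry.get(ticket) == service

@dataclass
class Request:
    host: str      # Host header as seen by the web application (assumed attacker-influenced)
    path: str
    ticket: str

def service_from_request(req: Request) -> str:
    # Weak: the client derives its own identity from the request it received.
    return f"https://{req.host}{req.path}"

def service_from_server_name(server_name: str, req: Request) -> str:
    # Hardened: the client pins its identity to the configured serverName;
    # only the path comes from the request.
    return f"https://{server_name}{req.path}"

def validate_ticket(cas: CasServer, req: Request, server_name: Optional[str] = None) -> bool:
    if server_name is None:
        service = service_from_request(req)
    else:
        service = service_from_server_name(server_name, req)
    return cas.validate(req.ticket, service)

def demo() -> tuple:
    cas = CasServer()
    # Ticket issued by the shared CAS instance for the adversary's own application.
    cas.issue_ticket("ST-1", "https://evil.eve.com/login")
    # The same ticket is presented to Files.bob.com under a Host header naming Evil.eve.com.
    req = Request(host="evil.eve.com", path="/login", ticket="ST-1")
    without_server_name = validate_ticket(cas, req)                           # True: confused identity
    with_server_name = validate_ticket(cas, req, server_name="files.bob.com")  # False: rejected
    return without_server_name, with_server_name
```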