Hadoop Common / HADOOP-17923

ShellBasedUnixGroupsMapping: group name containing space can be used to inject group memberships


Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 3.3.1
    • Fix Version/s: None
    • Component/s: security
    • Labels: None

    Description

      Group names available from identity management systems, for example sssd, may contain space characters when used with, for example, Active Directory. Such a group name can be used to inject group memberships, granting permission to basically any targeted group.


      Suppose following scenario:

      a) centralized identity management system is used, where organization's responsible roles are defined to allow access to their named groups.

      b) group "hdfs" grants hdfs-admin permissions and is managed by authorized personnel only.

      c) attacker orders creation of a group named "uploaderformy hdfs" with the attacker's user account "attacker1" as a member of that group.


      This will lead to the scenario where ShellBasedUnixGroupsMapping executes the group lookup and returns the groups uploaderformy and hdfs for the "attacker1" username, as TOKEN_SEPARATOR_REGEX contains the space character in addition to others ("[ \t\n\r\f]").

      This bug was found while working on our own solution based on the ShellBasedUnixGroupsMapping for https://github.com/teragrep/


      Other versions may be affected as well.
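
The parsing flaw described in this report, as an added worked example in Python (a re-creation of the whitespace tokenizing, not Hadoop's Java source and not the reporter's code): the stdout of `id -gn; id -Gn`, the NUL-delimited stdout of `id -Gnz`, the numeric stdout of `id -G` and the /etc/group-style database are all constructed sample data for the attacker1 scenario above. The two hardened parsers (NUL delimiting via GNU coreutils' `--zero` option, and resolving numeric GIDs through the group database) are alternatives shown for illustration, not a fix the project has adopted.

```python
"""Re-creation (in Python, not Hadoop's Java) of how ShellBasedUnixGroupsMapping
tokenizes `id` output, beside two parsers that do not split inside group names.
All `id` output and the group database below are constructed sample data."""
import re
from typing import Dict, List

# Hadoop runs "id -gn <user>; id -Gn <user>" through a shell and splits the
# combined stdout on Shell.TOKEN_SEPARATOR_REGEX, whose class is "[ \t\n\r\f]".
TOKEN_SEPARATOR_REGEX = re.compile(r"[ \t\n\r\f]")

# Constructed stdout of "id -gn attacker1; id -Gn attacker1" for the scenario in
# the report: line 1 is the primary group, line 2 the full list. The space inside
# the group name "uploaderformy hdfs" is indistinguishable from a separator.
ATTACKER_ID_NAMES_OUTPUT = "attacker1\nattacker1 uploaderformy hdfs\n"

# Constructed stdout of "id -Gnz attacker1" (GNU coreutils --zero: NUL-delimited).
ATTACKER_ID_NUL_OUTPUT = "attacker1\0uploaderformy hdfs\0"

# Constructed stdout of "id -G attacker1" (numeric GIDs, which never contain spaces).
ATTACKER_ID_GIDS_OUTPUT = "1001 2001\n"

# Constructed /etc/group-style database (name:passwd:gid:members). Fields are
# colon separated, so a group name containing a space is still one field.
GROUP_DB = """root:x:0:
hdfs:x:1000:
attacker1:x:1001:
uploaderformy hdfs:x:2001:attacker1
"""


def parse_groups_whitespace(stdout: str) -> List[str]:
    """Vulnerable: Hadoop-style whitespace tokenizing. Every token becomes a
    group, so "uploaderformy hdfs" yields the two groups "uploaderformy" and "hdfs"."""
    groups: List[str] = []
    for tok in TOKEN_SEPARATOR_REGEX.split(stdout):
        if tok and tok not in groups:  # order-preserving de-duplication
            groups.append(tok)
    return groups


def parse_groups_nul(stdout: str) -> List[str]:
    """Hardened: split only on NUL, which cannot appear inside a group name."""
    groups: List[str] = []
    for name in stdout.split("\0"):
        if name and name not in groups:
            groups.append(name)
    return groups


def load_group_db(text: str) -> Dict[int, str]:
    """Map GID -> group name from /etc/group-formatted text."""
    by_gid: Dict[int, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed entry: skip it rather than guess
        by_gid[int(fields[2])] = fields[0]
    return by_gid


def parse_groups_by_gid(id_g_stdout: str, group_db: Dict[int, str]) -> List[str]:
    """Hardened: take numeric GIDs from "id -G" (whitespace is safe there) and
    resolve each GID to exactly one name through the group database."""
    groups: List[str] = []
    for tok in id_g_stdout.split():
        name = group_db.get(int(tok))
        if name is not None and name not in groups:
            groups.append(name)
    return groups


def grants_hdfs_admin(groups: List[str]) -> bool:
    """The authorization question in the report: is the user a member of "hdfs"?"""
    return "hdfs" in groups


if __name__ == "__main__":
    db = load_group_db(GROUP_DB)
    for label, groups in (
        ("whitespace tokenizer", parse_groups_whitespace(ATTACKER_ID_NAMES_OUTPUT)),
        ("NUL-delimited       ", parse_groups_nul(ATTACKER_ID_NUL_OUTPUT)),
        ("GID resolution      ", parse_groups_by_gid(ATTACKER_ID_GIDS_OUTPUT, db)),
    ):
        print(f"{label}: {groups} -> hdfs admin: {grants_hdfs_admin(groups)}")
```

Run as a script, the whitespace tokenizer reports attacker1 as a member of hdfs while the other two parsers do not. Whether `id` accepts `-z` depends on the platform (it is a GNU coreutils option), so a real deployment would need to verify it on every node, or prefer the numeric-GID path, which only needs `id -G` and the group database.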


          People

            Assignee: Unassigned
            Reporter: Mikko Kortelainen (kortemik)
            Votes: 0
            Watchers: 1