Empty Subject NameID causes shibd process to crash
Description
If the IdP (tested version Shibboleth IdP v2.4.1 and 2.4.2) sends an empty subject NameID value, the Shibboleth Service Provider process (shibd) will crash.
Steps to reproduce:
- Configure a static data connector with a single empty value.
- Feed that empty value to a persistentId AttributeDefinition with the NameFormat "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent".
- Specify this NameFormat as preferred in nameIDFormatPreference in relying-party.xml, DefaultRelyingParty.
- Release the persistentId attribute to a test SP, and access the test SP.
I've filed this as an SP Vulnerability, because I was able to configure a test instance of the IdP to intentionally return an empty NameID value, and intentionally crash any Shibboleth-branded service provider I accessed. It would not be difficult for a malicious party to install an IdP, a local directory for authentication, and target an SP with some publicly available information and cause a denial of service. Some SP operators have configured shibd to auto-restart if it should stop, but many have not.
Versions 2.5.3 and 2.4.3 have been called out specifically, as I have crash confirmations from operators of SPs running those versions. Other versions may be affected as well. Most prominently, current version 2.5.3 is affected. I have not been able to test or confirm behavior on non-Shibboleth-branded Service Providers.
I will be filing a parallel issue under the IdP project, for issuing an assertion with an empty Subject:NameID instead of throwing an error on the IdP side and keeping the user at the IdP.
Log (and likely spot of the crash) indicates this is an authenticated attacker (and one you can in some cases identify as the source), so that's significantly less critical.
Given our schedule, I don't think we'll push this out ahead of getting V3 out the door next month, but I'll pick it up then.
Scott Cantor October 10, 2014 at 4:26 PM
I think this also requires encryption to be in use, otherwise the programmatic validators will catch the empty element. The validators should be run against the decrypted assertion, aside from fixing the actual crash, but it may be impractical to fix them all since the validators were meant to be the backstop for not having to check every single dereference.
Fixed
3 items follow:
- SP Browser Error message
- shibd.log excerpt
- native_warn.log excerpt
More DEBUG-level logs available - just let me know what you'd like to see.
------------------ SP Browser Error
------------------
shibsp::ListenerException
The system encountered an error at Sat Sep 27 21:37:33 2014
To report this problem, please contact the site administrator at mail@domain.edu.
Please include the following message in any email:
shibsp::ListenerException at (https://sp.domain.edu/Shibboleth.sso/SAML2/POST)
Failure receiving response to remoted message (default/SAML2/POST).
------------------ /var/log/shibboleth/shibd.log - starts with decrypted assertion - example of empty NameID received at the SP. The log continues until the time of the crash. Assertion information has been sanitized to remove personal and institutional identifying information. (the signature won't match this edited version of the assertion)
------------------
2014-09-27 21:37:33 DEBUG Shibboleth.SSO.SAML2 [2]: decrypted Assertion: <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_84a49950b64b520903402d047aa570cb" IssueInstant="2014-09-28T02:37:32.115Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.domain.edu/idp/shibboleth</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_84a49950b64b520903402d047aa570cb"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>LxFPtdon3FCYDBhT3Jn1h3nwuAA=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue> – SIGNATURE VALUE REMOVED – </ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate> – THE IDP CERTIFICATE GOES HERE – </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.domain.edu/idp/shibboleth" SPNameQualifier="https://sp.domain.edu/shibboleth"/><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData Address="69.29.81.229" InResponseTo="_b4f457c38c07cee52df81f181d422457" NotOnOrAfter="2014-09-28T02:42:32.115Z" Recipient="https://sp.domain.edu/Shibboleth.sso/SAML2/POST"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2014-09-28T02:37:32.115Z" 
NotOnOrAfter="2014-09-28T02:42:32.115Z"><saml2:AudienceRestriction><saml2:Audience>https://sp.domain.edu/shibboleth</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2014-09-28T02:37:25.683Z" SessionIndex="_fcf157882a3da92e8d8730e94a42f8c8"><saml2:SubjectLocality Address="69.29.81.229"/><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">doej@domain.edu</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Doe, John</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="samAccountName" Name="urn:mace:domain.edu:attribute-def:samAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">doej</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="iisAccountName" Name="urn:mace:domain.edu:attribute-def:iisAccountName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">doej</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="urn:mace:domain.edu:attribute-def:emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="xs:string">doej@domain.edu</saml2:AttributeValue></saml2:Attribute><saml2:Attribute FriendlyName="eduPersonTargetedID" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://idp.domain.edu/idp/shibboleth" SPNameQualifier="https://sp.domain.edu/shibboleth"/></saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">doej@domain.edu</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="urn:mace:dir:attribute-def:sn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Doe</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="urn:mace:domain.edu:attribute-def:department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Library</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="urn:mace:dir:attribute-def:givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>
2014-09-27 21:37:33 DEBUG Shibboleth.SSO.SAML2 [2]: extracting issuer from SAML 2.0 assertion
2014-09-27 21:37:33 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [2]: evaluating message flow policy (replay checking on, expiration 60)
2014-09-27 21:37:33 DEBUG XMLTooling.StorageService [2]: inserted record (_84a49950b64b520903402d047aa570cb) in context (MessageFlow) with expiration (1411872092)
2014-09-27 21:37:33 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: validating signature profile
2014-09-27 21:37:33 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: attempting to validate signature with the peer's credentials
2014-09-27 21:37:33 DEBUG XMLTooling.TrustEngine.ExplicitKey [2]: signature validated with credential
2014-09-27 21:37:33 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [2]: signature verified against message issuer
2014-09-27 21:37:33 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [2]: assertion satisfied bearer confirmation requirements
2014-09-27 21:37:33 DEBUG Shibboleth.SSO.SAML2 [2]: SSO profile processing completed successfully
2014-09-27 21:37:33 DEBUG Shibboleth.SSO.SAML2 [2]: extracting pushed attributes...
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeExtractor.XML [2]: unable to extract attributes, unknown XML object type: saml2p:Response
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeDecoder.NameID [2]: decoding NameIDAttribute (persistent-id) from SAML 2 NameID with Format (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeExtractor.XML [2]: unable to extract attributes, unknown XML object type: saml2:AuthnStatement
2014-09-27 21:37:33 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:mace:dir:attribute-def:mail
2014-09-27 21:37:33 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:mace:dir:attribute-def:displayName
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeDecoder.String [2]: decoding SimpleAttribute (samaccountname) from SAML 2 Attribute (urn:mace:domain.edu:attribute-def:samAccountName) with 1 value(s)
2014-09-27 21:37:33 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:mace:domain.edu:attribute-def:iisAccountName
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeDecoder.String [2]: decoding SimpleAttribute (email) from SAML 2 Attribute (urn:mace:domain.edu:attribute-def:emailAddress) with 1 value(s)
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeDecoder.NameID [2]: decoding NameIDAttribute (persistent-id) from SAML 2 Attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.10) with 1 value(s)
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeDecoder.NameID [2]: decoding saml2:NameID child element of AttributeValue
2014-09-27 21:37:33 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:1.3.6.1.4.1.5923.1.1.1.10
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeDecoder.String [2]: decoding SimpleAttribute (eduPersonPrincipalName) from SAML 2 Attribute (urn:mace:dir:attribute-def:eduPersonPrincipalName) with 1 value(s)
2014-09-27 21:37:33 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:mace:dir:attribute-def:sn
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeDecoder.String [2]: decoding SimpleAttribute (department) from SAML 2 Attribute (urn:mace:domain.edu:attribute-def:department) with 1 value(s)
2014-09-27 21:37:33 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:mace:dir:attribute-def:givenName
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeFilter [2]: filtering 4 attribute(s) from (https://idp.domain.edu/idp/shibboleth)
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeFilter [2]: applying filtering rule(s) for attribute (department) from (https://idp.domain.edu/idp/shibboleth)
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeFilter [2]: applying filtering rule(s) for attribute (eduPersonPrincipalName) from (https://idp.domain.edu/idp/shibboleth)
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeFilter [2]: applying filtering rule(s) for attribute (email) from (https://idp.domain.edu/idp/shibboleth)
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeFilter [2]: applying filtering rule(s) for attribute (samaccountname) from (https://idp.domain.edu/idp/shibboleth)
2014-09-27 21:37:33 DEBUG Shibboleth.SSO.SAML2 [2]: resolving attributes...
2014-09-27 21:37:33 DEBUG Shibboleth.AttributeResolver.Query [2]: found AttributeStatement in input to new session, skipping query
2014-09-27 21:37:33 DEBUG Shibboleth.SessionCache [2]: creating new session
2014-09-27 21:37:33 DEBUG Shibboleth.SessionCache [2]: storing new session...
2014-09-27 21:37:33 DEBUG XMLTooling.StorageService [2]: inserted record (session) in context (_d2314557ed7f03bd6164a5a146018c33) with expiration (1411875453)
------------------ /var/log/httpd/native_warn.log - the first two lines are where the crash occurs. Everything else is retrying and failure.
------------------
2014-09-27 21:37:33 ERROR Shibboleth.Listener [20851] shib_check_user: error reading size of output message
2014-09-27 21:37:33 ERROR Shibboleth.Apache [20851] shib_check_user: Failure receiving response to remoted message (default/SAML2/POST).
2014-09-27 21:37:33 ERROR Shibboleth.Listener [20952] shib_check_user: socket call (connect) resulted in error (111): no message
2014-09-27 21:37:33 WARN Shibboleth.Listener [20952] shib_check_user: cannot connect socket (24)...retrying
2014-09-27 21:37:35 ERROR Shibboleth.Listener [20952] shib_check_user: socket call (connect) resulted in error (111): no message
2014-09-27 21:37:35 WARN Shibboleth.Listener [20952] shib_check_user: cannot connect socket (24)...retrying
2014-09-27 21:37:39 ERROR Shibboleth.Listener [20952] shib_check_user: socket call (connect) resulted in error (111): no message
2014-09-27 21:37:39 WARN Shibboleth.Listener [20952] shib_check_user: cannot connect socket (24)...
2014-09-27 21:37:39 CRIT Shibboleth.Listener [20952] shib_check_user: socket server unavailable, failing
2014-09-27 21:37:39 ERROR Shibboleth.Apache [20952] shib_check_user: Cannot connect to shibd process, a site adminstrator should be notified.
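The decrypted assertion in the shibd.log excerpt carries a Subject NameID with no value and the same empty NameID inside the eduPersonTargetedID AttributeValue; Scott Cantor's comment notes the programmatic validators only catch this when they run on the decrypted assertion. The following is an added Python example, not Shibboleth or OpenSAML code, of such a post-decryption check: it rejects an assertion with any empty NameID before anything dereferences the value. The sample assertion is constructed, trimmed from the sanitized one above, with a placeholder ID.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def empty_nameids(decrypted_assertion_xml):
    """Locate every NameID with no text content in a decrypted saml2:Assertion.

    Returns a list of human-readable locations; an empty list means the
    assertion is safe to hand to code that dereferences NameID values.
    """
    root = ET.fromstring(decrypted_assertion_xml)
    findings = []
    # 1. Subject/NameID: the value the SP turns into persistent-id (the crash path).
    for nid in root.iterfind("saml2:Subject/saml2:NameID", NS):
        if not (nid.text or "").strip():
            findings.append("Subject/NameID empty (Format=%s)" % nid.get("Format"))
    # 2. NameID nested in an AttributeValue, e.g. eduPersonTargetedID, which the
    #    report's assertion shows was emitted empty as well.
    for attr in root.iterfind(".//saml2:Attribute", NS):
        for nid in attr.iterfind("saml2:AttributeValue/saml2:NameID", NS):
            if not (nid.text or "").strip():
                findings.append("Attribute %s NameID empty" % attr.get("Name"))
    return findings


def accept_assertion(decrypted_assertion_xml):
    """Policy decision: reject (log and fail the request) instead of crashing."""
    return not empty_nameids(decrypted_assertion_xml)


def sample_assertion(nameid_value):
    """Constructed sample modelled on the sanitized assertion in the shibd.log
    excerpt (ID is a placeholder); pass "" to reproduce the empty NameIDs."""
    return (
        '<saml2:Assertion xmlns:saml2="%s" ID="_placeholder" Version="2.0">'
        '<saml2:Issuer>https://idp.domain.edu/idp/shibboleth</saml2:Issuer>'
        '<saml2:Subject><saml2:NameID Format="%s" '
        'NameQualifier="https://idp.domain.edu/idp/shibboleth" '
        'SPNameQualifier="https://sp.domain.edu/shibboleth">%s</saml2:NameID>'
        '</saml2:Subject><saml2:AttributeStatement>'
        '<saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">'
        '<saml2:AttributeValue><saml2:NameID Format="%s">%s</saml2:NameID>'
        '</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement>'
        '</saml2:Assertion>'
    ) % (SAML2, PERSISTENT, nameid_value, PERSISTENT, nameid_value)


if __name__ == "__main__":
    print(empty_nameids(sample_assertion("")))           # two findings
    print(accept_assertion(sample_assertion("AbC123")))  # True
```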