
RE: format string exploit in OpenLDAP server (ITS#1813)



There was a bug here, but just to put your fears to rest:

1) the code has already been fixed as of December 26, 2001, the fix is in
the current (2.1) code base.

2) the bug has no security exploit potential. My reasons for saying this:
  a) ACLs are configured in a static file, accessible only to the sysadmin.
     Anyone who can insert malicious data here already has complete access
     to your machine.
  b) the print_acl() routine is only compiled if LDAP_DEBUG is defined, and
     is only executed if ACL debugging is requested at server startup.
  c) the routine is only executed during server startup. There is no way to
     exploit the bug once the server has passed its initialization. If there
     is an ill-formatted string present at startup time, the server will
     simply crash with no LDAP service being provided. This sort of failure
     would be immediately obvious... (and again, see (a), which makes this a
     moot point.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> davidreign@hotmail.com
> Sent: Friday, May 10, 2002 3:11 AM
> To: openldap-its@OpenLDAP.org
> Subject: format string exploit in OpenLDAP server (ITS#1813)
>
>
> My name is David Reign and I work for a small security & investments company
> in Australia. I have discovered a "format string" bug in the ACL parsing
> portion of the slapd server.
>
> Vendor status: have not contacted until now
>
> Details:
>
>     if ( a->acl_attrs != NULL ) {
>         int i, first = 1;
>         to++;
>
>         fprintf( stderr, " attrs=" );
>         for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
>             if ( ! first ) {
>                 fprintf( stderr, "," );
>             }
>             fprintf( stderr, a->acl_attrs[i] );    /* Just Here--> */
>             first = 0;
>         }
>         fprintf( stderr, "\n" );
>     }
>
> No need to tell you that a format string bug in a remote server equals remote
> root compromise.
>
> Since it writes a->acl_attrs[i], which is one variable in the structure,
> fragmented exploitation is needed, with a little part of the string being
> written at a time. No working exploit code is known of.
>
> I also may have found numerous other format bugs like print_error(buf) but
> can't verify this yet.
>
> I will be drafting a formal advisory, and since this is a HUGE issue because
> OpenLDAP has a wide user base, the public needs to be notified.
>
> Be in contact soon,
> - davidr
>
>
>
>
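The defect under discussion, shown as an added example that is not OpenLDAP code and not the patch the project applied: a printer with the same shape as the quoted print_acl() fragment (attribute text passed as the format) next to the usual hardening (a constant "%s" format, which is assumed here to be the fix, not confirmed by the thread). The struct acl_like, the outbuf sink and the sample attribute list are constructed stand-ins so the two outputs can be compared without touching stderr. The sample uses "%%" deliberately: it is the one directive that consumes no argument, so the vulnerable path stays well-defined and the difference is reproducible; the "%x"/"%n" case the reporter has in mind is undefined behaviour in that path, which is precisely the point.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the slapd ACL entry in the report: only the
 * NULL-terminated attribute list matters here. */
struct acl_like {
    const char **acl_attrs;
};

/* Fixed-size sink that stands in for stderr so both outputs can be compared. */
struct outbuf {
    char data[256];
    size_t len;
};

static void outbuf_init(struct outbuf *ob)
{
    ob->len = 0;
    ob->data[0] = '\0';
}

/* printf-style append.  The format attribute is what lets GCC/Clang flag a
 * call whose format is not a literal when built with -Wformat -Wformat-security. */
#if defined(__GNUC__)
__attribute__((format(printf, 2, 3)))
#endif
static void outbuf_printf(struct outbuf *ob, const char *fmt, ...)
{
    va_list ap;
    size_t room = sizeof ob->data - ob->len;
    int n;

    if (room == 0)
        return;
    va_start(ap, fmt);
    n = vsnprintf(ob->data + ob->len, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return;
    ob->len += ((size_t)n < room) ? (size_t)n : room - 1;
}

/* Same shape as the quoted print_acl() fragment: the attribute text is
 * passed as the format string, so every '%' in it is interpreted. */
static void print_attrs_vulnerable(struct outbuf *ob, const struct acl_like *a)
{
    int i, first = 1;

    outbuf_printf(ob, " attrs=");
    for (i = 0; a->acl_attrs[i] != NULL; i++) {
        if (!first)
            outbuf_printf(ob, ",");
        outbuf_printf(ob, a->acl_attrs[i]);   /* BUG: data used as format */
        first = 0;
    }
    outbuf_printf(ob, "\n");
}

/* Hardened form: constant format, the attribute only ever travels as a %s
 * argument, so its bytes are copied, never parsed. */
static void print_attrs_fixed(struct outbuf *ob, const struct acl_like *a)
{
    int i, first = 1;

    outbuf_printf(ob, " attrs=");
    for (i = 0; a->acl_attrs[i] != NULL; i++) {
        if (!first)
            outbuf_printf(ob, ",");
        outbuf_printf(ob, "%s", a->acl_attrs[i]);
        first = 0;
    }
    outbuf_printf(ob, "\n");
}

/* Constructed sample (not from any real slapd.conf).  "%%" consumes no
 * argument, so the vulnerable path is still well-defined; "%x" or "%n" in
 * the same position would be undefined behaviour. */
static const char *sample_attrs[] = { "cn", "mail%%x", "sn", NULL };

/* Renders the sample both ways; returns 1 when the outputs differ, i.e. when
 * the vulnerable printer consumed part of the attribute text as a directive. */
int render_sample(struct outbuf *vuln, struct outbuf *fixed)
{
    struct acl_like a = { sample_attrs };

    outbuf_init(vuln);
    outbuf_init(fixed);
    print_attrs_vulnerable(vuln, &a);
    print_attrs_fixed(fixed, &a);
    return strcmp(vuln->data, fixed->data) != 0;
}

int main(void)
{
    struct outbuf v, f;

    render_sample(&v, &f);
    printf("vulnerable:%s", v.data);
    printf("fixed     :%s", f.data);
    return 0;
}
```

The vulnerable printer emits "mail%x" where the fixed one emits "mail%%x", which is the whole bug in one line: whatever the config file says is handed to the format parser. Because outbuf_printf is declared with the printf format attribute, compiling this file with -Wformat -Wformat-security makes GCC and Clang warn on the call in print_attrs_vulnerable ("format not a string literal and no format arguments") and stay silent on the fixed one, which is the cheap audit to run over any code base for the other suspected sites the reporter mentions.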