
security patch for libraries/liblutil/passwd.c (ITS#3020)



Full_Name: Mordy Ovits
Version: CVS HEAD and earlier
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.149.42.30)


While reading the source for libraries/liblutil/passwd.c, I found a
security bug.  I'm skeptical that it's exploitable, because getting a null into
the presented credential seems hard, and I don't know the source well enough to
be sure, but if it is, it represents a critical remote hole.  slapd needs to be
compiled w/ SLAPD_CRYPT for it to be vulnerable, and the user the attacker is
authenticating as must have their userPassword stored using the {CRYPT} scheme.
The bug is still in CVS.  Here's the patch against 2.2.6:
===========
--- passwd.c.orig       2004-03-08 18:33:37.000000000 -0500
+++ passwd.c    2004-03-08 18:34:54.000000000 -0500
@@ -1079,7 +1079,7 @@

        for( i=0; i<cred->bv_len; i++) {
                if(cred->bv_val[i] == '\0') {
-                       return 1;       /* NUL character in password */
+                       return -1;      /* NUL character in password */
                }
        }

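Review bot: the hunk alone does not show what the caller treats as success, so the change from `return 1` to `return -1` cannot be judged from these lines; if this checker follows the 0 = match / non-zero = mismatch convention, `return 1` already rejects a credential with an embedded NUL and the patch only changes which non-zero value is returned. Please confirm the success test in the calling code and, either way, add a regression case where a credential containing a NUL is presented against a {CRYPT} userPassword and is expected to fail.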
============
Do you see how the logic was reversed?  It means to reject it if a NUL
was found, but instead, it OKs it.  If it is exploitable, you really
should put out a security advisory and update.

Thanks,
Mordy
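As an added illustration of why an embedded NUL in a length-counted credential matters (this is example code written for this page, not OpenLDAP's own, and it assumes a two-field `struct berval` and a hypothetical plaintext checker in place of crypt(3)), the following shows a C-string comparison accepting "secret\0x" as "secret" unless the NUL guard runs first:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: minimal stand-in for OpenLDAP's struct berval. */
struct berval {
    size_t bv_len;   /* byte length, NOT terminated by NUL */
    char  *bv_val;
};

#define PASSWD_OK   0    /* credential accepted */
#define PASSWD_ERR -1    /* credential rejected */

/* Reject any credential carrying an embedded NUL: a C-string API such as
 * crypt(3) would silently stop reading at that byte.  0 = fine, -1 = NUL. */
int reject_embedded_nul(const struct berval *cred)
{
    size_t i;
    for (i = 0; i < cred->bv_len; i++) {
        if (cred->bv_val[i] == '\0') {
            return PASSWD_ERR;   /* NUL character in password */
        }
    }
    return PASSWD_OK;
}

/* Hypothetical checker that hands the credential to a C-string call, the way
 * a crypt(3)-based scheme sees it: everything after a NUL is invisible. */
int check_unsafe(const struct berval *cred, const char *stored)
{
    return strcmp(cred->bv_val, stored) == 0 ? PASSWD_OK : PASSWD_ERR;
}

/* Guarded version: the NUL check runs before the C-string comparison. */
int check_guarded(const struct berval *cred, const char *stored)
{
    if (reject_embedded_nul(cred) != PASSWD_OK)
        return PASSWD_ERR;
    return check_unsafe(cred, stored);
}

/* Constructed sample: "secret", an embedded NUL, then one extra byte (8 bytes). */
static const char sample_bad[] = "secret\0x";

int demo_unsafe_accepts_truncated(void)
{
    struct berval c = { sizeof sample_bad - 1, (char *)sample_bad };
    return check_unsafe(&c, "secret");     /* PASSWD_OK: truncated match */
}

int demo_guarded_rejects(void)
{
    struct berval c = { sizeof sample_bad - 1, (char *)sample_bad };
    return check_guarded(&c, "secret");    /* PASSWD_ERR: NUL caught first */
}
```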