[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5580) BER Decoding Remote DoS Vulnerability

To: openldap-its@OpenLDAP.org
Subject: (ITS#5580) BER Decoding Remote DoS Vulnerability
From: zdi-disclosures@tippingpoint.com
Date: Thu, 26 Jun 2008 20:28:07 GMT

Full_Name: Cameron Hotchkies
Version: 2.3.41
OS: Gentoo Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (66.179.208.36)


This vulnerability allows remote attackers to deny services on vulnerable
installations of OpenLDAP. Authentication is not required to exploit this
vulnerability.

The specific flaw exists in the decoding of ASN.1 BER network datagrams. When
the size of a BerElement is specified incorrectly, the application will trigger
an assert(), leading to abnormal program termination.
Tech Details: 	

The code exhibiting the problem is located in the function ber_get_next()
function in "libraries/liblber/io.c" .

The function fails to handle properly BER encoding of an element (tag + length +
content) that contains:

* exactly 4 bytes long "multi-byte tag"
* exactly 4 bytes long "multi-byte size"

The total size of the resulting encoding equals to the size of the BerElement
structure buffer plus one byte. This causes the function returns indicating that
more data are needed, but leaves the read-pointer pointing right at the end of
the buffer, which is not permitted.

Subsequent calls to the function result in an assertion failure:

assert( 0 ); /* ber structure is messed up ?*/

Example Exploitation:

  > slapd -h ldap:// -d511 &
  ...
  > xxd packet
  0000000: ffff ff00 8441 4243 44                   .....ABCD
  > nc localhost 389 < packet

Prev by Date: (ITS#5579) Interaction of ppolicy attributes
Next by Date: (ITS#5581) slapd: search.c:970: oc_filter: Assertion `f != ((void *)0)' failed.
Index(es):
- Chronological
- Thread