Full_Name: Daniel Stenberg
Version: any
OS: Linux
URL:
Submission from: (NULL) (178.174.211.173)

The function ldap_get_attribute_ber() is called to get attributes, but it turns out that it can return LDAP_SUCCESS and still return a NULL pointer in the result pointer when getting a particularly crafted response.

This was a surprise to us and to curl, as this caused us a security vulnerability. See https://curl.haxx.se/docs/adv_2018-97a2.html

1. There's no man page nor online resource to read the docs for this function, so it's really hard to figure out this fact.

2. This behavior is surprising, and this flaw was even written by someone very familiar with OpenLDAP, indicating it is unintended or at least not the normal path.

3. Due to the above two points, I believe there's a risk curl is not the only application in the world that had this bad assumption and thus this might be a lurking security issue in more projects.

/ Daniel
daniel@haxx.se wrote:
> Full_Name: Daniel Stenberg
> Version: any
> OS: Linux
> URL:
> Submission from: (NULL) (178.174.211.173)
>
>
> The function ldap_get_attribute_ber() is called to get attributes, but it turns
> out that it can return LDAP_SUCCESS and still return a NULL pointer in the
> result pointer when getting a particularly crafted response.
>
> This was a surprise to us and to curl, as this caused us a security
> vulnerability. See https://curl.haxx.se/docs/adv_2018-97a2.html
>
> 1. There's no man page nor online resource to read the docs for this function, so
> it's really hard to figure out this fact.
>
> 2. This behavior is surprising, and this flaw was even written by someone very
> familiar with OpenLDAP, indicating it is unintended or at least not the normal
> path.

It's actually normal; if you issue a search and specify attrsonly, the results will only contain attribute names and no values (e.g. using ldapsearch -A). As such, returning LDAP_SUCCESS with a NULL value is correct. Unfortunate oversight on my part when writing that curl patch.

Looking at the mitigation you've applied, I'm not sure it's correct. In particular, you're terminating the loop when you receive a NULL value, but there may actually be multiple attributes present (with no values on any of them) and you ought to continue iterating through them all.

> 3. Due to the above two points, I believe there's a risk curl is not the only
> application in the world that had this bad assumption and thus this might be a
> lurking security issue in more projects.
>
> / Daniel
>
>
> --

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
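The contract Howard describes, as an added example (a constructed C model written for this page, not OpenLDAP's or curl's code): a stand-in for ldap_get_attribute_ber() that returns LDAP_SUCCESS with a NULL value list for attrsonly-style replies, next to a consumer loop that keeps iterating past such attributes; the stop_on_null_vals switch reproduces the early-terminating mitigation he questions so the two behaviours can be compared. The struct berval layout and the NULL-terminated value array follow libldap's conventions as I know them; every model_* name and the sample entry are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
#define LDAP_SUCCESS 0

/* Constructed model of the libldap pieces this thread discusses; not OpenLDAP code. */
struct berval { size_t bv_len; char *bv_val; };
/* One attribute of a search-result entry; vals == NULL models an attrsonly reply
 * (ldapsearch -A): the server sent the attribute name but no values. */
struct model_attr { const char *name; struct berval *vals; };
struct model_entry { const struct model_attr *attrs; size_t nattrs; size_t cursor; };

/* Models ldap_get_attribute_ber(): LDAP_SUCCESS every time, attr->bv_val == NULL once the
 * attributes are exhausted, and *vals may legitimately be NULL on success. */
static int model_get_attribute_ber(struct model_entry *e, struct berval *attr, struct berval **vals)
{
    if (e->cursor >= e->nattrs) { attr->bv_val = NULL; attr->bv_len = 0; *vals = NULL; return LDAP_SUCCESS; }
    const struct model_attr *a = &e->attrs[e->cursor++];
    attr->bv_val = (char *)a->name; attr->bv_len = strlen(a->name);
    *vals = a->vals;                       /* NULL when no values came back */
    return LDAP_SUCCESS;
}

/* stop_on_null_vals == 0: the iteration Howard Chu describes, where a NULL value list ends
 * that attribute, not the loop. == 1: the mitigation he questions, which stops at the first
 * value-less attribute and never sees the rest. Returns attributes visited; *nvals = values seen. */
static int walk_entry(struct model_entry *e, int stop_on_null_vals, int *nvals)
{
    struct berval attr, *vals;
    int nattrs = 0;
    *nvals = 0;
    for (;;) {
        if (model_get_attribute_ber(e, &attr, &vals) != LDAP_SUCCESS) return -1;
        if (attr.bv_val == NULL) break;    /* end of the attribute list */
        if (vals == NULL) {                /* success with no values: legal, must not be dereferenced */
            if (stop_on_null_vals) break;
            nattrs++;
            continue;
        }
        nattrs++;
        for (size_t i = 0; vals[i].bv_val != NULL; i++) (*nvals)++;
    }
    return nattrs;
}

/* Constructed sample reply: three attributes, only the first carrying a value. */
static char alice[] = "alice";
static struct berval cn_vals[] = { { 5, alice }, { 0, NULL } };
static const struct model_attr sample_attrs[] = { { "cn", cn_vals }, { "sn", NULL }, { "mail", NULL } };

int correct_loop_attr_count(void)  { int v; struct model_entry e = { sample_attrs, 3, 0 }; return walk_entry(&e, 0, &v); }
int correct_loop_value_count(void) { int v; struct model_entry e = { sample_attrs, 3, 0 }; walk_entry(&e, 0, &v); return v; }
int early_stop_attr_count(void)    { int v; struct model_entry e = { sample_attrs, 3, 0 }; return walk_entry(&e, 1, &v); }
```

The correct loop visits all three attributes and finds one value; the early-stopping variant returns after "cn" and never learns that "sn" and "mail" were present.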
On Sun, 18 Mar 2018, Howard Chu wrote:

> Looking at the mitigation you've applied, I'm not sure it's correct. In
> particular, you're terminating the loop when you receive a NULL value, but
> there may actually be multiple attributes present (with no values on any of
> them) and you ought to continue iterating through them all.

... which is why my issue here is about the lack of documentation for the function! I tried to read up on how it's supposed to work but I couldn't find any docs anywhere.

--
/ daniel.haxx.se
Commits:
• 363f1056 by Ondřej Kuzník at 2021-05-14T08:18:05+01:00
  ITS#8820 Document ldap_get_attribute_ber()