OpenLDAP
Viewing Software Bugs/5580
From: zdi-disclosures@tippingpoint.com
Subject: BER Decoding Remote DoS Vulnerability
Date: Thu, 26 Jun 2008 20:28:06 GMT
From: zdi-disclosures@tippingpoint.com
To: openldap-its@OpenLDAP.org
Subject: BER Decoding Remote DoS Vulnerability
Full_Name: Cameron Hotchkies
Version: 2.3.41
OS: Gentoo Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (66.179.208.36)


This vulnerability allows remote attackers to deny services on vulnerable
installations of OpenLDAP. Authentication is not required to exploit this
vulnerability.

The specific flaw exists in the decoding of ASN.1 BER network datagrams. When
the size of a BerElement is specified incorrectly, the application will trigger
an assert(), leading to abnormal program termination.
Tech Details:

The code exhibiting the problem is located in the function ber_get_next() in
"libraries/liblber/io.c".

The function fails to properly handle the BER encoding of an element (tag +
length + content) that contains:

* an exactly 4 bytes long "multi-byte tag"
* an exactly 4 bytes long "multi-byte size"

The total size of the resulting encoding equals the size of the BerElement
structure buffer plus one byte. This causes the function to return indicating
that more data is needed, but leaves the read-pointer pointing right at the end
of the buffer, which is not permitted.

Subsequent calls to the function result in an assertion failure:

assert( 0 ); /* ber structure is messed up ?*/

Example Exploitation:

  > slapd -h ldap:// -d511 &
  ...
  > xxd packet
  0000000: ffff ff00 8441 4243 44                   .....ABCD
  > nc localhost 389 < packet


Followup 1

Date: Thu, 26 Jun 2008 17:37:06 -0700
From: Howard Chu <hyc@symas.com>
To: zdi-disclosures@tippingpoint.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#5580) BER Decoding Remote DoS Vulnerability
zdi-disclosures@tippingpoint.com wrote:
> Full_Name: Cameron Hotchkies
> Version: 2.3.41
> OS: Gentoo Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (66.179.208.36)
>
>
> This vulnerability allows remote attackers to deny services on vulnerable
> installations of OpenLDAP. Authentication is not required to exploit this
> vulnerability.

Thanks for the report, a fix is now in HEAD. Please test.

> The specific flaw exists in the decoding of ASN.1 BER network datagrams. When
> the size of a BerElement is specified incorrectly, the application will trigger
> an assert(), leading to abnormal program termination.
> Tech Details:
>
> The code exhibiting the problem is located in the function ber_get_next() in
> "libraries/liblber/io.c".
>
> The function fails to properly handle the BER encoding of an element (tag +
> length + content) that contains:
>
> * an exactly 4 bytes long "multi-byte tag"
> * an exactly 4 bytes long "multi-byte size"
>
> The total size of the resulting encoding equals the size of the BerElement
> structure buffer plus one byte. This causes the function to return indicating
> that more data is needed, but leaves the read-pointer pointing right at the end
> of the buffer, which is not permitted.
>
> Subsequent calls to the function result in an assertion failure:
>
> assert( 0 ); /* ber structure is messed up ?*/
>
> Example Exploitation:
>
>    >  slapd -h ldap:// -d511 &
>    ...
>    >  xxd packet
>    0000000: ffff ff00 8441 4243 44                   .....ABCD
>    >  nc localhost 389 < packet
>
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

Date: Thu, 26 Jun 2008 17:38:34 -0700
From: Howard Chu <hyc@symas.com>
To: zdi-disclosures@tippingpoint.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#5580) BER Decoding Remote DoS Vulnerability
Howard Chu wrote:
> zdi-disclosures@tippingpoint.com wrote:
>> Full_Name: Cameron Hotchkies
>> Version: 2.3.41
>> OS: Gentoo Linux
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (66.179.208.36)
>>
>>
>> This vulnerability allows remote attackers to deny services on vulnerable
>> installations of OpenLDAP. Authentication is not required to exploit this
>> vulnerability.
>
> Thanks for the report, a fix is now in HEAD. Please test.

For future reference, it looks like this may have crept in in 2001, rev 
1.88/ITS#2465...

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 3

Date: Mon, 07 Jul 2008 13:07:30 -0700
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: hyc@symas.com, openldap-its@openldap.org
Subject: Re: (ITS#5580) BER Decoding Remote DoS Vulnerability
--On Friday, June 27, 2008 12:41 AM +0000 hyc@symas.com wrote:

> Howard Chu wrote:
>> zdi-disclosures@tippingpoint.com wrote:
>>> Full_Name: Cameron Hotchkies
>>> Version: 2.3.41
>>> OS: Gentoo Linux
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (66.179.208.36)
>>>
>>>
>>> This vulnerability allows remote attackers to deny services on
>>> vulnerable installations of OpenLDAP. Authentication is not required to
>>> exploit this vulnerability.
>>
>> Thanks for the report, a fix is now in HEAD. Please test.
>
> For future reference, it looks like this may have crept in in 2001, rev
> 1.88/ITS#2465...

2003, not 2001?

1.88 Thu Apr 24 00:10:18 2003 UTC; 5 years, 2 months ago by hyc
Changed since 1.87: +3 -3 lines
Diffs to 1.87 (colored diff)

ITS#2465 fix?  ber_get_next must read at least sizeof(tag)+sizeof(len)
which should be at most 8 bytes. However if we read more than the minimum
message length, we have a problem because we steal bytes from any following
message, and there is no buffer mechanism to push back excess data.
The shortest legitimate message is Unbind at 7 bytes, but there shouldn't
be anything following it. Abandon at 8 bytes is next, so always requesting
at least 8 bytes should be safe. Always requesting 9 was a problem.

Please double-check these assumptions...



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
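Added example, written for this page and not OpenLDAP's liblber code. It covers two points raised in the thread: the original report (a tag+length header one byte longer than an 8-byte tag/len buffer leaves ber_get_next() with a stranded read pointer) and the 1.88 commit message Quanah quotes (reading more than the minimal header steals bytes from the next message). The decoder below keeps no state between calls, so a short read just returns "need more" and is retried from the start of the accumulated bytes; the reader requests header bytes one at a time, then exactly the content length. The width limits, MAX_MSG_LEN, the function names and the constructed Unbind+Abandon stream are assumptions; the 9-byte packet is the one from the report.

```c
/* Added example for this page, not OpenLDAP/liblber code: a stateless BER
 * tag+length decoder and a reader that fetches header bytes one at a time.
 * Width limits, MAX_MSG_LEN and the sample PDU stream are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_TAG_BYTES 4          /* assumed, like sizeof(ber_tag_t) on ILP32 */
#define MAX_LEN_BYTES 4          /* assumed, like sizeof(ber_len_t) on ILP32 */
#define MAX_HDR_BYTES (MAX_TAG_BYTES + 1 + MAX_LEN_BYTES)   /* 9 */
#define MAX_MSG_LEN   262143u    /* assumed ceiling on one PDU's content */

enum { HDR_OK = 0, HDR_NEED_MORE = 1, HDR_INVALID = -1 };
typedef struct { uint32_t tag, len; size_t hdr_len; } ber_hdr;

/* Decode tag + length from buf[0..avail). Nothing survives between calls: a
 * short buffer yields HDR_NEED_MORE and the caller retries with more bytes. */
int ber_hdr_decode(const uint8_t *buf, size_t avail, ber_hdr *out)
{
    size_t i = 0, n;
    uint32_t tag, len;
    if (avail == 0) return HDR_NEED_MORE;
    tag = buf[i++];
    if ((tag & 0x1f) == 0x1f) {                       /* high-tag-number form */
        do {
            if (i >= MAX_TAG_BYTES) return HDR_INVALID;   /* wider than ber_tag_t */
            if (i >= avail) return HDR_NEED_MORE;
            tag = (tag << 8) | buf[i];
        } while (buf[i++] & 0x80);                    /* bit 7 set: more tag bytes */
    }
    if (i >= avail) return HDR_NEED_MORE;
    len = buf[i++];
    if (len & 0x80) {                                 /* long-form length */
        n = len & 0x7f;
        if (n == 0 || n > MAX_LEN_BYTES) return HDR_INVALID; /* indefinite or too wide */
        if (i + n > avail) return HDR_NEED_MORE;
        for (len = 0; n > 0; n--) len = (len << 8) | buf[i++];
    }
    out->tag = tag; out->len = len; out->hdr_len = i;
    return HDR_OK;
}

/* Scripted byte stream standing in for a socket; hands out at most `want`. */
typedef struct { const uint8_t *data; size_t len, pos; } stream;
static size_t stream_read(stream *s, uint8_t *dst, size_t want)
{
    size_t n = s->len - s->pos < want ? s->len - s->pos : want;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Read one whole PDU into out: its length, 0 on EOF at a message boundary,
 * -1 for a malformed header or oversized content. Header bytes are requested
 * singly until the decoder is satisfied, so the reader never pulls in bytes
 * that belong to the next message on the connection. */
long read_pdu(stream *s, uint8_t *out, size_t cap)
{
    ber_hdr h; size_t have = 0, total; int rc;
    if (cap < MAX_HDR_BYTES) return -1;
    for (;;) {
        rc = ber_hdr_decode(out, have, &h);
        if (rc == HDR_OK) break;
        if (rc == HDR_INVALID || have == MAX_HDR_BYTES) return -1;
        if (stream_read(s, out + have, 1) != 1) return have == 0 ? 0 : -1;
        have++;
    }
    if (h.len > MAX_MSG_LEN) return -1;               /* reject before allocating */
    total = h.hdr_len + h.len;
    if (total > cap || stream_read(s, out + have, total - have) != total - have)
        return -1;
    return (long)total;
}

/* The packet from the report: tag ff ff ff 00, then 0x84 ("4 length bytes
 * follow") and 41 42 43 44: 9 header bytes, one more than an 8-byte tag+len
 * buffer holds, announcing about 1 GiB of content that never arrives. */
static const uint8_t CRAFTED[] = { 0xff,0xff,0xff,0x00, 0x84, 0x41,0x42,0x43,0x44 };
/* Constructed sample: LDAP UnbindRequest (7 bytes) immediately followed by
 * an AbandonRequest for msgid 5 (8 bytes), the sizes from the commit log. */
static const uint8_t TWO_PDUS[] = { 0x30,0x05,0x02,0x01,0x01,0x42,0x00,
                                    0x30,0x06,0x02,0x01,0x02,0x50,0x01,0x05 };

int crafted_decode_rc(size_t avail) { ber_hdr h; return ber_hdr_decode(CRAFTED, avail, &h); }

/* 1 if all 9 bytes decode to tag ffffff00, length 0x41424344, header 9. */
int crafted_header_parsed(void)
{
    ber_hdr h;
    return ber_hdr_decode(CRAFTED, sizeof CRAFTED, &h) == HDR_OK &&
           h.tag == 0xffffff00u && h.len == 0x41424344u && h.hdr_len == 9;
}
long crafted_read_pdu(void)   /* -1: length exceeds MAX_MSG_LEN, rejected */
{
    uint8_t buf[64]; stream s = { CRAFTED, sizeof CRAFTED, 0 };
    return read_pdu(&s, buf, sizeof buf);
}
/* 1 if TWO_PDUS frames as 7, then 8, then EOF with the stream fully consumed. */
int two_pdus_framed_exactly(void)
{
    uint8_t buf[64]; stream s = { TWO_PDUS, sizeof TWO_PDUS, 0 };
    long a = read_pdu(&s, buf, sizeof buf), b = read_pdu(&s, buf, sizeof buf);
    return a == 7 && b == 8 && read_pdu(&s, buf, sizeof buf) == 0 && s.pos == s.len;
}
```

With the report's packet, crafted_decode_rc() answers "need more" for every prefix up to 8 bytes and decodes the full 9 bytes without complaint; it is read_pdu() that refuses the message, because the announced length is far above the assumed ceiling. Fetching header bytes singly costs one extra syscall per byte compared with liblber's fixed minimum read, but it is what makes the 7-byte Unbind followed by the 8-byte Abandon frame as exactly 7 then 8 with no push-back buffer needed.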


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org