[Date Prev][Date Next] [Chronological] [Thread] [Top]

format string exploit in OpenLDAP server (ITS#1813)

my name is david reign and i work for a small security & investments company 
in australia. i have discovered a "format string" bug in the acl parsing 
portion of the slapd server.

vendor status: have not contacted till now


if ( a->acl_attrs != NULL ) {
		int	i, first = 1;

		fprintf( stderr, " attrs=" );
		for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
			if ( ! first ) {
				fprintf( stderr, "," );
	Just Here-->	fprintf( stderr, a->acl_attrs[i] );
			first = 0;
		fprintf(  stderr, "\n" );

no need to tell you that format string bug in remote server equals remote 
root compromise.

since it writes a->acl_attrs[i] which is one variable in the structure, 
fragmented exploitation is needed, with a little part of the string being 
written at a time. no working exploit code is known of.

i also may have found numerous other format bugs like print_error(buf) but 
can't verify this yet.

i will be drafting a formal advisory and since this is a HUGE issue because 
OpenLDAP has a wide user base the public needs to be notified.

be in contact soon,
- davidr

Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.