Re: (ITS#4740) SASL bind assert
Entirely possible (conflicting libdb versions). However, this crash is 100%
reproducible on my system using the Nessus test specifically for the bug at
issue here. Nessus script ID is 20939, entitled "OpenLDAP SASL Bind Denial
of Service Vulnerability".
I actually was going to try to reproduce the problem with a perl script but
it seemed more time than it was worth since I had a reliable failure case
with the NASL script.
I've searched to see if there appears to be a libdb conflict of some sort,
and can't find anything, but that may just mean I haven't looked hard
enough!
I spent some more time poring over the code last night, and nothing jumped out
at me. However, as a further data point, I played with the NASL script some
to send different data, and I can ONLY get the server to crash if I send
spaces. Specifically, the relevant (and hopefully self-documenting) line of
NASL script is as follows:
mkbyte(4) + mkbyte(0x82) + mkword(0x0400) + crap(data:" ", length:1024);
If 'data:" "' is changed to be 'data:"A"', for example, the server does not
crash, and the message in the debug output is what I expect (snipped for
brevity).
Last line of hex dump follows:
0400: 41 41 41 41 AAAA
ber_scanf fmt (}}) ber:
ber_dump: buf=0x09ec9330 ptr=0x09ec974f end=0x09ec974f len=0
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech CRAM-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=1024
SASL [conn=3] Failure: need authentication name
send_ldap_result: conn=3 op=1 p=3
send_ldap_result: err=80 matched="" text="SASL(-5): bad protocol / cancel:
need authentication name"
send_ldap_response: msgid=509 tag=97 err=80
ber_flush: 72 bytes to sd 13
Does this help?
Brian
On 11/27/06, Howard Chu <hyc@symas.com> wrote:
>
> Kurt D. Zeilenga wrote:
> > At 08:06 PM 11/27/2006, hyc@symas.com wrote:
> >> Kurt@OpenLDAP.org wrote:
> >>> At 07:51 PM 11/27/2006, Kurt D. Zeilenga wrote:
> >>>> Spoke too soon.
> >>>> Your code appears to be sending the same requests as
> >>>> Nessus, at least as described here:
> >>>> http://www.nessus.org/plugins/index.php?view=viewsrc&id=23625
> >>>>
> >>>> Suspect a mismatch between what you and Brian are
> >>>> testing...
> >>> Howard, is the normalized authcDN in your testing correct?
> >> It has a single escaped space.
> >
> > And that's correct (I was wrong before). A directory string of
> > N spaces normalizes to a single space, which must be escaped in
> > the DN.
> >
> > So it does seem like you and Brian are simply not running the
> > same code.
>
> The only difference between my current RE23 tree and 2.3.30 is in
> syncprov.c which is obviously not involved here. I would guess Brian's
> issue may be libsasl2 related, and no longer something resident in the
> OpenLDAP code. (E.g., conflicting libdb versions.)
>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> OpenLDAP Core Team http://www.openldap.org/project/
>
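Added example, not code from this thread or from OpenLDAP itself: a simplified Python model of the normalization Kurt describes, where a run of N spaces collapses to a single space that must then be escaped when it appears as an attribute value in a DN. The space-collapsing rule here is a simplifying assumption modelled on the thread's statement, not OpenLDAP's own UTF8StringNormalize; the escaping follows RFC 4514.

```python
import re

# Characters RFC 4514 requires to be backslash-escaped anywhere in a DN value.
_SPECIAL = set('",+;<>\\')


def normalize_directory_string(value: str) -> str:
    """Simplified model of directory-string normalization for matching.

    Assumption (modelled on the thread, not OpenLDAP's code): runs of spaces
    collapse to one space; a value made entirely of spaces becomes a single
    space rather than the empty string; otherwise surrounding spaces are
    dropped.
    """
    if not value:
        return value
    if all(ch == " " for ch in value):
        return " "
    return re.sub(r" +", " ", value).strip(" ")


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RFC 4514 string DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                 # NUL must be hex-escaped
        elif ch in _SPECIAL:
            out.append("\\" + ch)              # special characters anywhere
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                  # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                  # leading '#'
        else:
            out.append(ch)
    return "".join(out)


def normalized_dn_component(attr: str, raw_value: str) -> str:
    """Normalize a raw value and render it as one escaped RDN component."""
    return f"{attr}={escape_dn_value(normalize_directory_string(raw_value))}"


if __name__ == "__main__":
    # Constructed input mirroring the thread: 1024 spaces as the value.
    print(repr(normalized_dn_component("cn", " " * 1024)))  # 'cn=\\ '
```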