
Re: (ITS#4740) SASL bind assert




Entirely possible (conflicting libdb versions). However, this crash is 100%
reproducible on my system using the Nessus test specifically for the bug at
issue here. Nessus script ID is 20939, entitled "OpenLDAP SASL Bind Denial
of Service Vulnerability".

I actually was going to try to reproduce the problem with a perl script but
it seemed more time than it was worth since I had a reliable failure case
with the NASL script.

I've searched to see if there appears to be a libdb conflict of some sort,
and can't find anything, but that may just mean I haven't looked hard
enough!

I spent some more time poring over the code last night, and nothing jumped out
at me. However, as a further data point, I played with the NASL script some
to send different data, and I can ONLY get the server to crash if I send
spaces. Specifically, the relevant (and hopefully self-documenting) line of
NASL script is as follows:

mkbyte(4) + mkbyte(0x82) + mkword(0x0400) + crap(data:" ", length:1024);

If 'data:" "' is changed to be 'data:"A"', for example, the server does not
crash, and the message in the debug output is what I expect (snipped for
brevity).

Last line of hex dump follows:
  0400:  41 41 41 41                                        AAAA
ber_scanf fmt (}}) ber:
ber_dump: buf=0x09ec9330 ptr=0x09ec974f end=0x09ec974f len=0

>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech CRAM-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=1024
SASL [conn=3] Failure: need authentication name
send_ldap_result: conn=3 op=1 p=3
send_ldap_result: err=80 matched="" text="SASL(-5): bad protocol / cancel:
need authentication name"
send_ldap_response: msgid=509 tag=97 err=80
ber_flush: 72 bytes to sd 13

Does this help?

Brian

On 11/27/06, Howard Chu <hyc@symas.com> wrote:
>
> Kurt D. Zeilenga wrote:
> > At 08:06 PM 11/27/2006, hyc@symas.com wrote:
> >> Kurt@OpenLDAP.org wrote:
> >>> At 07:51 PM 11/27/2006, Kurt D. Zeilenga wrote:
> >>>> Spoke too soon.
> >>>> Your code appears to be sending the same requests as
> >>>> Nessus, at least as described here:
> >>>>  http://www.nessus.org/plugins/index.php?view=viewsrc&id=23625
> >>>>
> >>>> Suspect a mismatch between what you and Brian are
> >>>> testing...
> >>> Howard, is the normalized authcDN in your testing correct?
> >> It has a single escaped space.
> >
> > And that's correct (I was wrong before).  A directory string of
> > N spaces normalizes to a single space, which must be escaped in
> > the DN.
> >
> > So it does seem like you and Brian are simply not running the
> > same code.
>
> The only difference between my current RE23 tree and 2.3.30 is in
> syncprov.c which is obviously not involved here. I would guess Brian's
> issue may be libsasl2 related, and no longer something resident in the
> OpenLDAP code. (E.g., conflicting libdb versions.)
>
> --
>    -- Howard Chu
>    Chief Architect, Symas Corp.  http://www.symas.com
>    Director, Highland Sun        http://highlandsun.com/hyc
>    OpenLDAP Core Team            http://www.openldap.org/project/
>
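As an added example (not part of the ITS thread and not OpenLDAP or Nessus code), the following Python decodes the BER header that the NASL line above builds (tag 0x04, long-form length 0x82 0x04 0x00, i.e. a 1024-byte OCTET STRING) and applies the normalization rule Kurt states, that a directory string of N spaces normalizes to a single space, which is then escaped in DN string form. The sample byte strings are constructed here; the `uid=<authcid>,cn=<mech>,cn=auth` DN shape and the simplified space handling are assumptions made for the illustration, so the output is the value to compare a `dnPrettyNormal` trace against rather than a statement of what any particular slapd build produces.

```python
"""
Added example: decode one BER OCTET STRING and show how an authcid made of
spaces is normalized and escaped into DN string form.
Not code from the ITS thread, OpenLDAP or Nessus.
"""
import re

# DN special characters that must be backslash-escaped anywhere (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;')


def decode_ber_octet_string(buf: bytes):
    """Decode one BER OCTET STRING (tag 0x04) with short- or long-form length.

    Returns (value, bytes_consumed). Raises ValueError when the tag is wrong,
    the length encoding is unsupported, or the declared length runs past the
    buffer (the failure mode a robust receiver has to handle).
    """
    if len(buf) < 2:
        raise ValueError("truncated TLV")
    if buf[0] != 0x04:
        raise ValueError(f"expected OCTET STRING tag 0x04, got {buf[0]:#04x}")
    first = buf[1]
    if first < 0x80:
        # Short form: the byte itself is the length.
        length, hdr = first, 2
    else:
        # Long form: low 7 bits give the number of following length bytes.
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(buf[2:2 + n], "big")
        hdr = 2 + n
    if len(buf) < hdr + length:
        raise ValueError(
            f"declared length {length} exceeds {len(buf) - hdr} available bytes")
    return buf[hdr:hdr + length], hdr + length


def ber_is_complete(buf: bytes) -> bool:
    """True when buf holds one well-formed OCTET STRING, False otherwise."""
    try:
        decode_ber_octet_string(buf)
        return True
    except ValueError:
        return False


def normalize_directory_string(value: str) -> str:
    """Simplified insignificant-space handling (assumption for this example):
    a value consisting only of spaces becomes a single space; otherwise runs
    of spaces collapse to one and leading/trailing spaces are dropped."""
    if value.strip(" ") == "":
        return " "
    return re.sub(" +", " ", value).strip(" ")


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for RFC 4514 DN string form: specials,
    a leading '#', leading/trailing spaces, and control characters."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append(f"\\{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def expected_authc_dn(authcid: bytes, mech: str) -> str:
    """Assumed DN shape uid=<authcid>,cn=<mech>,cn=auth (illustration only)."""
    normalized = normalize_directory_string(authcid.decode("utf-8", "replace"))
    return f"uid={escape_dn_value(normalized)},cn={mech.lower()},cn=auth"


if __name__ == "__main__":
    # Constructed sample: the NASL header bytes followed by 1024 spaces.
    spaces = b"\x04\x82\x04\x00" + b" " * 1024
    value, used = decode_ber_octet_string(spaces)
    print(f"octet string of {len(value)} bytes, {used} bytes consumed")
    print("expected authcDN:", expected_authc_dn(value, "CRAM-MD5"))
    # The same header with only four payload bytes, as in the AAAA hex dump
    # line, is an incomplete element and must be rejected, not read past.
    print("AAAA sample complete:", ber_is_complete(b"\x04\x82\x04\x00AAAA"))
```

Run it as a script to see the decoded length and the normalized DN; the incomplete-element check is the point a defender cares about, since a decoder that trusts the declared 1024 without checking the bytes actually present is exactly the kind of bug a length-mismatch test probes.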
