Re: (ITS#5580) BER Decoding Remote DoS Vulnerability
zdi-disclosures@tippingpoint.com wrote:
> Full_Name: Cameron Hotchkies
> Version: 2.3.41
> OS: Gentoo Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (66.179.208.36)
>
>
> This vulnerability allows remote attackers to deny services on vulnerable
> installations of OpenLDAP. Authentication is not required to exploit this
> vulnerability.
Thanks for the report, a fix is now in HEAD. Please test.
> The specific flaw exists in the decoding of ASN.1 BER network datagrams. When
> the size of a BerElement is specified incorrectly, the application will trigger
> an assert(), leading to abnormal program termination.
> Tech Details:
>
> The code exhibiting the problem is located in the function ber_get_next()
> function in "libraries/liblber/io.c" .
>
> The function fails to properly handle the BER encoding of an element (tag + length +
> content) that contains:
>
> * a "multi-byte tag" exactly 4 bytes long
> * a "multi-byte size" exactly 4 bytes long
>
> The total size of the resulting encoding equals the size of the BerElement
> structure buffer plus one byte. This causes the function to return indicating that
> more data are needed, but it leaves the read pointer pointing right at the end of
> the buffer, which is not permitted.
>
> Subsequent calls to the function result in an assertion failure:
>
> assert( 0 ); /* ber structure is messed up ?*/
>
> Example Exploitation:
>
> > slapd -h ldap:// -d511&
> ...
> > xxd packet
> 0000000: ffff ff00 8441 4243 44 .....ABCD
> > nc localhost 389< packet
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
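The report above describes a tag + length prefix whose 4-byte tag and 4-byte long-form length together overrun the decoder's scratch buffer by one byte. The following is an added example, not liblber or OpenLDAP code: a bounded header decoder that caps both fields at the 4-byte widths the report refers to, reports "need more data" without moving past the bytes it was given, and rejects oversized fields. The packet constant is built from the xxd dump in the report; the 256 KiB content limit in main is an assumed value.

```c
/* Added example (not liblber code): bounded BER tag + length header decoder.
 * Never reads or advances past the n bytes supplied by the caller. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define BER_NEED_MORE      0   /* header incomplete: read more, keep offset */
#define BER_INVALID       -1   /* malformed or oversized header: drop it */
#define BER_MAX_TAG_BYTES  4   /* width of ber_tag_t on a 32-bit build */
#define BER_MAX_LEN_BYTES  4   /* width of ber_len_t on a 32-bit build */
struct ber_hdr { uint32_t tag; uint32_t len; }; /* tag octets packed big-endian */
/* Constructed from the report's xxd dump: 4-byte tag, 0x84 + 4 length bytes. */
static const uint8_t zdi_packet[9] =
    { 0xff,0xff,0xff,0x00, 0x84, 0x41,0x42,0x43,0x44 };
/* Returns the header size in bytes (> 0), BER_NEED_MORE or BER_INVALID.
 * Whatever it returns, the caller's read offset stays within [0, n]. */
int ber_decode_header(const uint8_t *buf, size_t n, struct ber_hdr *out)
{
    size_t i = 0, nlen, k;
    uint32_t tag, len;
    if (n == 0) return BER_NEED_MORE;
    tag = buf[i++];
    if ((tag & 0x1f) == 0x1f) {                /* multi-byte tag */
        do {
            if (i >= BER_MAX_TAG_BYTES) return BER_INVALID;
            if (i >= n) return BER_NEED_MORE;
            tag = (tag << 8) | buf[i];
        } while (buf[i++] & 0x80);            /* high bit set: tag continues */
    }
    if (i >= n) return BER_NEED_MORE;
    len = buf[i++];
    if (len & 0x80) {                          /* long-form length */
        nlen = len & 0x7f;
        if (nlen == 0 || nlen > BER_MAX_LEN_BYTES) return BER_INVALID;
        if (i + nlen > n) return BER_NEED_MORE;
        for (len = 0, k = 0; k < nlen; k++) len = (len << 8) | buf[i++];
    }
    out->tag = tag;
    out->len = len;
    return (int)i;
}
int main(void)
{
    struct ber_hdr h;
    int r = ber_decode_header(zdi_packet, sizeof zdi_packet, &h);
    /* A server also bounds the announced content length before allocating
     * for it; slapd's sockbuf_max_incoming setting serves that purpose. */
    printf("header %d bytes, tag 0x%08x, content length %u, within limit: %s\n",
           r, h.tag, h.len, h.len <= 262144u ? "yes" : "no");
    return 0;
}
```

On the report's packet the header decodes cleanly in 9 bytes with an announced content length of 0x41424344, which the size limit then rejects; truncated prefixes return BER_NEED_MORE with the offset still inside the supplied buffer.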