
Re: (ITS#5580) BER Decoding Remote DoS Vulnerability



--On Friday, June 27, 2008 12:41 AM +0000 hyc@symas.com wrote:

> Howard Chu wrote:
>> zdi-disclosures@tippingpoint.com wrote:
>>> Full_Name: Cameron Hotchkies
>>> Version: 2.3.41
>>> OS: Gentoo Linux
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (66.179.208.36)
>>>
>>>
>>> This vulnerability allows remote attackers to deny services on
>>> vulnerable installations of OpenLDAP. Authentication is not required to
>>> exploit this vulnerability.
>>
>> Thanks for the report, a fix is now in HEAD. Please test.
>
> For future reference, it looks like this may have crept in in 2001, rev
> 1.88/ITS#2465...

2003, not 2001?

1.88 Thu Apr 24 00:10:18 2003 UTC; 5 years, 2 months ago by hyc
Changed since 1.87: +3 -3 lines
Diffs to 1.87 (colored diff)

ITS#2465 fix?  ber_get_next must read at least sizeof(tag)+sizeof(len)
which should be at most 8 bytes. However if we read more than the minimum
message length, we have a problem because we steal bytes from any following
message, and there is no buffer mechanism to push back excess data.
The shortest legitimate message is Unbind at 7 bytes, but there shouldn't
be anything following it. Abandon at 8 bytes is next, so always requesting
at least 8 bytes should be safe. Always requesting 9 was a problem.

Please double-check these assumptions...



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
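To check the sizes quoted in the rev 1.88 log message, here is an added Python illustration (not code from OpenLDAP or from anyone in the thread): it builds the minimal UnbindRequest and AbandonRequest PDUs and frames a byte stream by reading the BER tag and length first, so the reader takes exactly one message and never steals bytes from the one that follows. The ldap_message helper assumes message IDs below 128 so the messageID INTEGER stays one byte.

```python
import io

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ldap_message(msg_id, op):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }; assumes msg_id < 128."""
    body = b"\x02\x01" + bytes([msg_id]) + op
    return b"\x30" + ber_len(len(body)) + body

UNBIND = ldap_message(1, b"\x42\x00")       # UnbindRequest: [APPLICATION 2] NULL, 7 bytes
ABANDON = ldap_message(1, b"\x50\x01\x01")  # AbandonRequest: [APPLICATION 16] INTEGER, 8 bytes

def ber_get_next(stream):
    """Return one complete BER element, or None at a clean end of stream.
    Reads the tag, then the length, then exactly `length` body bytes, so no
    byte of a following message is consumed (the push-back problem above)."""
    tag = stream.read(1)
    if not tag:
        return None
    hdr = tag + stream.read(1)
    if len(hdr) < 2:
        raise ValueError("truncated length octet")
    if hdr[1] < 0x80:
        length = hdr[1]
    else:
        n = hdr[1] & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        lb = stream.read(n)
        if len(lb) != n:
            raise ValueError("truncated length")
        length = int.from_bytes(lb, "big")
        hdr += lb
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return hdr + body

def split_stream(data):
    """Frame back-to-back messages in `data` into a list of whole PDUs."""
    s = io.BytesIO(data)
    out = []
    while (m := ber_get_next(s)) is not None:
        out.append(m)
    return out
```

Feeding ABANDON followed by UNBIND through split_stream yields the two PDUs intact, whereas a fixed 9-byte first read would already hold the first byte of the Unbind.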