
Re: (ITS#8240) OpenLDAP ber_get_next denial of service vulnerability



denis.andzakovic@security-assessment.com wrote:
> Full_Name: Denis Andzakovic
> Version: 2.4.42
> OS: Debian 8
> URL:
> Submission from: (NULL) (2402:6000:110:a01:743b:8319:1f96:bd89)
>
>
> OpenLDAP ber_get_next Denial of Service
> Affected Versions: OpenLDAP <= 2.4.42
>
> +-------------+
> | Description |
> +-------------+
> This document details a vulnerability found within the OpenLDAP server daemon. A
> Denial of Service vulnerability was discovered within the slapd daemon, allowing
> an unauthenticated attacker to crash the OpenLDAP server.
>
> By sending a crafted packet, an attacker may cause the OpenLDAP server to reach
> an assert() statement, crashing the daemon. This was tested on OpenLDAP 2.4.42
> (built with GCC 4.9.2) and OpenLDAP 2.4.40 installed from the Debian package
> repository.

Thanks for the report. Fixed now in git master.

> +--------------+
> | Exploitation |
> +--------------+
> By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash
> with a SIGABRT. This is due to an assert() call within the ber_get_next method
> (io.c line 682) that is hit when decoding tampered BER data.
>
> The following proof of concept exploit can be used to trigger the condition:
>
> --[ Exploit POC
> echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389

It's easier to just pipe this into liblber/dtest.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
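
The report above describes an assert() being reachable from network-supplied BER data. As an added example (not OpenLDAP's code and not the fix committed for this ITS), the sketch below parses a BER identifier and length from an untrusted buffer and returns a status for every malformed case instead of asserting. The function name, status codes and both limits are assumptions made for illustration, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and limits for this example; not liblber's API. */
enum { BER_HDR_OK = 0, BER_HDR_NEED_MORE = 1, BER_HDR_INVALID = -1 };
#define MAX_TAG_OCTETS 4u          /* assumed policy limit */
#define MAX_PDU_LEN (1u << 20)     /* assumed policy limit: 1 MiB */

struct ber_hdr { uint32_t tag; size_t len; size_t hdr_len; };

/* Parse identifier + definite length from untrusted bytes. Malformed input
 * yields a status code; nothing on this path asserts or aborts. */
int ber_parse_header(const uint8_t *buf, size_t n, struct ber_hdr *out)
{
    size_t i = 0, k, nlen;
    if (n == 0) return BER_HDR_NEED_MORE;
    out->tag = buf[i++];
    if ((out->tag & 0x1f) == 0x1f) {            /* multi-octet tag */
        for (;;) {
            if (i == MAX_TAG_OCTETS) return BER_HDR_INVALID;  /* too long */
            if (i == n) return BER_HDR_NEED_MORE;
            out->tag = (out->tag << 8) | buf[i];
            if (!(buf[i++] & 0x80)) break;      /* last tag octet */
        }
    }
    if (i == n) return BER_HDR_NEED_MORE;
    if (!(buf[i] & 0x80)) {                     /* short-form length */
        out->len = buf[i++];
    } else {                                    /* long-form length */
        nlen = buf[i++] & 0x7f;
        /* LDAP uses definite lengths only; also cap the length-of-length. */
        if (nlen == 0 || nlen > 4) return BER_HDR_INVALID;
        if (n - i < nlen) return BER_HDR_NEED_MORE;
        for (out->len = 0, k = 0; k < nlen; k++)
            out->len = (out->len << 8) | buf[i++];
    }
    if (out->len > MAX_PDU_LEN) return BER_HDR_INVALID;
    out->hdr_len = i;
    return BER_HDR_OK;
}

int main(void)
{
    /* Constructed input: identifier with too many continuation octets. */
    const uint8_t bad[] = { 0x7f, 0x81, 0x81, 0x81, 0x81, 0x01, 0x00 };
    struct ber_hdr h;
    printf("status=%d\n", ber_parse_header(bad, sizeof bad, &h));
    return 0;
}
```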