
format string exploit in OpenLDAP server (ITS#1813)



my name is david reign and i work for a small security & investments company 
in australia. i have discovered a "format string" bug in the acl parsing 
portion of the slapd server.

vendor status: have not contacted till now

details:

	if ( a->acl_attrs != NULL ) {
		int	i, first = 1;
		to++;

		fprintf( stderr, " attrs=" );
		for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
			if ( ! first ) {
				fprintf( stderr, "," );
			}
			/* Just Here--> */
			fprintf( stderr, a->acl_attrs[i] );
			first = 0;
		}
		fprintf( stderr, "\n" );
	}

no need to tell you that a format string bug in a remote server equals remote 
root compromise.

since it writes a->acl_attrs[i] which is one variable in the structure, 
fragmented exploitation is needed, with a little part of the string being 
written at a time. no working exploit code is known of.

i also may have found numerous other format bugs like print_error(buf) but 
can't verify this yet.

i will be drafting a formal advisory, and since this is a HUGE issue (OpenLDAP 
has a wide user base) the public needs to be notified.

be in contact soon,
- davidr
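The defect in the quoted loop is that an attacker-influenced string is passed as the printf format itself. The C below is an added example, not code from the post or from OpenLDAP: it rewrites the same loop with the attribute name passed as a "%s" argument, writing into a buffer so the result can be checked, and adds a hypothetical helper that flags attribute names carrying a '%' directive, the kind of check an operator could run over ACL configuration before it reaches a logging path. Function names and the sample attribute list are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not slapd's): nonzero if an ACL attribute name
 * contains a printf directive, i.e. text that the unpatched
 * fprintf( stderr, a->acl_attrs[i] ) would have interpreted. */
int acl_attr_has_directive(const char *attr)
{
    return strchr(attr, '%') != NULL;
}

/* Safe counterpart of the quoted loop: the attribute name is only ever a
 * "%s" argument, never the format. Builds the " attrs=..." line into a
 * caller-supplied buffer, truncating safely, and returns the number of
 * characters the complete line needs (snprintf semantics). */
size_t format_acl_attrs(char *out, size_t outlen, const char *const *attrs)
{
    size_t used;
    int i, first = 1, n;

    n = snprintf(out, outlen, " attrs=");
    if (n < 0)
        return 0;
    used = (size_t)n;
    for (i = 0; attrs[i] != NULL; i++) {
        /* room is 0 once the buffer is full; snprintf then writes nothing */
        size_t room = used < outlen ? outlen - used : 0;
        n = snprintf(out + (used < outlen ? used : outlen), room,
                     "%s%s", first ? "" : ",", attrs[i]);
        if (n < 0)
            return used;
        used += (size_t)n;
        first = 0;
    }
    n = snprintf(out + (used < outlen ? used : outlen),
                 used < outlen ? outlen - used : 0, "\n");
    return n < 0 ? used : used + (size_t)n;
}

int main(void)
{
    /* constructed sample: two normal attribute names and one carrying '%' */
    const char *const attrs[] = { "cn", "mail", "bad%attr", NULL };
    char line[64];
    int i;

    format_acl_attrs(line, sizeof line, attrs);
    fputs(line, stderr);
    for (i = 0; attrs[i] != NULL; i++)
        if (acl_attr_has_directive(attrs[i]))
            fprintf(stderr, "warning: attribute %s contains '%%'\n", attrs[i]);
    return 0;
}
```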



