RE: format string exploit in OpenLDAP server (ITS#1813)
There was a bug here, but just to put your fears to rest:
1) The code has already been fixed as of December 26, 2001; the fix is in the current (2.1) code base.
2) The bug has no security exploit potential. My reasons for saying this:

a) ACLs are configured in a static file, accessible only to the sysadmin. Anyone who can insert malicious data here already has complete access to your machine.

b) The print_acl() routine is only compiled if LDAP_DEBUG is defined, and is only executed if ACL debugging is requested at server startup.

c) The routine is only executed during server startup. There is no way to exploit the bug once the server has passed its initialization. If there is an ill-formatted string present at startup time, the server will simply crash with no LDAP service being provided. This sort of failure would be immediately obvious... (and again, see (a), which makes this a moot point.)
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> davidreign@hotmail.com
> Sent: Friday, May 10, 2002 3:11 AM
> To: openldap-its@OpenLDAP.org
> Subject: format string exploit in OpenLDAP server (ITS#1813)
>
>
> My name is David Reign and I work for a small security & investments company
> in Australia. I have discovered a "format string" bug in the ACL parsing
> portion of the slapd server.
>
> Vendor status: have not contacted till now.
>
> Details:
>
>     if ( a->acl_attrs != NULL ) {
>         int i, first = 1;
>         to++;
>
>         fprintf( stderr, " attrs=" );
>         for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
>             if ( ! first ) {
>                 fprintf( stderr, "," );
>             }
> Just Here--> fprintf( stderr, a->acl_attrs[i] );
>             first = 0;
>         }
>         fprintf( stderr, "\n" );
>     }
>
> No need to tell you that a format string bug in a remote server equals remote
> root compromise.
>
> Since it writes a->acl_attrs[i], which is one variable in the structure,
> fragmented exploitation is needed, with a little part of the string being
> written at a time. No working exploit code is known of.
>
> I also may have found numerous other format bugs like print_error(buf) but
> can't verify this yet.
>
> I will be drafting a formal advisory and since this is a HUGE issue because
> OpenLDAP has a wide user base the public needs to be notified.
>
> Be in contact soon,
> - davidr
>
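The defect the report points at is the classic one: an attribute name from the ACL configuration is passed to a printf-family function as the format string rather than as an argument. The following is an added example, not OpenLDAP code: it emulates the quoted print_acl() loop in the reported form and in the fixed form (literal "%s" format), rendering into a buffer instead of stderr so the two outputs can be compared, and adds a small configuration check that flags attribute names containing '%'. The struct `acl_attrs`, the function names, and the sample attribute list are all constructed for this example; the sample uses a harmless "%%" directive so that the difference is visible without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the slapd ACL structure: a NULL-terminated list. */
struct acl_attrs {
    const char **acl_attrs;
};

/*
 * Calling snprintf through a plain function pointer hides the non-literal
 * format from the compiler's format checks (-Wformat-security), which would
 * otherwise refuse to build the reported pattern. That check is itself the
 * cheapest detection for this bug class in a code base.
 */
static int (*const unchecked_snprintf)(char *, size_t, const char *, ...) = snprintf;

/* Reported pattern: the attribute name is the format string. Returns length or -1 on truncation. */
int render_attrs_reported(const struct acl_attrs *a, char *out, size_t outlen)
{
    size_t len = 0;
    int first = 1, i;

    len += (size_t)snprintf(out, outlen, " attrs=");
    for (i = 0; a->acl_attrs[i] != NULL; i++) {
        if (len >= outlen) return -1;
        if (!first) {
            len += (size_t)snprintf(out + len, outlen - len, ",");
            if (len >= outlen) return -1;
        }
        /* BUG: any '%' directive inside the attribute name is interpreted here. */
        len += (size_t)unchecked_snprintf(out + len, outlen - len, a->acl_attrs[i]);
        first = 0;
    }
    if (len >= outlen) return -1;
    len += (size_t)snprintf(out + len, outlen - len, "\n");
    return len < outlen ? (int)len : -1;
}

/* Fixed pattern: literal format, attribute name passed as data. */
int render_attrs_fixed(const struct acl_attrs *a, char *out, size_t outlen)
{
    size_t len = 0;
    int first = 1, i;

    len += (size_t)snprintf(out, outlen, " attrs=");
    for (i = 0; a->acl_attrs[i] != NULL; i++) {
        if (len >= outlen) return -1;
        if (!first) {
            len += (size_t)snprintf(out + len, outlen - len, ",");
            if (len >= outlen) return -1;
        }
        /* Safe: '%' in the attribute name is copied verbatim. */
        len += (size_t)snprintf(out + len, outlen - len, "%s", a->acl_attrs[i]);
        first = 0;
    }
    if (len >= outlen) return -1;
    len += (size_t)snprintf(out + len, outlen - len, "\n");
    return len < outlen ? (int)len : -1;
}

/* Configuration check: count attribute names that contain a '%' character. */
int attrs_with_directives(const struct acl_attrs *a)
{
    int i, n = 0;
    for (i = 0; a->acl_attrs[i] != NULL; i++) {
        if (strchr(a->acl_attrs[i], '%') != NULL) n++;
    }
    return n;
}

/* Constructed sample list; "%%" is a deliberately harmless directive. */
static const char *sample_attrs[] = { "cn", "sn%%mail", NULL };
const struct acl_attrs sample_acl = { sample_attrs };

int main(void)
{
    char buf[128];

    render_attrs_reported(&sample_acl, buf, sizeof buf);
    printf("reported:%s", buf);   /* " attrs=cn,sn%mail"  - the %% was consumed */
    render_attrs_fixed(&sample_acl, buf, sizeof buf);
    printf("fixed:   %s", buf);   /* " attrs=cn,sn%%mail" - copied verbatim */
    printf("attrs containing '%%': %d\n", attrs_with_directives(&sample_acl));
    return 0;
}
```

Building the reported form without the function-pointer indirection trips `-Wformat-security` (or `-Werror=format-security` on distributions that enable it), which is why that warning is worth keeping on in any build of code that logs configuration values.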