Open Source and information security mailing list archives
Date: Tue, 12 Dec 2006 01:42:47 -0800
From: Solar Eclipse <>
Subject: OpenLDAP kbind authentication buffer overflow

There is a remotely exploitable buffer overflow in the Kerberos KBIND
authentication code in the OpenLDAP slapd server.

The vulnerability is in the krbv4_ldap_auth function in
servers/slapd/kerberos.c. This function processes LDAP bind requests that
specify the LDAP_AUTH_KRBV41 authentication method. The cred variable contains
a pointer to the Kerberos authentication data sent by the client. The length of
the data is not checked before it is copied into a fixed-size buffer on the
stack. Sending a bind request with more than 1250 bytes of credential data will
result in a buffer overflow. The vulnerable code is given below:

krbv4_ldap_auth(Backend *be, struct berval *cred, AUTH_DAT *ad)
{
    KTEXT_ST        k;
    KTEXT           ktxt = &k;
    char            instance[INST_SZ];
    int             err;

    Debug( LDAP_DEBUG_TRACE, "=> kerberosv4_ldap_auth\n", 0, 0, 0 );

    /* cred->bv_len is client-controlled and is never compared against
       the size of ktxt->dat before the copy */
    AC_MEMCPY( ktxt->dat, cred->bv_val, cred->bv_len );

    /* ... remainder of the function omitted in the advisory ... */
}

There should be a length check before the call to AC_MEMCPY, rejecting any
credential longer than the destination buffer.
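The following is an added illustration of the fix, not code from the advisory or from OpenLDAP. It uses constructed stand-ins for KTEXT_ST and struct berval (the field names other than dat, bv_len and bv_val are illustrative) and shows the bounds check that the advisory says is missing: a credential is copied only if it fits in the fixed-size dat array, so a 1250-byte credential is accepted and a 1251-byte one is refused before any copy happens.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-ins for the Kerberos v4 / OpenLDAP types named in the
 * advisory. MAX_KTXT_LEN is 1250, matching the overflow threshold given in
 * the text; the other field names are illustrative, not the real headers. */
#define MAX_KTXT_LEN 1250

typedef struct {
    int length;                        /* bytes of ticket data in dat (assumed field) */
    unsigned char dat[MAX_KTXT_LEN];   /* the fixed-size buffer that overflows */
    unsigned long mbz;                 /* trailer, assumed field */
} KTEXT_ST;

struct berval {
    size_t bv_len;                     /* length supplied by the client */
    char *bv_val;                      /* credential bytes supplied by the client */
};

/* Hardened form of the copy in krbv4_ldap_auth: validate the client-
 * controlled length against the destination size before memcpy.
 * Returns 0 on success, -1 if the credential does not fit. */
static int copy_cred_checked(KTEXT_ST *ktxt, const struct berval *cred)
{
    if (cred->bv_val == NULL || cred->bv_len > sizeof(ktxt->dat)) {
        return -1;   /* refuse oversized input instead of overflowing */
    }
    memcpy(ktxt->dat, cred->bv_val, cred->bv_len);
    ktxt->length = (int)cred->bv_len;
    return 0;
}

/* Demo helper: build a credential of `len` filler bytes (constructed input,
 * not real Kerberos data) and report whether the checked copy accepts it. */
static int try_cred_of_length(size_t len)
{
    static char filler[MAX_KTXT_LEN + 64];
    KTEXT_ST k;
    struct berval cred;

    if (len > sizeof(filler)) {
        return -1;   /* keep the demo itself in bounds */
    }
    memset(filler, 'A', sizeof(filler));
    memset(&k, 0, sizeof(k));
    cred.bv_val = filler;
    cred.bv_len = len;
    return copy_cred_checked(&k, &cred);
}

int main(void)
{
    printf("1250 bytes: %s\n", try_cred_of_length(1250) == 0 ? "accepted" : "rejected");
    printf("1251 bytes: %s\n", try_cred_of_length(1251) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check compares against sizeof(ktxt->dat) rather than a separate constant so it cannot drift from the buffer definition; a bind with an over-long credential is answered with an error from the caller instead of reaching memcpy.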

The vulnerable code is enabled only when OpenLDAP is compiled with the
--enable-kbind option, which has been disabled by default since version 2.0.2
and was removed from the configure script in the 2.1 release. The chance of
finding a real system that is still vulnerable is minimal; however, the code is
still present in the latest 2.4.3 version of OpenLDAP and can be enabled
manually as described in

For more details and exploit code see

Solar Eclipse

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -
