lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 12 Dec 2006 01:42:47 -0800
From: Solar Eclipse <solareclipse@...eedom.org>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: OpenLDAP kbind authentication buffer overflow

There is a remotely exploitable buffer overflow in the Kerberos KBIND
authentication code in the OpenLDAP slapd server.

The vulnerability is in the krbv4_ldap_auth function in
servers/slapd/kerberos.c. This function processes LDAP bind requests that
specify the LDAP_AUTH_KRBV41 authentication method. The cred variable contains
a pointer to the Kerberos authentication data sent by the client. The length of
the data is not checked before it is copied into a fixed size buffer on the
stack. Sending a bind request with more than 1250 bytes of credential data will
result in a buffer overflow. The vulnerable code is given below:

krbv4_ldap_auth(Backend *be, struct berval *cred, AUTH_DAT *ad)
{
    KTEXT_ST        k;
    KTEXT           ktxt = &k;
    char            instance[INST_SZ];
    int             err;

    Debug( LDAP_DEBUG_TRACE, "=> kerberosv4_ldap_auth\n", 0, 0, 0 );

    AC_MEMCPY( ktxt->dat, cred->bv_val, cred->bv_len );

There should be a length check before the call to memcpy.

The vulnerable code is enabled only when OpenLDAP is compiled with the
--enable-kbind option, which has been disabled by default since version 2.0.2
and was removed from the configure script in the 2.1 release. The chance of
finding a real system that is still vulnerable is minimal, however the code is
still available in the latest 2.4.3 version of OpenLDAP and can be enabled
manually as described in http://www.openldap.org/lists/openldap-software/200206/msg00371.html

For more details and exploit code see
http://www.phreedom.org/solar/exploits/openldap-kbind/


Solar Eclipse

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists