OpenLDAP kbind authentication buffer overflow

2006-12-13 / 2006-12-14
Credit: Solar Eclipse
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

There is a remotely exploitable buffer overflow in the Kerberos KBIND authentication code in the OpenLDAP slapd server. The vulnerability is in the krbv4_ldap_auth function in servers/slapd/kerberos.c. This function processes LDAP bind requests that specify the LDAP_AUTH_KRBV41 authentication method. The cred variable contains a pointer to the Kerberos authentication data sent by the client. The length of the data is not checked before it is copied into a fixed size buffer on the stack. Sending a bind request with more than 1250 bytes of credential data will result in a buffer overflow. The vulnerable code is given below: krbv4_ldap_auth(Backend *be, struct berval *cred, AUTH_DAT *ad) { KTEXT_ST k; KTEXT ktxt = &k; char instance[INST_SZ]; int err; Debug( LDAP_DEBUG_TRACE, "=> kerberosv4_ldap_auth\n", 0, 0, 0 ); AC_MEMCPY( ktxt->dat, cred->bv_val, cred->bv_len ); There should be a length check before the call to memcpy. The vulnerable code is enabled only when OpenLDAP is compiled with the --enable-kbind option, which has been disabled by default since version 2.0.2 and was removed from the configure script in the 2.1 release. The chance of finding a real system that is still vulnerable is minimal, however the code is still available in the latest 2.4.3 version of OpenLDAP and can be enabled manually as described in http://www.openldap.org/lists/openldap-software/200206/msg00371.html For more details and exploit code see http://www.phreedom.org/solar/exploits/openldap-kbind/ Solar Eclipse


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top