OpenLDAP kbind authentication buffer overflow

Advisory Content :

There is a remotely exploitable buffer overflow in the Kerberos KBIND
authentication code in the OpenLDAP slapd server.

The vulnerability is in the krbv4_ldap_auth function in
servers/slapd/kerberos.c. This function processes LDAP bind requests that
specify the LDAP_AUTH_KRBV41 authentication method. The cred variable
contains
a pointer to the Kerberos authentication data sent by the client. The
length of
the data is not checked before it is copied into a fixed size buffer on
the
stack. Sending a bind request with more than 1250 bytes of credential data
will
result in a buffer overflow. The vulnerable code is given below:

krbv4_ldap_auth(Backend *be, struct berval *cred, AUTH_DAT *ad)
{
KTEXT_ST k;
KTEXT ktxt = &k;
char instance[INST_SZ];
int err;

Debug( LDAP_DEBUG_TRACE, "=> kerberosv4_ldap_authn", 0, 0, 0 );

AC_MEMCPY( ktxt->dat, cred->bv_val, cred->bv_len );

There should be a length check before the call to memcpy.

The vulnerable code is enabled only when OpenLDAP is compiled with the
--enable-kbind option, which has been disabled by default since version
2.0.2
and was removed from the configure script in the 2.1 release. The chance
of
finding a real system that is still vulnerable is minimal, however the code
is
still available in the latest 2.4.3 version of OpenLDAP and can be enabled
manually as described in
http://www.openldap.org/lists/openldap-software/200206/msg00371.html

For more details and exploit code see
http://www.phreedom.org/solar/exploits/openldap-kbind/

Solar Eclipse

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

OpenLDAP kbind authentication buffer overflow