Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 323777 - <net-nds/openldap-2.4.23: null pointer dereference and one free based on uninitialized pointer (CVE-2010-{0211,0212})
Summary: <net-nds/openldap-2.4.23: null pointer dereference and one free based on unin...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.openldap.org/its/index.cgi...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-13 14:36 UTC by Matthias Geerdsen (RETIRED)
Modified: 2014-07-01 00:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 14:36:14 UTC
** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **

CC'ing robbat2 for ldap herd

Following information comes from CERT-FI:

This information is embargoed until OpenLDAP 2.4.23 is released. Please
check the availability of the release before publishing any of this
information. The release is currently in testing and should be out in a
couple of days. OpenLDAP tracks this issue as ITS#6570 and CERT-FI as
FICORA #383115. The issues are fixed in OpenLDAP CVS in 2.4 branch and
in HEAD.
[...]
= The Report

Two OpenLDAP preauth, out of box and stock config exploitable
vulnerabilities. One null pointer dereference and one free based on
uninitialized pointer, potentially leading to total compromise.

= Description of bug #1 (CVE-FIXME)
	OpenLDAP crashes with segfault during the processing of a modrdn call
with maliciously formed destination rdn string. No authentication is
required to trigger this vulnerability.

= Description of bug #2 (CVE-FIXME)
	OpenLDAP crashes at a null pointer dereference during the processing of
modrdn call with maliciously formed destination rdn string. No
authentication is required to trigger this vulnerability.


= Analysis #1
	In the function modrdn.c:386:slap_modrdn2mods() a call is made to
448:*desc->ad_type->sat_equality->smr_normalize() without checking its
return value. In this case the call fails and leaves
mod_tmp->sml_nvalues uninitialized which leads to an invalid free()
later in modrdn.c:202:slap_mods_free(). The breakdown of smr_normalize()
is caused by invalid UTF-8 sequences, which are passed to the software
via hex-formatted strings. It could be possible to insert and execute
malicious code by careful manipulation of the program state prior to
triggering the vulnerability. At least with a vanilla compilation of
2.4.22 it proved possible to freely control the invalid pointer being
freed. For example, the following kind of log message is produced:
    * ** glibc detected *** /usr/sbin/slapd: double free or corruption
(out): 0x002ce400 ***

= Analysis #2
	As with bug #1, the crash occurs during a call to smr_normalize, but in
this case the call points to IA5StringNormalize which crashes with a
null pointer dereference at schema_init.c:2696.

[...]
= Tested versions
	OpenLDAP 2.4.22 (vanilla), 2.4.11-1+lenny1, 2.4.21-0ubuntu5

= Credits
	The vulnerability was found by Ilkka Mattila and Tuomas Salomäki with
Codenomicon LDAPv3 test suite at the Codenomicon Crash Test Party.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 14:47:47 UTC
The patches seem to be marked with the ITS# in CVS if someone wants to look at those.
I got to crash 2.4.19-r1 with both issues.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-10 12:40:35 UTC
This is public as per $URL.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-10 12:53:51 UTC
CVE-2010-0211 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0211):
  The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not
  check the return value of a call to the smr_normalize function, which
  allows remote attackers to cause a denial of service (segmentation
  fault) and possibly execute arbitrary code via a modrdn call with an
  RDN string containing invalid UTF-8 sequences, which triggers a free
  of an invalid, uninitialized pointer in the slap_mods_free function,
  as demonstrated using the Codenomicon LDAPv3 test suite.

CVE-2010-0212 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0212):
  OpenLDAP 2.4.22 allows remote attackers to cause a denial of service
  (crash) via a modrdn call with a zero-length RDN destination string,
  which is not properly handled by the smr_normalize function and
  triggers a NULL pointer dereference in the IA5StringNormalize
  function in schema_init.c, as demonstrated using the Codenomicon
  LDAPv3 test suite.

Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-30 11:07:14 UTC
ldap-bugs: ping
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-08-31 06:52:10 UTC
2.4.23 in tree.
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-31 10:13:21 UTC
Arches, please test and mark stable:
=net-nds/openldap-2.4.23
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-09-01 03:13:50 UTC
x86 stable
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2010-09-03 13:19:12 UTC
amd64 done
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2010-09-04 16:55:24 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 10 Jeroen Roovers gentoo-dev 2010-09-06 10:09:00 UTC
Stable for HPPA.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:22:59 UTC
ppc64 done
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2010-09-12 04:34:32 UTC
Marked ppc stable.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 16:55:11 UTC
GLSA with 290345.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-07-01 00:22:02 UTC
This issue was resolved and addressed in
 GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml
by GLSA coordinator Yury German (BlueKnight).