** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **
CC'ing robbat2 for ldap herd
Following information comes from CERT-FI:
This information is embargoed until OpenLDAP 2.4.23 is released. Please
check the availability of the release before publishing any of this
information. The release is currently in testing and should be out in a
couple of days. OpenLDAP tracks this issue as ITS#6570 and CERT-FI as
FICORA #383115. The issues are fixed in OpenLDAP CVS in 2.4 branch and
= The Report
Two OpenLDAP preauth, out of box and stock config exploitable
vulnerabilities. One null pointer dereference and one free based on
uninitialized pointer, potentially leading to total compromise.
= Description of bug #1 (CVE-FIXME)
OpenLDAP crashes with segfault during the processing of a modrdn call
with maliciously formed destination rdn string. No authentication is
required to trigger this vulnerability.
= Description of bug #2 (CVE-FIXME)
OpenLDAP crashes at a null pointer dereference during the processing of
modrdn call with maliciously formed destination rdn string. No
authentication is required to trigger this vulnerability.
= Analysis #1
In the function modrdn.c:386:slap_modrdn2mods() a call is made to
448:*desc->ad_type->sat_equality->smr_normalize() without checking its
return value. In this case the call fails and leaves
mod_tmp->sml_nvalues uninitialized which leads to an invalid free()
later in modrdn.c:202:slap_mods_free(). The breakdown of smr_normalize()
is caused by invalid UTF-8 sequences, which are passed to the software
via hex-formatted strings. It could be possible to insert and execute
malicious code by careful manipulation of the program state prior to
triggering the vulnerability. At least with a vanilla compilation of
2.4.22 it proved possible to freely control the invalid pointer being
freed. For example, the following kind of log message is produced:
*** glibc detected *** /usr/sbin/slapd: double free or corruption (out): 0x002ce400 ***
= Analysis #2
As with bug #1, the crash occurs during a call to smr_normalize, but in
this case the call points to IA5StringNormalize which crashes with a
null pointer dereference at schema_init.c:2696.
= Tested versions
OpenLDAP 2.4.22 (vanilla), 2.4.11-1+lenny1, 2.4.21-0ubuntu5
The vulnerability was found by Ilkka Mattila and Tuomas Salomäki with
Codenomicon LDAPv3 test suite at the Codenomicon Crash Test Party.
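An added illustration of the fix pattern that Analysis #1 and #2 call for (example code written for this page, not OpenLDAP's ITS#6570 patch): `berval`, `mod`, `toy_normalize`, `mods_free` and `build_mod` are hypothetical stand-ins for slapd's structures and functions, and the ASCII-only normaliser rule is an assumption.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for slapd's berval and Modification structures. */
struct berval { size_t bv_len; char *bv_val; };
struct mod    { struct berval *sml_values; struct berval *sml_nvalues; };
/* Toy stand-in for smr_normalize() (ASCII only, lower-cased: an assumption).
 * Fails on an empty value (bug #2) and on non-ASCII bytes, as invalid UTF-8 (bug #1). */
static int toy_normalize(const struct berval *in, struct berval *out)
{
    if (in->bv_val == NULL || in->bv_len == 0) return -1;
    out->bv_val = malloc(in->bv_len + 1);
    if (out->bv_val == NULL) return -1;
    for (size_t i = 0; i < in->bv_len; i++) {
        unsigned char c = (unsigned char)in->bv_val[i];
        if (c >= 0x80) { free(out->bv_val); out->bv_val = NULL; return -1; }
        out->bv_val[i] = (char)tolower(c);
    }
    out->bv_val[in->bv_len] = '\0';
    out->bv_len = in->bv_len;
    return 0;
}
/* Cleanup in the spirit of slap_mods_free(): frees whatever the mod holds. It
 * is only safe because build_mod() never leaves sml_nvalues uninitialised. */
static void mods_free(struct mod *m)
{
    free(m->sml_values);                   /* values alias the caller's string */
    if (m->sml_nvalues) { free(m->sml_nvalues[0].bv_val); free(m->sml_nvalues); }
    m->sml_values = m->sml_nvalues = NULL;
}
/* Hardened form of the slap_modrdn2mods() step. The unfixed code called the
 * normaliser without checking its result, so on a malformed RDN sml_nvalues
 * held a garbage pointer that slap_mods_free() later handed to free(). */
int build_mod(const char *rdn_value, struct mod *m)
{
    struct berval in = { strlen(rdn_value), (char *)rdn_value };
    struct berval *nv = calloc(2, sizeof *nv);
    m->sml_nvalues = NULL;                 /* fix 1: known state before any failure */
    m->sml_values  = calloc(2, sizeof *m->sml_values);
    if (m->sml_values == NULL || nv == NULL || toy_normalize(&in, &nv[0]) != 0) {
        free(nv);                          /* fix 2: check the rc and unwind cleanly */
        mods_free(m);                      /* sml_nvalues is NULL: nothing bogus freed */
        return -1;
    }
    m->sml_values[0] = in;
    m->sml_nvalues   = nv;
    return 0;
}
```

A well-formed RDN value yields a normalised copy; an empty value or one carrying a non-ASCII byte is rejected before any pointer reaches free().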
The patches seem to be marked with the ITS# in CVS if someone wants to look at those.
I got to crash 2.4.19-r1 with both issues.
This is public as per $URL.
The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not
check the return value of a call to the smr_normalize function, which
allows remote attackers to cause a denial of service (segmentation
fault) and possibly execute arbitrary code via a modrdn call with an
RDN string containing invalid UTF-8 sequences, which triggers a free
of an invalid, uninitialized pointer in the slap_mods_free function,
as demonstrated using the Codenomicon LDAPv3 test suite.
OpenLDAP 2.4.22 allows remote attackers to cause a denial of service
(crash) via a modrdn call with a zero-length RDN destination string,
which is not properly handled by the smr_normalize function and
triggers a NULL pointer dereference in the IA5StringNormalize
function in schema_init.c, as demonstrated using the Codenomicon
LDAPv3 test suite.
2.4.23 in tree.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Marked ppc stable.
GLSA with 290345.
This issue was resolved and addressed in
GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml
by GLSA coordinator Yury German (BlueKnight).