ldap vulnerabilities

From: blackshell@hushmail.com
To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com, vulnwatch@vulnwatch.org
Date: Mon,  6 May 2002 03:29:42 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --- Blackshell Advisory # 5 ---

Local Format String Vuln in pam_ldap and remote in squid_auth_ldap

- --- Blackshell Advisory # 5 ---

- --- Versions Affected ---

pam_ldap:

143 prior
vendor status: nil

squid_auth_ldap:

2.0 prior
vendor status: nil

- --- What is PAM? ---

PAM stands for Pluggable Authentication Module.
It lets you authenticate from one service to another.

- --- What is Squid Auth Modules? ---

Squid authentication modules allow you to connect to
external services through the Squid caching server.
This one adds ldap:// functionality to the Squid server.

- --- Details ---

- --- in pam_ldap ---

fp = fopen (configFile, "r");

  if (fp == NULL)
    {
      /*
       * According to PAM Documentation, such an error in a config file
       * SHOULD be logged at LOG_ALERT level
       */
      snprintf (errmsg, sizeof (errmsg), "pam_ldap: missing file \"%s\"",
                configFile);
      syslog (LOG_ALERT, errmsg);
      return PAM_SERVICE_ERR;
    }

configFile is set as follows:

      else if (!strncmp (argv[i], "config=", 7))
        configFile = argv[i] + 7;

in the main function.

- --- in squid_auth_ldap ---

void logging( int ll, const char* fmt, ... )
{
  char buffer[1024];
  va_list ap;
  va_start( ap, fmt );

  vsnprintf( buffer, 1024, fmt, ap );

  if( ll == DEBUG && _logLevel >= DEBUG )
        {
          syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
                printf("DEBUG\n");
#endif*/
        }
        else
        if( ll == WARN && _logLevel >= WARN )
        {
          syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
          printf("WARN\n");
#endif*/
        }
        else
        if( ll == INFO && _logLevel >= INFO )
        {
          syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
          printf("INFO\n");
#endif*/
        }
        else
        if( ll == RUN && _logLevel >= RUN )
        {
          syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
           printf("RUN\n");
#endif*/
        }
}

vulnerable calls to the function logging() would include:

ldap_utils.c: logging( INFO, "- password check for %s", dn );
ldap_utils.c: logging( DEBUG, "- (%d) %s", i, val[i] );
ldap_utils.c: logging( DEBUG, "- open connection to ldapserver: %s:%d", ldapServer, ldapPort);
ldap_utils.c: logging( WARN, "- cannot login to: %s:%d", ldapServer, ldapPort);
ldap_utils.c: logging( DEBUG, "- search for: %s", searchStr );
ldap_utils.c: logging( DEBUG, "- entry found: %s", grpDN );
ldap_utils.c: logging( DEBUG, "- searchstr: %s", searchStr );
ldap_utils.c: logging( DEBUG, "- start searching for uid: %s", uid );
ldap_utils.c: logging( WARN, "- user \"%s\", not found!\n", uid);
ldap_utils.c: logging( DEBUG, "- DN found: %s", udn );
ldap_utils.c: logging( DEBUG, "- is user %s in %s\n", dn, gdn );
ldap_utils.c: logging( DEBUG, "- user \"%s\" is in Group \"%s\"", dn, gdn );
ldap_utils.c: logging( DEBUG, "- user \"%s\" is NOT in Group \"%s\"", dn, gdn );
main.c: logging( RUN, "%s - %s - starting", PROG, VERS );
main.c: logging( RUN, "- find DN for group %s\n", conf.pxyGroup );
main.c: logging( WARN, "- unable to find group: %s", conf.pxyGroup );
main.c: logging( DEBUG, "- group DN: %s", dnGrp );
main.c: logging( RUN, "%s - %s - ready", PROG, VERS );
main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( RUN, "%s - %s - stopping", PROG, VERS );
main.c: logging( DEBUG, "- user string: |%s|", buf);
main.c: logging( DEBUG, "- got User: %s", user );
main.c: logging( DEBUG, "- got Password: %s", crypt (pass, "42") );
options.c: logging(DEBUG,"- ldapServer: %s ", conf->ldapServer );
options.c: logging(DEBUG,"- searchBase: %s ", conf->searchBase );
options.c: logging(DEBUG,"- pxyGroup: %s ", conf->pxyGroup );
options.c: logging(DEBUG,"- confFile: %s ", conf->confFile );
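
Added example (not part of the original advisory or of either project's code): both snippets above build a message and then pass that finished message to syslog() as the format argument, so any '%' that arrived through configFile, uid, dn and so on is parsed a second time. The sketch below shows that second parse next to the corrected call with a constant "%s" format. sink(), via_message_as_format(), via_constant_format() and reparsed() are hypothetical names, and sink() stands in for syslog() so the output can be compared.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for syslog(priority, fmt, ...): it formats into
 * `out` so the result can be inspected instead of being sent to the log. */
static void sink(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Pattern from the advisory: build the message, then pass it as the format. */
const char *via_message_as_format(const char *uid)
{
    static char out[256];
    char buffer[256];
    snprintf(buffer, sizeof buffer, "- got User: %s", uid);
    sink(out, sizeof out, buffer);        /* message is parsed a second time */
    return out;
}

/* Corrected pattern: constant format, message passed only as data. */
const char *via_constant_format(const char *uid)
{
    static char out[256];
    char buffer[256];
    snprintf(buffer, sizeof buffer, "- got User: %s", uid);
    sink(out, sizeof out, "%s", buffer);  /* message is never parsed */
    return out;
}

/* 1 if the two paths disagree, i.e. the value was interpreted as a format. */
int reparsed(const char *uid)
{
    char first[256];
    snprintf(first, sizeof first, "%s", via_message_as_format(uid));
    return strcmp(first, via_constant_format(uid)) != 0;
}

int main(void)
{
    /* Constructed inputs; "%%" is the only directive used because it
     * consumes no arguments, so the second parse is well defined. */
    printf("%d %d\n", reparsed("alice"), reparsed("50%%off"));
    return 0;
}
```

glibc declares syslog() with the printf format attribute, so building with -Wformat -Wformat-security reports calls of the form syslog(LOG_ALERT, errmsg).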

- --- hellos ---

contributors to blackshell

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl8EARECAB8FAjzWXpMYHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut
VJ8An1vCesmFEIEbBJ+O5Yt1cxahmjUAAJ9bBOYREsMHke8IBmutnguhbHU3XA==
=v4NU
-----END PGP SIGNATURE-----


