Bug 1024552 - (CVE-2013-4485) CVE-2013-4485 389-ds-base: DoS due to improper handling of ger attr searches
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
impact=important,public=20131121,repo...
: Security
Depends On: 1024977 1024978 1024979 1024980 1032898 1032899
Blocks: 1024971
Reported: 2013-10-29 18:36 EDT by Vincent Danen
Modified: 2015-10-15 14:03 EDT

Doc Type: Bug Fix
Attachments
0001-server-crash-with-bogus-GER-attribute-list.patch (3.75 KB, patch)
2013-10-29 19:18 EDT, Rich Megginson
rmeggins: review+
Description Vincent Danen 2013-10-29 18:36:08 EDT
A flaw was found in how 389-ds-base and Red Hat Directory Server handled the checking of access rights on entries using GER (Get Effective Rights), a way to extend directory searches to also display what access rights a user has to a specified entry.  When an attribute list is given in the search request, and if there are several attributes whose names contain the '@' character, 389-ds-base and Red Hat Directory Server would crash.  An attacker able to contact the server would be able to submit this type of search request with no authentication required.
Comment 1 Rich Megginson 2013-10-29 19:18:11 EDT
Created attachment 817198
0001-server-crash-with-bogus-GER-attribute-list.patch
Comment 2 Rich Megginson 2013-10-29 19:18:50 EDT
Comment on attachment 817198
0001-server-crash-with-bogus-GER-attribute-list.patch

patch against master branch.  may take some editing to apply to other branches - 1.2.11, 8.2, etc.
Comment 3 Rich Megginson 2013-10-29 19:20:00 EDT
Added test to ger npattr.sh - no regressions in GER with patch
Comment 4 Rich Megginson 2013-10-29 19:22:06 EDT
Index: npattr.sh
===================================================================
--- npattr.sh	(revision 8190)
+++ npattr.sh	(working copy)
@@ -5,7 +5,7 @@
 NPATTR_BASEDN="o=npattr"
 tet_startup="ServerInfo"
 tet_cleanup=""
-iclist="ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8 ic9 ic10 ic11 ic12 ic13 ic14 ic15 ic16 ic17 ic18 ic19 ic20 ic21 ic22 ic23 ic24 ic25" 
+iclist="ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8 ic9 ic10 ic11 ic12 ic13 ic14 ic15 ic16 ic17 ic18 ic19 ic20 ic21 ic22 ic23 ic24 ic25 ic26" 
 
 ic1="tp1"
 ic2="tp2"
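Review bot: The rewritten `iclist=` line still carries the trailing space after its closing quote; drop it while the line is being touched. The list and the `icN=` assignments are maintained by hand in two places, so a short comment above `iclist` saying that every new `icN` must be added to both would help the next person who adds a test.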
@@ -32,6 +32,7 @@
 ic23="tp23"
 ic24="tp24"
 ic25="tp25"
+ic26="bz1024552"
 
 TestSuiteName="ger"
 export TestSuiteName
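Review bot: `ic26="bz1024552"` breaks the `tpN` naming that `ic23` through `ic25` follow in the surrounding context. Either name the purpose `tp26` and keep the bug number in its `tchead` text, or add a one-line comment here stating that bug-numbered purposes are intentional, so the mapping from `icN` to function stays predictable.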
@@ -467,7 +468,26 @@
 restore_default_aci
 }
 
+bz1024552() {
+    tchead "$tet_thistest: crash the server with a well crafted list of GER search attrs"
+    num=128
+    ii=1
+    attrs=""
+    while [ $ii -le $num ] ; do
+        attrs="$attrs ${ii}@${ii} @$ii ${ii}@ ${ii}@${ii}@${ii}"
+        ii=`expr $ii + 1`
+    done
+	if $LDAPSEARCH -h "$LDAPhost" -p $LDAPport -b "$NPATTR_BASEDN" 'objectclass=*' $attrs > /dev/null ; then
+        result PASS
+        return 0
+    else
+        message "ldapsearch failed $?"
+        result FAIL
+        return 1
+    fi
+}
 
+
 ######################################################################
 ######################################################################
 ######################################################################
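Review bot: `bz1024552()` reports PASS on the exit status of a single `$LDAPSEARCH` call whose output goes to `/dev/null`, so it never confirms that the server is still running once the request has been handled. Follow the crafted search with a plain search against `$NPATTR_BASEDN` (or a process check) and only then call `result PASS`. The visible command line also passes no GER control; if the attribute-list parsing is reached without one, say so in a comment, otherwise add the control so the test exercises the GER path. Smaller points: the `if $LDAPSEARCH ...` line is tab-indented while the rest of the function uses spaces, the hunk adds a stray blank line before the `####` banner, and the `tchead` text would read better as the expected behaviour (the server survives a bogus GER attribute list) than as "crash the server".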
Comment 10 Rich Megginson 2013-10-30 13:40:32 EDT
The problem is when an attribute list is given in the search request, and there are several attributes whose names contain the "@" character.
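A detection check for the condition described in the bug description and in the comment above, as an added example that is not part of the bug report or of the 389-ds code base: it scans access-log SRCH lines and flags searches whose attribute list carries many names containing '@'. The log line layout, the constructed sample lines, the threshold of 4 and the definition of "malformed" are assumptions made for illustration.

```python
import re

# Assumed 389-ds access-log SRCH layout: conn/op ids and a quoted attrs list.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?attrs="(?P<attrs>[^"]*)"'
)

# Assumed threshold: ordinary GER requests name one or two "attr@objectclass"
# items, so several '@' names in one search is unusual.
AT_ATTR_THRESHOLD = 4

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '[29/Oct/2013:19:22:06 -0400] conn=7 op=1 SRCH base="o=npattr" scope=2 '
    'filter="(objectClass=*)" attrs="cn sn *@person"',
    '[29/Oct/2013:19:22:09 -0400] conn=8 op=1 SRCH base="o=npattr" scope=2 '
    'filter="(objectClass=*)" attrs="1@1 @1 1@ 1@1@1 2@2 @2 2@ 2@2@2"',
    '[29/Oct/2013:19:22:10 -0400] conn=9 op=0 BIND dn="" method=128 version=3',
]


def suspicious_searches(lines, threshold=AT_ATTR_THRESHOLD):
    """Return (conn, op, at_count, malformed_count) for each SRCH operation
    whose attribute list holds at least `threshold` names containing '@'."""
    hits = []
    for line in lines:
        m = SRCH_RE.search(line)
        if not m:
            continue  # not a SRCH line, or attrs not logged as a quoted list
        at_attrs = [a for a in m.group("attrs").split() if "@" in a]
        # Assumption: a well-formed item has exactly one '@' with text on
        # both sides; anything else is counted as malformed.
        malformed = [a for a in at_attrs
                     if a.count("@") != 1
                     or a.startswith("@") or a.endswith("@")]
        if len(at_attrs) >= threshold:
            hits.append((int(m.group("conn")), int(m.group("op")),
                         len(at_attrs), len(malformed)))
    return hits


if __name__ == "__main__":
    for conn, op, total, bad in suspicious_searches(SAMPLE_LOG):
        print(f"conn={conn} op={op}: {total} '@' attrs, {bad} malformed")
```

Correlating a hit with the connection's BIND line shows whether the request came in unauthenticated, which is the case the description calls out.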
Comment 15 Rich Megginson 2013-10-30 16:02:18 EDT
Comment on attachment 817198
0001-server-crash-with-bogus-GER-attribute-list.patch

reviewed by nhosoi (Thanks!)
Comment 18 Huzaifa S. Sidhpurwala 2013-11-21 03:18:18 EST
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1032898]
Affects: epel-5 [bug 1032899]
Comment 19 errata-xmlrpc 2013-11-21 19:33:40 EST
This issue has been addressed in the following products:

  Red Hat Directory Server 8 for RHEL 5

Via RHSA-2013:1753 https://rhn.redhat.com/errata/RHSA-2013-1753.html
Comment 20 errata-xmlrpc 2013-11-21 19:34:35 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1752 https://rhn.redhat.com/errata/RHSA-2013-1752.html
Comment 21 Fedora Update System 2013-11-25 23:13:23 EST
389-ds-base-1.3.2.7-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2013-12-03 05:31:43 EST
389-ds-base-1.3.1.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2014-01-13 15:07:59 EST
389-ds-base-1.2.11.25-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 24 Fedora Update System 2014-01-14 03:38:59 EST
389-ds-base-1.3.0.9-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
