Bug 1024552 (CVE-2013-4485) - CVE-2013-4485 389-ds-base: DoS due to improper handling of ger attr searches
Summary: CVE-2013-4485 389-ds-base: DoS due to improper handling of ger attr searches
Keywords:
Status: NEW
Alias: CVE-2013-4485
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1024977 1024978 1024979 1024980 1032898 1032899
Blocks: 1024971
TreeView+ depends on / blocked
 
Reported: 2013-10-29 22:36 UTC by Vincent Danen
Modified: 2019-09-29 13:09 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)
0001-server-crash-with-bogus-GER-attribute-list.patch (3.75 KB, patch)
2013-10-29 23:18 UTC, Rich Megginson
rmeggins: review+
Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1752 normal SHIPPED_LIVE Important: 389-ds-base security update 2013-11-21 09:36:24 UTC
Red Hat Product Errata RHSA-2013:1753 normal SHIPPED_LIVE Important: redhat-ds-base security update 2013-11-21 09:36:15 UTC

Description Vincent Danen 2013-10-29 22:36:08 UTC
A flaw in how 389-ds-base and Red Hat Directory Server handled the checking of access rights on entries using GER (Get Effective Rights), a way to extend directory searches to also display what access rights a user has to a specified entry.  When an attribute list is given in the search request, and if there are several attributes whose names contain the '@' character, 389-ds-base and Red Hat Directory Server would crash.  An attacker able to contact the server would be able to submit this type of search request with no authentication required.

Comment 1 Rich Megginson 2013-10-29 23:18:11 UTC
Created attachment 817198 [details]
0001-server-crash-with-bogus-GER-attribute-list.patch

Comment 2 Rich Megginson 2013-10-29 23:18:50 UTC
Comment on attachment 817198 [details]
0001-server-crash-with-bogus-GER-attribute-list.patch

patch against master branch.  may take some editing to apply to other branches - 1.2.11, 8.2, etc.

Comment 3 Rich Megginson 2013-10-29 23:20:00 UTC
Added test to ger npattr.sh - no regressions in GER with patch

Comment 4 Rich Megginson 2013-10-29 23:22:06 UTC
Index: npattr.sh
===================================================================
--- npattr.sh	(revision 8190)
+++ npattr.sh	(working copy)
@@ -5,7 +5,7 @@
 NPATTR_BASEDN="o=npattr"
 tet_startup="ServerInfo"
 tet_cleanup=""
-iclist="ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8 ic9 ic10 ic11 ic12 ic13 ic14 ic15 ic16 ic17 ic18 ic19 ic20 ic21 ic22 ic23 ic24 ic25" 
+iclist="ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8 ic9 ic10 ic11 ic12 ic13 ic14 ic15 ic16 ic17 ic18 ic19 ic20 ic21 ic22 ic23 ic24 ic25 ic26" 
 
 ic1="tp1"
 ic2="tp2"
@@ -32,6 +32,7 @@
 ic23="tp23"
 ic24="tp24"
 ic25="tp25"
+ic26="bz1024552"
 
 TestSuiteName="ger"
 export TestSuiteName
@@ -467,7 +468,26 @@
 restore_default_aci
 }
 
+bz1024552() {
+    tchead "$tet_thistest: crash the server with a well crafted list of GER search attrs"
+    num=128
+    ii=1
+    attrs=""
+    while [ $ii -le $num ] ; do
+        attrs="$attrs ${ii}@${ii} @$ii ${ii}@ ${ii}@${ii}@${ii}"
+        ii=`expr $ii + 1`
+    done
+	if $LDAPSEARCH -h "$LDAPhost" -p $LDAPport -b "$NPATTR_BASEDN" 'objectclass=*' $attrs > /dev/null ; then
+        result PASS
+        return 0
+    else
+        message "ldapsearch failed $?"
+        result FAIL
+        return 1
+    fi
+}
 
+
 ######################################################################
 ######################################################################
 ######################################################################

Comment 10 Rich Megginson 2013-10-30 17:40:32 UTC
The problem is when an attribute list is given in the search request, and there are several attributes whose names contain the "@" character.

Comment 15 Rich Megginson 2013-10-30 20:02:18 UTC
Comment on attachment 817198 [details]
0001-server-crash-with-bogus-GER-attribute-list.patch

reviewed by nhosoi (Thanks!)

Comment 18 Huzaifa S. Sidhpurwala 2013-11-21 08:18:18 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1032898]
Affects: epel-5 [bug 1032899]

Comment 19 errata-xmlrpc 2013-11-22 00:33:40 UTC
This issue has been addressed in following products:

  Red Hat Directory Server 8 for RHEL 5

Via RHSA-2013:1753 https://rhn.redhat.com/errata/RHSA-2013-1753.html

Comment 20 errata-xmlrpc 2013-11-22 00:34:35 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1752 https://rhn.redhat.com/errata/RHSA-2013-1752.html

Comment 21 Fedora Update System 2013-11-26 04:13:23 UTC
389-ds-base-1.3.2.7-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2013-12-03 10:31:43 UTC
389-ds-base-1.3.1.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2014-01-13 20:07:59 UTC
389-ds-base-1.2.11.25-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2014-01-14 08:38:59 UTC
389-ds-base-1.3.0.9-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.