640597 – sssd is not escaping correctly LDAP searches

Bug 640597 - sssd is not escaping correctly LDAP searches

Summary: sssd is not escaping correctly LDAP searches

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	sssd
Sub Component:
Version:	el5
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Stephen Gallagher
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	640601 640602
TreeView+	depends on / blocked

Reported:	2010-10-06 12:40 UTC by Loris Santamaria
Modified:	2020-05-02 16:16 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Clones:	640601 640602 (view as bug list)
Environment:
Last Closed:	2011-08-25 15:45:07 UTC
Type:	---
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 1681	0	None	closed	sssd is not escaping correctly LDAP searches	2020-07-01 08:49:37 UTC

Description Loris Santamaria 2010-10-06 12:40:49 UTC

Description of problem:

sssd is not escaping correctly LDAP searches, and when it receives an error from the LDAP server is going offline

Version-Release number of selected component (if applicable):

sssd-1.2.1-27.el5

How reproducible:

always

Steps to Reproduce:

I noticed that sssd in some of our servers was going offline with no apparent reason, so bumping up the debug_level I found this in the logs:

(Wed Oct  6 07:27:09 2010) [sssd[be[ALMACARONI]]] [be_get_account_info] (4): Got request for [4097][1][name=hacienda\eladio]
(Wed Oct  6 07:27:09 2010) [sssd[be[ALMACARONI]]] [sdap_get_generic_send] (3): ldap_search_ext failed: Bad search filter
(Wed Oct  6 07:27:09 2010) [sssd[be[ALMACARONI]]] [be_run_offline_cb] (3): Going offline. Running callbacks.

A bit of investigation turned up that the query was initiated by winbind, which was running on the server, so it was a matter of changing the "winbind separator" and restarting winbind and sssd to hide the problem.

Now is evident that this is a bug in SSSD, where it is sufficient that any user queryiing for a username with an '\' in its name to have SSSD going offline.

I reproduced this executing "id hacienda\\eladio"

Comment 1 Vincent Danen 2010-10-29 16:16:54 UTC

You note how this can be triggered, so I'm trying to determine the exact vector here.  It looks as though samba might be a way to trigger this, so it would be something that could be done remotely?  Is it possible to do this via ssh or other remote login mechanisms, or can it only be done locally?  Finally, does this require a valid account lookup to trigger?  Doing 'id joe\\blow' on my Fedora 13 box yields nothing in /var/log/{secure,messages} (but perhaps this is fixed in newer SSSD).

Comment 4 Loris Santamaria 2010-10-29 17:52:19 UTC

Indeed on Fedora 13 (sssd-1.3.0) the bahavior is different, trying a ssh
connection like "ssh -l joe\\blow localhost" leds to the following messages in
the sssd logs:

(Fri Oct 29 12:11:12 2010) [sssd[be[LGS.COM.VE]]] [be_get_account_info] (4):
Got request for [4097][1][name=joe\blow]
(Fri Oct 29 12:11:12 2010) [sssd[be[LGS.COM.VE]]] [fo_resolve_service_send]
(4): Trying to resolve service 'IPA'
(Fri Oct 29 12:11:12 2010) [sssd[be[LGS.COM.VE]]] [be_resolve_server_done] (4):
Found address for server XXXXXX: [YYYYY]
(Fri Oct 29 12:11:13 2010) [sssd[be[LGS.COM.VE]]] [sasl_bind_send] (4):
Executing sasl bind mech: GSSAPI, user: host/ZZZZZZZ
(Fri Oct 29 12:11:13 2010) [sssd[be[LGS.COM.VE]]] [child_sig_handler] (4):
child [5751] finished successfully.
(Fri Oct 29 12:11:13 2010) [sssd[be[LGS.COM.VE]]] [fo_set_port_status] (4):
Marking port 0 of server 'XXXXXX' as 'working'
(Fri Oct 29 12:11:13 2010) [sssd[be[LGS.COM.VE]]] [set_server_common_status]
(4): Marking server 'XXXXXX' as 'working'
(Fri Oct 29 12:11:13 2010) [sssd[be[LGS.COM.VE]]] [sdap_get_generic_send] (3):
ldap_search_ext failed: Bad search filter
(Fri Oct 29 12:11:13 2010) [sssd[be[LGS.COM.VE]]] [sdap_id_op_done] (5):
communication error on cached connection, moving to next server

So sssd 1.3.0 still sends the incorrectly escaped username to the ldap server
but at least it tries to connect again after receiving the error.

On a RHEL 5 system this bug is a sort of a denial of service because any remote
user can trigger the offline mode of sssd, and if one does not have the
credential cache active is effectively locked out of the box.

Comment 6 Vincent Danen 2010-10-29 18:05:17 UTC

(In reply to comment #4)
> Indeed on Fedora 13 (sssd-1.3.0) the bahavior is different, trying a ssh
> connection like "ssh -l joe\\blow localhost" leds to the following messages in
> the sssd logs:

Interesting.  Can you provide your /etc/pam.d/system-auth and /etc/sssd/sssd.conf configuration files to assist in reproducing?  I am unable to reproduce this here (using LDAP+kerberos authentication).  Also, those log messages are coming from which file, exactly?  A log file in /var/log/sssd/?

Thanks.

Comment 7 Stephen Gallagher 2010-10-29 18:16:50 UTC

I tested on Fedora 14, and it actually depends on which character follows the \ in the request. For \e (as in the example in the original comment), it still causes the offline behaviour even on SSSD 1.3.0 and 1.4.0.

However, with \b I saw the same as you did above. So the problem does still exist.

Comment 9 Dmitri Pal 2010-11-01 21:17:06 UTC

For easier references: https://fedorahosted.org/sssd/ticket/639

Comment 10 Stephen Gallagher 2011-08-25 15:45:07 UTC

This bug is fixed in the RHEL 5.7 packages. SSSD is no longer supported in Fedora EPEL.

Note You need to log in before you can comment on or make changes to this bug.