A DoS flaw was reported to the OpenLDAP BTS:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

The bug states:

This vulnerability allows remote attackers to deny services on vulnerable installations of OpenLDAP. Authentication is not required to exploit this vulnerability. The specific flaw exists in the decoding of ASN.1 BER network datagrams. When the size of a BerElement is specified incorrectly, the application will trigger an assert(), leading to abnormal program termination.

Tech Details:

The code exhibiting the problem is located in the ber_get_next() function in "libraries/liblber/io.c". The function fails to properly handle the BER encoding of an element (tag + length + content) that contains:

 * an exactly 4 bytes long "multi-byte tag"
 * an exactly 4 bytes long "multi-byte size"

The total size of the resulting encoding equals the size of the BerElement structure buffer plus one byte. This causes the function to return indicating that more data is needed, but leaves the read pointer pointing right at the end of the buffer, which is not permitted. Subsequent calls to the function result in an assertion failure:

  assert( 0 ); /* ber structure is messed up ?*/

Example Exploitation:

 > slapd -h ldap:// -d511 &
 ...
 > xxd packet
 0000000: ffff ff00 8441 4243 44 .....ABCD
 > nc localhost 389 < packet
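To make the "4-byte tag + 4-byte length" condition concrete, here is an added example (written for this page, not OpenLDAP's liblber code) that decodes a BER tag/length header from the packet bytes shown in the xxd dump above and flags a header that would not fit in a fixed-size header buffer. The buffer size of 8 bytes is an assumption for the demo (sizeof(tag) + sizeof(length) on a 32-bit build, which is consistent with the report's 9-byte packet being "one byte" too long); the function names parse_ber_header and header_overflows_buffer are this example's own.

```python
"""BER tag/length header decoder (added example, not liblber code)."""

# Constructed input, identical to the `xxd packet` dump in the report:
#   ff ff ff 00     long-form tag: 0x1f in the first octet, then base-128
#                   continuation octets (high bit set on 0xff, clear on 0x00)
#   84 41 42 43 44  long-form length: 0x84 = "4 length octets follow",
#                   value 0x41424344
PACKET = bytes.fromhex("ffffff00" "8441424344")

# Assumed size of the scratch buffer the tag+length header is accumulated in
# (sizeof(tag) + sizeof(length) on a 32-bit build). Demo assumption only.
HEADER_BUF_SIZE = 8


def parse_ber_header(data: bytes) -> dict:
    """Decode the BER tag and length that start `data`.

    Returns tag class/constructed bit/number, how many bytes the tag and the
    length field occupy, the content length, and the total header size.
    Raises ValueError when the header is truncated or uses a form LDAP forbids.
    """
    if not data:
        raise ValueError("need more data: empty input")
    pos = 0
    first = data[pos]
    pos += 1
    tag_number = first & 0x1F
    if tag_number == 0x1F:  # long-form tag: base-128, high bit = continuation
        tag_number = 0
        while True:
            if pos >= len(data):
                raise ValueError("need more data: truncated tag")
            b = data[pos]
            pos += 1
            tag_number = (tag_number << 7) | (b & 0x7F)
            if not (b & 0x80):
                break
    tag_bytes = pos

    if pos >= len(data):
        raise ValueError("need more data: missing length")
    lb = data[pos]
    pos += 1
    len_octets = 0
    if lb & 0x80:  # long-form length: low 7 bits = number of length octets
        len_octets = lb & 0x7F
        if len_octets == 0:
            raise ValueError("indefinite length is not allowed in LDAP")
        if pos + len_octets > len(data):
            raise ValueError("need more data: truncated length")
        length = int.from_bytes(data[pos:pos + len_octets], "big")
        pos += len_octets
    else:  # short form: the octet itself is the length
        length = lb
    return {
        "tag_class": first >> 6,
        "constructed": bool(first & 0x20),
        "tag_number": tag_number,
        "tag_bytes": tag_bytes,
        "len_octets": len_octets,
        "len_field_bytes": pos - tag_bytes,
        "length": length,
        "header_bytes": pos,
    }


def header_overflows_buffer(data: bytes, bufsize: int = HEADER_BUF_SIZE) -> bool:
    """True when the complete tag+length header is larger than `bufsize`.

    A decoder that accumulates the header in a fixed buffer must reject this
    case before advancing its read pointer to (or past) the end of that buffer,
    which is the state the report says leads to the later assert(0).
    """
    return parse_ber_header(data)["header_bytes"] > bufsize


if __name__ == "__main__":
    hdr = parse_ber_header(PACKET)
    print(hdr)
    print("overflows header buffer:", header_overflows_buffer(PACKET))
```

Running it on the report's packet decodes a 4-byte tag, a length field with 4 length octets (5 bytes including the 0x84 indicator) and a total header of 9 bytes, one more than the assumed 8-byte buffer; a normal LDAP PDU header such as 30 0c (SEQUENCE, short-form length) is 2 bytes and passes the check.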
Created attachment 310609: Patch from upstream CVE. This patch came from here: http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0
The testcase only crashes the Red Hat Enterprise Linux 4 and 5 versions of openldap. The 2.1 and 3 versions seem to handle this just fine.
Original upstream patch was reported to be broken:
http://www.openwall.com/lists/oss-security/2008/07/02/2

Different patch applied upstream:
http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.121&r2=1.122&f=h
openldap-2.3.39-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
openldap-2.4.8-6.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0583.html

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6029
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6062
ZDI advisory related to this issue: http://marc.info/?l=full-disclosure&m=121873649307918&w=4