A flaw was found in how 389-ds-base and Red Hat Directory Server handled the checking of access rights on entries using GER (Get Effective Rights), a way to extend directory searches to also display what access rights a user has to a specified entry. When an attribute list is given in the search request, and if there are several attributes whose names contain the '@' character, 389-ds-base and Red Hat Directory Server would crash. An attacker able to contact the server would be able to submit this type of search request with no authentication required.
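For triage on the server side, the request shape described above can be looked for in the directory server's access log. This is an added example, not code from the bug report or from 389-ds-base; it assumes the access log records searches as `conn=N op=N SRCH ... attrs="..."` lines, the sample log lines are constructed, and the threshold of two '@' attributes is an assumption to tune.

```python
import re

# Assumed layout of a 389-ds access-log SRCH line (not taken from the bug report).
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?attrs="(?P<attrs>[^"]*)"')

# Constructed sample lines: a plain search, a single attr@objectclass request,
# and a list shaped like the one the regression test builds.
SAMPLE = [
    '[05/Nov/2013:10:00:01 -0500] conn=7 op=1 SRCH base="o=npattr" scope=2 '
    'filter="(objectClass=*)" attrs="cn sn mail"',
    '[05/Nov/2013:10:00:02 -0500] conn=8 op=1 SRCH base="o=npattr" scope=2 '
    'filter="(objectClass=*)" attrs="cn@inetorgperson"',
    '[05/Nov/2013:10:00:03 -0500] conn=9 op=1 SRCH base="o=npattr" scope=2 '
    'filter="(objectClass=*)" attrs="1@1 @1 1@ 1@1@1 2@2 @2 2@ 2@2@2"',
    '[05/Nov/2013:10:00:03 -0500] conn=9 op=1 RESULT err=0 tag=101 nentries=0 etime=0',
]

def is_malformed(name):
    """True if an '@' attribute has an empty side or more than one '@'."""
    left, _, right = name.partition("@")
    return not left or not right or "@" in right

def suspicious_searches(lines, threshold=2):
    """Return one record per SRCH whose attribute list has >= threshold '@' names."""
    hits = []
    for line in lines:
        m = SRCH_RE.search(line)
        if not m:
            continue  # not a search, or no explicit attribute list
        at_names = [a for a in m.group("attrs").split() if "@" in a]
        if len(at_names) >= threshold:
            hits.append({
                "conn": int(m.group("conn")),
                "op": int(m.group("op")),
                "at_count": len(at_names),
                "malformed": sum(is_malformed(a) for a in at_names),
            })
    return hits

if __name__ == "__main__":
    for hit in suspicious_searches(SAMPLE):
        print(hit)
```

A hit followed by a server restart in the error log is the pattern to correlate; a lone `attr@objectclass` request stays below the threshold.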
Created attachment 817198: 0001-server-crash-with-bogus-GER-attribute-list.patch
Comment on attachment 817198 (0001-server-crash-with-bogus-GER-attribute-list.patch): Patch against master branch. May take some editing to apply to other branches - 1.2.11, 8.2, etc.
Added test to ger npattr.sh - no regressions in GER with patch
Index: npattr.sh =================================================================== --- npattr.sh (revision 8190) +++ npattr.sh (working copy) @@ -5,7 +5,7 @@ NPATTR_BASEDN="o=npattr" tet_startup="ServerInfo" tet_cleanup="" -iclist="ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8 ic9 ic10 ic11 ic12 ic13 ic14 ic15 ic16 ic17 ic18 ic19 ic20 ic21 ic22 ic23 ic24 ic25" +iclist="ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8 ic9 ic10 ic11 ic12 ic13 ic14 ic15 ic16 ic17 ic18 ic19 ic20 ic21 ic22 ic23 ic24 ic25 ic26" ic1="tp1" ic2="tp2" @@ -32,6 +32,7 @@ ic23="tp23" ic24="tp24" ic25="tp25" +ic26="bz1024552" TestSuiteName="ger" export TestSuiteName @@ -467,7 +468,26 @@ restore_default_aci } +bz1024552() { + tchead "$tet_thistest: crash the server with a well crafted list of GER search attrs" + num=128 + ii=1 + attrs="" + while [ $ii -le $num ] ; do + attrs="$attrs ${ii}@${ii} @$ii ${ii}@ ${ii}@${ii}@${ii}" + ii=`expr $ii + 1` + done + if $LDAPSEARCH -h "$LDAPhost" -p $LDAPport -b "$NPATTR_BASEDN" 'objectclass=*' $attrs > /dev/null ; then + result PASS + return 0 + else + message "ldapsearch failed $?" + result FAIL + return 1 + fi +} + ###################################################################### ###################################################################### ######################################################################
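Review bot: in bz1024552 the PASS/FAIL decision rests only on the exit status of the crafted ldapsearch, so a FAIL cannot distinguish a crashed server from a request the server simply rejected, and a PASS does not confirm the server is still answering afterwards. Suggest following the crafted search with a plain search against "$NPATTR_BASEDN" that has no '@' attributes and failing the test if that second search does not succeed. The visible command line also passes no Get Effective Rights control; unless $LDAPSEARCH already carries it, consider adding it so the GER path is exercised. Minor style point: -p $LDAPport is unquoted while "$LDAPhost" is quoted.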
The problem is when an attribute list is given in the search request, and there are several attributes whose names contain the "@" character.
Comment on attachment 817198 (0001-server-crash-with-bogus-GER-attribute-list.patch): reviewed by nhosoi (Thanks!)
Created 389-ds-base tracking bugs for this issue: Affects: fedora-all [bug 1032898] Affects: epel-5 [bug 1032899]
This issue has been addressed in the following products: Red Hat Directory Server 8 for RHEL 5, via RHSA-2013:1753 https://rhn.redhat.com/errata/RHSA-2013-1753.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2013:1752 https://rhn.redhat.com/errata/RHSA-2013-1752.html
389-ds-base-1.3.2.7-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
389-ds-base-1.3.1.16-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
389-ds-base-1.2.11.25-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
389-ds-base-1.3.0.9-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.