[email protected] wrote:
> Full_Name: Denis Andzakovic
> Version: 2.4.42
> OS: Debian 8
> URL:
> Submission from: (NULL) (2402:6000:110:a01:743b:8319:1f96:bd89)
>
>
> OpenLDAP ber_get_next Denial of Service
> Affected Versions: OpenLDAP <= 2.4.42
>
> +-------------+
> | Description |
> +-------------+
> This document details a vulnerability found within the OpenLDAP server daemon. A
> Denial of Service vulnerability was discovered within the slapd daemon, allowing
> an unauthenticated attacker to crash the OpenLDAP server.
>
> By sending a crafted packet, an attacker may cause the OpenLDAP server to reach
> an assert() statement, crashing the daemon. This was tested on OpenLDAP 2.4.42
> (built with GCC 4.9.2) and OpenLDAP 2.4.40 installed from the Debian package
> repository.

Thanks for the report. Fixed now in git master.

> +--------------+
> | Exploitation |
> +--------------+
> By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash
> with a SIGABRT. This is due to an assert() call within the ber_get_next method
> (io.c line 682) that is hit when decoding tampered BER data.
>
> The following proof of concept exploit can be used to trigger the condition:
>
> --[ Exploit POC
> echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389

It's easier to just pipe this into liblber/dtest.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
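
The failure class reported in this thread, an assert() reachable while decoding BER data from the network, as an added example that is not part of the thread and is not OpenLDAP code: a minimal BER tag/length header parser that reports every malformed case through its return value instead of aborting. All names, the `BER_MAX_LEN` limit and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; this is not liblber's API. */
enum { HDR_OK = 0, HDR_NEED_MORE = 1, HDR_MALFORMED = -1 };
#define BER_MAX_LEN (1u << 20)   /* assumed per-PDU size limit */

struct ber_hdr { uint32_t tag; uint32_t len; size_t hdr_size; };

/* Parse one BER identifier and length from untrusted bytes. Every malformed
 * case is reported through the return value; no input can reach an abort. */
static int ber_parse_header(const uint8_t *buf, size_t n, struct ber_hdr *out)
{
    size_t i = 0;
    if (n == 0) return HDR_NEED_MORE;
    uint32_t tag = buf[i++];
    if ((tag & 0x1f) == 0x1f) {                 /* multi-octet tag follows */
        for (;;) {
            if (i >= sizeof tag) return HDR_MALFORMED;  /* wider than we store */
            if (i >= n) return HDR_NEED_MORE;
            uint8_t b = buf[i++];
            tag = (tag << 8) | b;
            if (!(b & 0x80)) break;             /* last tag octet */
        }
    }
    if (i >= n) return HDR_NEED_MORE;
    uint32_t len = buf[i++];
    if (len & 0x80) {                           /* long form: count of length octets */
        size_t cnt = len & 0x7f;
        if (cnt == 0 || cnt > sizeof len) return HDR_MALFORMED; /* indefinite/oversized */
        if (n - i < cnt) return HDR_NEED_MORE;
        for (len = 0; cnt > 0; cnt--) len = (len << 8) | buf[i++];
    }
    if (len > BER_MAX_LEN) return HDR_MALFORMED;
    out->tag = tag; out->len = len; out->hdr_size = i;
    return HDR_OK;
}

int main(void)
{
    /* Constructed inputs: a valid SEQUENCE header and an over-long tag. */
    const uint8_t good[] = { 0x30, 0x0c };
    const uint8_t bad[]  = { 0x1f, 0x81, 0x82, 0x83, 0x84, 0x05, 0x00 };
    struct ber_hdr h;
    printf("good -> %d\n", ber_parse_header(good, sizeof good, &h));
    printf("bad  -> %d\n", ber_parse_header(bad, sizeof bad, &h));
    return 0;
}
```

A caller treats `HDR_MALFORMED` as a reason to close the connection and `HDR_NEED_MORE` as a reason to keep reading, so a single bad packet costs one session rather than the daemon.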
