OpenLDAP KBIND authentication buffer overflow

CVE-2006-6493

Public disclosure: Aug 8, 2002
Vendor patch: OpenLDAP 2.3.31

Systems affected

  • OpenLDAP 2.3.30 and lower
  • OpenLDAP 2.4.0 to 2.4.2

Overview

There is a remotely exploitable buffer overflow in the Kerberos KBIND authentication code in the OpenLDAP slapd server. The vulnerable code is enabled only when OpenLDAP is compiled with the --enable-kbind option, which has been disabled by default since version 2.0.2 and was removed from the configure script in the 2.1 release. The chance of finding a real system that is still vulnerable is minimal.

Technical details

The vulnerability is in the krbv4_ldap_auth function in servers/slapd/kerberos.c. This function processes LDAP bind requests that specify the LDAP_AUTH_KRBV41 authentication method. The cred variable contains a pointer to the Kerberos authentication data sent by the client. The length of the data is not checked before it is copied into a fixed size buffer on the stack. Sending a bind request with more than 1250 bytes of credential data will result in a buffer overflow.

int
krbv4_ldap_auth(
    Backend     *be,
    struct berval   *cred,      /* client-supplied credentials, length in bv_len */
    AUTH_DAT        *ad
)
{
    KTEXT_ST        k;          /* fixed-size Kerberos v4 ticket buffer on the stack */
    KTEXT           ktxt = &k;
    char            instance[INST_SZ];
    int             err;

    Debug( LDAP_DEBUG_TRACE, "=> kerberosv4_ldap_auth\n", 0, 0, 0 );

    /* cred->bv_len is never compared against sizeof(ktxt->dat) before the copy */
    AC_MEMCPY( ktxt->dat, cred->bv_val, cred->bv_len );
    ktxt->length = cred->bv_len;

    ...
}
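The fix is a length check before the copy. The following is an added example, not OpenLDAP's own code: a bounds-checked version of the credential copy, with stand-in definitions of KTEXT_ST and struct berval that are assumed to match the Kerberos v4 and OpenLDAP layouts (MAX_KTXT_LEN of 1250 is the krb.h value), plus a small helper that exercises the 1250-byte boundary.

```c
/* Added example, not OpenLDAP's code: bounds-checked replacement for the
 * unchecked AC_MEMCPY in krbv4_ldap_auth. Type layouts below are stand-ins
 * assumed to match krb.h (KTEXT_ST) and lber.h (struct berval). */
#include <stddef.h>
#include <string.h>

#define MAX_KTXT_LEN 1250          /* Kerberos v4 ticket buffer size (krb.h) */

typedef struct ktext {
    int           length;          /* bytes actually used in dat */
    unsigned char dat[MAX_KTXT_LEN];
    unsigned long mbz;             /* "must be zero", as in krb.h */
} KTEXT_ST, *KTEXT;

struct berval {
    unsigned long bv_len;          /* client-controlled length of bind credentials */
    char         *bv_val;
};

/* Return codes constructed for this example. */
#define CRED_OK           0
#define CRED_TOO_LONG    -1
#define CRED_NULL        -2

/* Copy client credentials into the fixed-size KTEXT only if they fit.
 * The original function copies cred->bv_len bytes unconditionally, so any
 * length above sizeof(ktxt->dat) runs past dat into mbz and the rest of the
 * stack frame; here the oversized request is rejected before the copy. */
int krbv4_copy_cred_checked(const struct berval *cred, KTEXT ktxt)
{
    if (cred == NULL || cred->bv_val == NULL || ktxt == NULL)
        return CRED_NULL;
    if (cred->bv_len > sizeof(ktxt->dat))      /* the missing check */
        return CRED_TOO_LONG;

    memset(ktxt, 0, sizeof(*ktxt));            /* also keeps mbz at zero */
    memcpy(ktxt->dat, cred->bv_val, cred->bv_len);
    ktxt->length = (int)cred->bv_len;
    return CRED_OK;
}

/* Test helper: build a constructed credential of n 'A' bytes and check it. */
int try_cred_of_len(size_t n)
{
    static char buf[4096];         /* constructed input, larger than MAX_KTXT_LEN */
    KTEXT_ST k;
    struct berval cred;
    memset(buf, 'A', sizeof(buf));
    cred.bv_len = (unsigned long)n;
    cred.bv_val = buf;
    return krbv4_copy_cred_checked(&cred, &k);
}
```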

Exploitation

The exploitation of this vulnerability requires a server that was compiled with the --enable-kbind option and allows the use of the LDAPv2 protocol. A valid distinguished name must be specified for the bind request to reach the vulnerable function.

An exploit for this vulnerability is available.

Credit

Discovery: Alexander Sotirov