Solar Eclipse

solareclipse at phreedom dot org

openldap-kbind-p00f

OpenLDAP kbind authentication remote exploit

openldap-kbind-p00f is a remote exploit for a buffer overflow in the Kerberos KBIND authentication code in the OpenLDAP slapd server. The vulnerable code is enabled only when OpenLDAP is compiled with the --enable-kbind option, which has been disabled by default since version 2.0.2 and was removed from the configure script in the 2.1 release. The chance of finding a real system that is still vulnerable is minimal; however, the code is still present in the latest 2.4.3alpha version of OpenLDAP and can be enabled manually. The vulnerability was assigned CVE-2006-6493.

Screenshot

$ ./openldap-kbind-p00f.exe 127.0.0.1 cn=Manager,dc=my-domain,dc=com
: openldap-kbind-p00f.c - OpenLDAP kbind remote exploit

: Only works on servers compiled with
    --enable-kbind    enable LDAPv2+ Kerberos IV bind (deprecated) [no]

: by Solar Eclipse <solareclipse@phreedom.org>

Sending shellcode
Reading bind result
Spawning shell...
uid=439(ldap) gid=439(ldap) groups=439(ldap)
ldap@localhost / $

Vulnerability description

The vulnerability is in the krbv4_ldap_auth function in servers/slapd/kerberos.c. This function processes LDAP bind requests that specify the LDAP_AUTH_KRBV41 authentication method. The cred variable holds a pointer to the Kerberos authentication data sent by the client. The length of that data is not checked before it is copied into a fixed-size buffer on the stack. Sending a bind request with more than 1250 bytes of credential data will therefore overflow the buffer.

krbv4_ldap_auth(
    Backend     *be,
    struct berval   *cred,
    AUTH_DAT        *ad
)
{
    KTEXT_ST        k;
    KTEXT           ktxt = &k;
    char            instance[INST_SZ];
    int             err;

    Debug( LDAP_DEBUG_TRACE, "=> kerberosv4_ldap_auth\n", 0, 0, 0 );

    AC_MEMCPY( ktxt->dat, cred->bv_val, cred->bv_len );
    ktxt->length = cred->bv_len;

This vulnerability was found using grep :-)
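The missing bounds check, shown as an added example written for this page (not OpenLDAP's code and not the author's fix): a stand-alone C model of the KTEXT_ST ticket buffer in which the copy is refused whenever cred->bv_len exceeds the buffer. The struct and field names mirror the snippet above; the 1250-byte buffer size, the KBIND_* return codes and the try_cred_of_length helper are assumptions made here.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the Kerberos IV KTEXT_ST: a fixed-size ticket buffer.
 * 1250 is the overflow threshold stated in the description (assumed to be
 * sizeof(dat)); the real definition lives in the Kerberos IV headers. */
#define MAX_KTXT_LEN 1250
typedef struct ktext_st {
    int           length;
    unsigned char dat[MAX_KTXT_LEN];
} KTEXT_ST, *KTEXT;

/* Minimal berval as used by slapd: length plus pointer to client data. */
struct berval { size_t bv_len; char *bv_val; };

/* Return codes for this example (assumed labels, not OpenLDAP constants). */
enum { KBIND_OK = 0, KBIND_CRED_TOO_LONG = -1 };

/* Hardened replacement for the unchecked AC_MEMCPY in krbv4_ldap_auth:
 * reject any credential that does not fit in ktxt->dat before copying,
 * and leave ktxt->length at 0 so no caller consumes partial data. */
int krbv4_copy_cred(const struct berval *cred, KTEXT ktxt)
{
    ktxt->length = 0;
    if (cred == NULL || cred->bv_val == NULL || cred->bv_len > sizeof ktxt->dat)
        return KBIND_CRED_TOO_LONG;      /* would have overflowed the stack */
    memcpy(ktxt->dat, cred->bv_val, cred->bv_len);
    ktxt->length = (int)cred->bv_len;
    return KBIND_OK;
}

/* Builds a constructed credential of n filler bytes (not a real ticket),
 * runs the hardened copy into a stack KTEXT_ST and returns its result. */
int try_cred_of_length(size_t n)
{
    KTEXT_ST k;
    struct berval cred;
    int rc;

    cred.bv_val = malloc(n ? n : 1);
    if (cred.bv_val == NULL)
        return KBIND_CRED_TOO_LONG;
    memset(cred.bv_val, 'A', n);         /* constructed filler bytes */
    cred.bv_len = n;
    rc = krbv4_copy_cred(&cred, &k);
    free(cred.bv_val);
    return rc;
}
```

With the check in place a 1250-byte credential is copied and anything longer is refused, which is the boundary the description above identifies.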

Exploitation

Exploitation of this vulnerability requires a server that was compiled with the --enable-kbind option and allows the use of the LDAPv2 protocol. A valid distinguished name must be specified for the bind request to reach the vulnerable function.

The vulnerability is a classic stack buffer overflow and its exploitation is trivial.
