ldap vulnerabilities
Date: Mon, 6 May 2002 03:29:42 -0700
From: [email protected]
To: [email protected], [email protected],
Subject: ldap vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --- Blackshell Advisory # 5 ---
Local Format String Vuln in pam_ldap and remote in squid_auth_ldap
- --- Blackshell Advisory # 5 ---
- --- Versions Affected ---
pam_ldap:
143 prior
vendor status: nil
squid_auth_ldap:
2.0 prior
vendor status: nil
- --- What is PAM? ---
PAM stands for pluggable authentication module
it lets you authenticate from one service to another
- --- What is Squid Auth Modules? ---
Squid authentication modules aloow you to connect to
external services through the squid caching server.
adds ldap:// functionability to the squid server
- --- Details ---
- --- in pam_ldap ---
fp = fopen (configFile, "r");
if (fp == NULL)
{
/*
* According to PAM Documentation, such an error in a config file
* SHOULD be logged at LOG_ALERT level
*/
snprintf (errmsg, sizeof (errmsg), "pam_ldap: missing file \"%s\"",
configFile);
syslog (LOG_ALERT, errmsg);
return PAM_SERVICE_ERR;
}
configfile is defined as:
else if (!strncmp (argv[i], "config=", 7))
configFile = argv[i] + 7;
in the main function.
- --- in squid_auth_ldap ---
void logging( int ll, const char* fmt, ... )
{
char buffer[1024];
va_list ap;
va_start( ap, fmt );
vsnprintf( buffer, 1024, fmt, ap );
if( ll == DEBUG && _logLevel >= DEBUG )
{
syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
printf("DEBUG\n");
#endif*/
}
else
if( ll == WARN && _logLevel >= WARN )
{
syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
printf("WARN\n");
#endif*/
}
else
if( ll == INFO && _logLevel >= INFO )
{
syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
printf("INFO\n");
#endif*/
}
else
if( ll == RUN && _logLevel >= RUN )
{
syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
printf("RUN\n");
#endif*/
}
}
vulnerable calls to the function logging() would include:
ldap_utils.c: logging( INFO, "- password check for %s", dn );
ldap_utils.c: logging( DEBUG, "- (%d) %s", i, val[i] );
ldap_utils.c: logging( DEBUG, "- open connection to ldapserver: %s:%d", ldapServer, ldapPort);
ldap_utils.c: logging( WARN, "- cannot login to: %s:%d", ldapServer, ldapPort);
ldap_utils.c: logging( DEBUG, "- search for: %s", searchStr );
ldap_utils.c: logging( DEBUG, "- entry found: %s", grpDN );
ldap_utils.c: logging( DEBUG, "- searchstr: %s", searchStr );
ldap_utils.c: logging( DEBUG, "- start searching for uid: %s", uid );
ldap_utils.c: logging( WARN, "- user \"%s\", not found!\n", uid);
ldap_utils.c: logging( DEBUG, "- DN found: %s", udn );
ldap_utils.c: logging( DEBUG, "- is user %s in %s\n", dn, gdn );
ldap_utils.c: logging( DEBUG, "- user \"%s\" is in Group \"%s\"", dn, gdn );
ldap_utils.c: logging( DEBUG, "- user \"%s\" is NOT in Group \"%s\"", dn, gdn );
main.c: logging( RUN, "%s - %s - starting", PROG, VERS );
main.c: logging( RUN, "- find DN for group %s\n", conf.pxyGroup );
main.c: logging( WARN, "- unable to find group: %s", conf.pxyGroup );
main.c: logging( DEBUG, "- group DN: %s", dnGrp );
main.c: logging( RUN, "%s - %s - ready", PROG, VERS );
main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
main.c: logging( RUN, "%s - %s - stopping", PROG, VERS );
main.c: logging( DEBUG, "- user string: |%s|", buf);
main.c: logging( DEBUG, "- got User: %s", user );
main.c: logging( DEBUG, "- got Password: %s", crypt (pass, "42") );
options.c: logging(DEBUG,"- ldapServer: %s ", conf->ldapServer );
options.c: logging(DEBUG,"- searchBase: %s ", conf->searchBase );
options.c: logging(DEBUG,"- pxyGroup: %s ", conf->pxyGroup );
options.c: logging(DEBUG,"- confFile: %s ", conf->confFile );
- --- hellos ---
contributors to blackshell
Hush provide the worlds most secure, easy to use online applications - which solution is right for you?
HushMail Secure Email http://www.hushmail.com/
HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/
Hush Business - security for your Business http://www.hush.com/
Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/
Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wl8EARECAB8FAjzWXpMYHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut
VJ8An1vCesmFEIEbBJ+O5Yt1cxahmjUAAJ9bBOYREsMHke8IBmutnguhbHU3XA==
=v4NU
-----END PGP SIGNATURE-----
