AOH :: HP Unsorted O :: C07-1287.HTM

OpenLDAP kbind authentication buffer overflow
OpenLDAP kbind authentication buffer overflow
OpenLDAP kbind authentication buffer overflow

There is a remotely exploitable buffer overflow in the Kerberos KBIND
authentication code in the OpenLDAP slapd server.

The vulnerability is in the krbv4_ldap_auth function in
servers/slapd/kerberos.c. This function processes LDAP bind requests that
specify the LDAP_AUTH_KRBV41 authentication method. The cred variable contains
a pointer to the Kerberos authentication data sent by the client. The length of
the data is not checked before it is copied into a fixed size buffer on the
stack. Sending a bind request with more than 1250 bytes of credential data will
result in a buffer overflow. The vulnerable code is given below:

krbv4_ldap_auth(Backend *be, struct berval *cred, AUTH_DAT *ad)
    KTEXT_ST        k;
    KTEXT           ktxt = &k;
    char            instance[INST_SZ];
    int             err;

    Debug( LDAP_DEBUG_TRACE, "=> kerberosv4_ldap_auth\n", 0, 0, 0 );

    AC_MEMCPY( ktxt->dat, cred->bv_val, cred->bv_len );

There should be a length check before the call to memcpy.

The vulnerable code is enabled only when OpenLDAP is compiled with the
--enable-kbind option, which has been disabled by default since version 2.0.2
and was removed from the configure script in the 2.1 release. The chance of
finding a real system that is still vulnerable is minimal, however the code is
still available in the latest 2.4.3 version of OpenLDAP and can be enabled
manually as described in 

For more details and exploit code see 

Solar Eclipse

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to