Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: lnx5454.htm

pam_ldap format string vulnerability



14th Jun 2002
COMMAND

	pam_ldap format string vulnerability

SYSTEMS AFFECTED

	nss_ldap packages prior to nss_ldap-189-1.6.2

PROBLEM

	In Blackshell Advisory # 5 a Local Format String Vulnerability has  been
	found in pam_ldap :
	

	fp = fopen (configFile, "r");
	

	

	  if (fp == NULL) 

	    { 

	      /* 

	       * According to PAM Documentation, such an error in a config file 

	       * SHOULD be logged at LOG_ALERT level 

	       */ 

	      snprintf (errmsg, sizeof (errmsg), "pam_ldap: missing file \"%s\"", 

	                configFile); 

	      syslog (LOG_ALERT, errmsg); 

	      return PAM_SERVICE_ERR; 

	    } 

	

	

	configfile is defined as:
	

	

	      else if (!strncmp (argv[i], "config=", 7)) 

	        configFile = argv[i] + 7; 

	

	

	in the main function.
	

	

	vulnerable calls to the function logging() would include:
	

	

	ldap_utils.c:  logging(  INFO,  "-  password  check  for  %s",   dn   );
	ldap_utils.c: logging( DEBUG, "- (%d) %s", i,  val[i]  );  ldap_utils.c:
	logging( DEBUG, "- open connection to  ldapserver:  %s:%d",  ldapServer,
	ldapPort); ldap_utils.c: logging( WARN,  "-  cannot  login  to:  %s:%d",
	ldapServer, ldapPort); ldap_utils.c:  logging(  DEBUG,  "-  search  for:
	%s", searchStr ); ldap_utils.c: logging( DEBUG,  "-  entry  found:  %s",
	grpDN ); ldap_utils.c: logging( DEBUG, "- searchstr: %s",  searchStr  );
	ldap_utils.c: logging( DEBUG, "- start searching for uid:  %s",  uid  );
	ldap_utils.c: logging(  WARN,  "-  user  \"%s\",  not  found!\n",  uid);
	ldap_utils.c: logging( DEBUG, "- DN found:  %s",  udn  );  ldap_utils.c:
	logging( DEBUG, "- is  user  %s  in  %s\n",  dn,  gdn  );  ldap_utils.c:
	logging( DEBUG,  "-  user  \"%s\"  is  in  Group  \"%s\"",  dn,  gdn  );
	ldap_utils.c: logging( DEBUG, "- user \"%s\" is NOT  in  Group  \"%s\"",
	dn, gdn ); main.c: logging( RUN, "%s - %s -  starting",  PROG,  VERS  );
	main.c: logging( RUN, "- find  DN  for  group  %s\n",  conf.pxyGroup  );
	main.c: logging( WARN, "- unable to find group:  %s",  conf.pxyGroup  );
	main.c: logging( DEBUG, "- group DN:  %s",  dnGrp  );  main.c:  logging(
	RUN, "%s - %s - ready", PROG, VERS ); main.c: logging(  RUN,  "-  unable
	to connect to  LDAP  server:  %s:%d",  conf.ldapServer,  conf.ldapPort);
	main.c:   logging(   DEBUG,   "-   connected   to   ldapServer   %s:%d",
	conf.ldapServer, conf.ldapPort); main.c:  logging(  RUN,  "-  unable  to
	connect  to  LDAP  server:  %s:%d",   conf.ldapServer,   conf.ldapPort);
	main.c:   logging(   DEBUG,   "-   connected   to   ldapServer   %s:%d",
	conf.ldapServer, conf.ldapPort);  main.c:  logging(  RUN,  "%s  -  %s  -
	stopping", PROG, VERS ); main.c: logging( DEBUG, "- user string:  |%s|",
	buf); main.c:  logging(  DEBUG,  "-  got  User:  %s",  user  );  main.c:
	logging( DEBUG, "- got Password: %s", crypt (pass, "42")  );  options.c:
	logging(DEBUG,"-  ldapServer:  %s  ",  conf->ldapServer  );   options.c:
	logging(DEBUG,"-  searchBase:  %s  ",  conf->searchBase  );   options.c:
	logging(DEBUG,"-  pxyGroup:   %s   ",   conf->pxyGroup   );   options.c:
	logging(DEBUG,"- confFile: %s ", conf->confFile );
	

	

	

SOLUTION

	Upgrade your nss_lda


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH