
pam_ldap format string vulnerability



14th Jun 2002 [SBWID-5455]
COMMAND

	pam_ldap format string vulnerability

SYSTEMS AFFECTED

	nss_ldap packages prior to nss_ldap-189-1.6.2

PROBLEM

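	Blackshell Advisory #5 reports a local format string vulnerability in
	pam_ldap. In the excerpt below, errmsg is built from configFile with
	snprintf() and then passed to syslog() as the format string itself
	rather than as an argument to a constant format: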
	

	

	fp = fopen (configFile, \"r\"); 

	

	

	  if (fp == NULL) 

	    { 

	      /* 

	       * According to PAM Documentation, such an error in a config file 

	       * SHOULD be logged at LOG_ALERT level 

	       */ 

	      snprintf (errmsg, sizeof (errmsg), \"pam_ldap: missing file \\\"%s\\\"\", 

	                configFile); 

	      syslog (LOG_ALERT, errmsg); 

	      return PAM_SERVICE_ERR; 

	    } 

	

	

	

	configFile is set from the config= argument:
	

	

	      else if (!strncmp (argv[i], \"config=\", 7)) 

	        configFile = argv[i] + 7; 

	

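	in the main function, so when the named file cannot be opened, the text
	supplied after config= ends up inside the format string given to syslog().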
	

	

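	Calls to the function logging() that would be vulnerable include the
	following. The definition of logging() is not shown in this advisory;
	each call below passes a literal format string, so any flaw would
	presumably lie in how logging() forwards the formatted message to its
	output routine: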
	

	

	ldap_utils.c: logging( INFO, \"- password check for %s\", dn ); 

	ldap_utils.c: logging( DEBUG, \"- (%d) %s\", i, val[i] ); 

	ldap_utils.c: logging( DEBUG, \"- open connection to ldapserver: %s:%d\", ldapServer, ldapPort); 

	ldap_utils.c: logging( WARN, \"- cannot login to: %s:%d\", ldapServer, ldapPort); 

	ldap_utils.c: logging( DEBUG, \"- search for: %s\", searchStr ); 

	ldap_utils.c: logging( DEBUG, \"- entry found: %s\", grpDN ); 

	ldap_utils.c: logging( DEBUG, \"- searchstr: %s\", searchStr ); 

	ldap_utils.c: logging( DEBUG, \"- start searching for uid: %s\", uid ); 

	ldap_utils.c: logging( WARN, \"- user \\\"%s\\\", not found!\\n\", uid); 

	ldap_utils.c: logging( DEBUG, \"- DN found: %s\", udn ); 

	ldap_utils.c: logging( DEBUG, \"- is user %s in %s\\n\", dn, gdn ); 

	ldap_utils.c: logging( DEBUG, \"- user \\\"%s\\\" is in Group \\\"%s\\\"\", dn, gdn ); 

	ldap_utils.c: logging( DEBUG, \"- user \\\"%s\\\" is NOT in Group \\\"%s\\\"\", dn, gdn ); 

	main.c: logging( RUN, \"%s - %s - starting\", PROG, VERS ); 

	main.c: logging( RUN, \"- find DN for group %s\\n\", conf.pxyGroup ); 

	main.c: logging( WARN, \"- unable to find group: %s\", conf.pxyGroup ); 

	main.c: logging( DEBUG, \"- group DN: %s\", dnGrp ); 

	main.c: logging( RUN, \"%s - %s - ready\", PROG, VERS ); 

	main.c: logging( RUN, \"- unable to connect to LDAP server: %s:%d\", conf.ldapServer, conf.ldapPort); 

	main.c: logging( DEBUG, \"- connected to ldapServer %s:%d\", conf.ldapServer, conf.ldapPort); 

	main.c: logging( RUN, \"- unable to connect to LDAP server: %s:%d\", conf.ldapServer, conf.ldapPort); 

	main.c: logging( DEBUG, \"- connected to ldapServer %s:%d\", conf.ldapServer, conf.ldapPort); 

	main.c: logging( RUN, \"%s - %s - stopping\", PROG, VERS ); 

	main.c: logging( DEBUG, \"- user string: |%s|\", buf); 

	main.c: logging( DEBUG, \"- got User: %s\", user ); 

	main.c: logging( DEBUG, \"- got Password: %s\", crypt (pass, \"42\") ); 

	options.c: logging(DEBUG,\"- ldapServer: %s \", conf->ldapServer ); 

	options.c: logging(DEBUG,\"- searchBase: %s \", conf->searchBase ); 

	options.c: logging(DEBUG,\"- pxyGroup: %s \", conf->pxyGroup ); 

	options.c: logging(DEBUG,\"- confFile: %s \", conf->confFile ); 

	

	

SOLUTION

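	Upgrade your nss_ldap package to nss_ldap-189-1.6.2 or later. In source,
	this class of bug is fixed by always passing a constant format string and
	supplying the message as an argument, e.g.
	syslog (LOG_ALERT, "%s", errmsg);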

