------=_Part_2868_7949219.1164737844232 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline
Entirely possible (conflicting libdb versions). However, this crash is 100% reproduceable on my system using the Nessus test specifically for the bug at issue here. Nessus script ID is 20939, entitled "OpenLDAP SASL Bind Denial of Service Vulnerability".
I actually was going to try to reproduce the problem with a perl script but it seemed more time than it was worth since I had a reliable failure case with the NASL script.
I've searched to see if there appears to be a libdb conflict of some sort, and can't find anything, but that may just mean I haven't looked hard enough!
I spent some more time poring of the code last night, and nothing jumped out at me. However, as a further data point, I played with the NASL script some to send different data, and I can ONLY get the server to crash if I send spaces. Specifically, the relevant (and hopefully self-documenting) line of NASL script is as follows:
mkbyte(4) + mkbyte(0x82) + mkword(0x0400) + crap(data:" ", length:1024);
If 'data:" "' is changed to be 'data:"A"', for example, the server does not crash, and the message in the debug output is what I expect (snipped for brevity).
Last line of hex dump follows: 0400: 41 41 41 41 AAAA ber_scanf fmt (}}) ber: ber_dump: buf=0x09ec9330 ptr=0x09ec974f end=0x09ec974f len=0
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <> do_sasl_bind: dn () mech CRAM-MD5 ==> sasl_bind: dn="" mech=<continuing> datalen=1024 SASL [conn=3] Failure: need authentication name send_ldap_result: conn=3 op=1 p=3 send_ldap_result: err=80 matched="" text="SASL(-5): bad protocol / cancel: need authentication name" send_ldap_response: msgid=509 tag=97 err=80 ber_flush: 72 bytes to sd 13
Does this help?
Brian
On 11/27/06, Howard Chu hyc@symas.com wrote:
Kurt D. Zeilenga wrote:
At 08:06 PM 11/27/2006, hyc@symas.com wrote:
Kurt@OpenLDAP.org wrote:
At 07:51 PM 11/27/2006, Kurt D. Zeilenga wrote:
Spoke too soon. You code appears to be sending the same requests as Nessus, at least as described here: http://www.nessus.org/plugins/index.php?view=viewsrc&id=23625
Suspect a mismatch between what you and Brian are testing...
Howard, is the normalized authcDN in your testing correct?
It has a single escaped space.
And that's correct (I was wrong before). A directory string of N spaces normalizes to a single space, which must be escaped in the DN.
So it does seem like you and Brian are simply not running the same code.
The only difference between my current RE23 tree and 2.3.30 is in syncprov.c which is obviously not involved here. I would guess Brian's issue may be libsasl2 related, and no longer something resident in the OpenLDAP code. (E.g., conflicting libdb versions.)
-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/
------=_Part_2868_7949219.1164737844232 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline
Entirely possible (conflicting libdb versions). However, this crash is 100% reproduceable on my system using the Nessus test specifically for the bug at issue here. Nessus script ID is 20939, entitled "OpenLDAP SASL Bind Denial of Service Vulnerability". <br><br>I actually was going to try to reproduce the problem with a perl script but it seemed more time than it was worth since I had a reliable failure case with the NASL script. <br><br>I've searched to see if there appears to be a libdb conflict of some sort, and can't find anything, but that may just mean I haven't looked hard enough! <br><br>I spent some more time poring of the code last night, and nothing jumped out at me. However, as a further data point, I played with the NASL script some to send different data, and I can ONLY get the server to crash if I send spaces. Specifically, the relevant (and hopefully self-documenting) line of NASL script is as follows: <br><br>mkbyte(4) + mkbyte(0x82) + mkword(0x0400) + crap(data:" ", length:1024);<br><br>If 'data:" "' is changed to be 'data:"A"', for example, the server does not crash, and the message in the debug output is what I expect (snipped for brevity). <br><br>Last line of hex dump follows:<br> 0400: 41 41 41 41 AAAA<br>ber_scanf fmt (}}) ber:<br>ber_dump: buf=0x09ec9330 ptr=0x09ec974f end=0x09ec974f len=0<br><br>>>> dnPrettyNormal: <> <br><<< dnPrettyNormal: <>, <><br>do_sasl_bind: dn () mech CRAM-MD5<br>==> sasl_bind: dn="" mech=<continuing> datalen=1024<br>SASL [conn=3] Failure: need authentication name<br>send_ldap_result: conn=3 op=1 p=3 <br>send_ldap_result: err=80 matched="" text="SASL(-5): bad protocol / cancel: need authentication name"<br>send_ldap_response: msgid=509 tag=97 err=80<br>ber_flush: 72 bytes to sd 13<br><br>Does this help? <br><br>Brian<br><br><div><span class="gmail_quote">On 11/27/06, <b class="gmail_sendername">Howard Chu</b> <<a href="mailto:hyc@symas.com">hyc@symas.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Kurt D. Zeilenga wrote:<br>> At 08:06 PM 11/27/2006, <a href="mailto:hyc@symas.com">hyc@symas.com</a> wrote:<br>>> <a href="mailto:Kurt@OpenLDAP.org">Kurt@OpenLDAP.org</a> wrote:<br>>>> At 07:51 PM 11/27/2006, Kurt D. Zeilenga wrote: <br>>>>> Spoke too soon.<br>>>>> You code appears to be sending the same requests as<br>>>>> Nessus, at least as described here:<br>>>>> <a href="http://www.nessus.org/plugins/index.php?view=viewsrc&id=23625"> http://www.nessus.org/plugins/index.php?view=viewsrc&id=23625</a><br>>>>><br>>>>> Suspect a mismatch between what you and Brian are<br>>>>> testing...<br>>>> Howard, is the normalized authcDN in your testing correct? <br>>> It has a single escaped space.<br>><br>> And that's correct (I was wrong before). A directory string of<br>> N spaces normalizes to a single space, which must be escaped in<br>> the DN.<br>><br> > So it does seem like you and Brian are simply not running the<br>> same code.<br><br>The only difference between my current RE23 tree and 2.3.30 is in<br>syncprov.c which is obviously not involved here. I would guess Brian's <br>issue may be libsasl2 related, and no longer something resident in the<br>OpenLDAP code. (E.g., conflicting libdb versions.)<br><br>--<br> -- Howard Chu<br> Chief Architect, Symas Corp. <a href="http://www.symas.com"> http://www.symas.com</a><br> Director, Highland Sun <a href="http://highlandsun.com/hyc">http://highlandsun.com/hyc</a><br> OpenLDAP Core Team <a href="http://www.openldap.org/project/">http://www.openldap.org/project/ </a><br></blockquote></div><br>
------=_Part_2868_7949219.1164737844232--