Entirely possible (conflicting libdb versions). However, this crash is 100%
reproducible on my system using the Nessus test specifically for the bug at
issue here. Nessus script ID is 20939, entitled "OpenLDAP SASL Bind Denial
of Service Vulnerability".
I actually was going to try to reproduce the problem with a perl script but
it seemed more time than it was worth since I had a reliable failure case
with the NASL script.
I've searched to see if there appears to be a libdb conflict of some sort,
and can't find anything, but that may just mean I haven't looked hard
enough!
I spent some more time poring over the code last night, and nothing jumped out
at me. However, as a further data point, I played with the NASL script some
to send different data, and I can ONLY get the server to crash if I send
spaces. Specifically, the relevant (and hopefully self-documenting) line of
NASL script is as follows:
mkbyte(4) + mkbyte(0x82) + mkword(0x0400) + crap(data:" ", length:1024);
If 'data:" "' is changed to be 'data:"A"', for
example, the server does not
crash, and the message in the debug output is what I expect (snipped for
brevity).
Last line of hex dump follows:
0400: 41 41 41 41 AAAA
ber_scanf fmt (}}) ber:
ber_dump: buf=0x09ec9330 ptr=0x09ec974f end=0x09ec974f len=0
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech CRAM-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=1024
SASL [conn=3] Failure: need authentication name
send_ldap_result: conn=3 op=1 p=3
send_ldap_result: err=80 matched="" text="SASL(-5): bad protocol / cancel:
need authentication name"
send_ldap_response: msgid=509 tag=97 err=80
ber_flush: 72 bytes to sd 13
Does this help?
Brian
On 11/27/06, Howard Chu <hyc(a)symas.com> wrote:
Kurt D. Zeilenga wrote:
> At 08:06 PM 11/27/2006, hyc(a)symas.com wrote:
>> Kurt(a)OpenLDAP.org wrote:
>>> At 07:51 PM 11/27/2006, Kurt D. Zeilenga wrote:
>>>> Spoke too soon.
>>>> Your code appears to be sending the same requests as
>>>> Nessus, at least as described here:
>>>> http://www.nessus.org/plugins/index.php?view=viewsrc&id=23625
>>>>
>>>> Suspect a mismatch between what you and Brian are
>>>> testing...
>>> Howard, is the normalized authcDN in your testing correct?
>> It has a single escaped space.
>
> And that's correct (I was wrong before). A directory string of
> N spaces normalizes to a single space, which must be escaped in
> the DN.
>
> So it does seem like you and Brian are simply not running the
> same code.
The only difference between my current RE23 tree and 2.3.30 is in
syncprov.c which is obviously not involved here. I would guess Brian's
issue may be libsasl2 related, and no longer something resident in the
OpenLDAP code. (E.g., conflicting libdb versions.)
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc
OpenLDAP Core Team
http://www.openldap.org/project/
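Added example, not code from this thread or from OpenLDAP: the Python below decodes the OCTET STRING that the quoted NASL line builds (tag 0x04, long-form length 0x82 0x04 0x00, 1024 bytes of payload) and then applies the normalization rule Kurt describes, so the space-filled and "A"-filled cases can be compared side by side. The insignificant-space model and the RFC 4514 escaping are simplified assumptions of mine, not OpenLDAP's dnPrettyNormal.

```python
import re

def ber_octet_string(data: bytes) -> bytes:
    """Parse one BER OCTET STRING TLV (tag 0x04, short- or long-form length)
    and return its content; raises ValueError on malformed input."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("not an OCTET STRING")
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        length, pos = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if len(data) < pos + length:
        raise ValueError("truncated content")
    return data[pos:pos + length]

def nasl_fragment(fill: bytes, length: int = 1024) -> bytes:
    """Constructed equivalent of the NASL line in the mail:
    mkbyte(4) + mkbyte(0x82) + mkword(0x0400) + crap(data:fill, length:1024)."""
    return b"\x04\x82" + length.to_bytes(2, "big") + fill * length

def normalize_directory_string(value: str) -> str:
    """Simplified insignificant-space handling (assumption, modelled on the
    rule quoted in the thread): collapse inner runs of spaces, strip the
    ends, and map a value made only of spaces to exactly one space."""
    if value.strip(" ") == "":
        return " "
    return re.sub(r" +", " ", value).strip(" ")

_SPECIAL = set('"+,;<>\\')

def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4 escaping for one attribute value inside a DN."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in _SPECIAL or edge_space or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def normalized_dn_value(fragment: bytes) -> str:
    """Decode the credential octets and show the escaped, normalized DN form."""
    raw = ber_octet_string(fragment).decode("latin-1")
    return escape_dn_value(normalize_directory_string(raw))
```

With the space fill the 1024-byte credential collapses to the single escaped space Howard reports (`\ `), while the "A" fill survives unchanged; the datalen=1024 in the debug output matches the long-form length either way.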