ldap format string issues when merging search descriptors
CVE-2011-3508: "Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express allows remote attackers to affect confidentiality, integrity, and availability, related to LDAP library."
Described as a format string issue here: https://twitter.com/#!/moritzj/status/126617242057179136
Is also described, in the same place, as remotely exploitable, pre-auth.
Updated by Dan McDonald almost 10 years ago
- Assignee set to Dan McDonald
- % Done changed from 0 to 80
Found one source file with a buggy function (ldap SSD merge) and it turns out to be implemented poorly (assuming sanitized user input) and in FOUR DIFFERENT PLACES.
Fix is now in-hand.
Updated by Rich Lowe over 9 years ago
- Category set to lib - userland libraries
The terminology wrapped around SSD in this case is pretty hairy (at least to me, who knew nothing about it).
You require not only a custom Service Search Descriptor, but for that custom SSD to have a conditional applied to it, that is:
(Yes, this condition is always-true; that was necessary to not brick auth on the system under test, but it suffices).
The impression I have is that the use of such a condition is pretty rare.