
Bug #1668

ldap format string issues when merging search descriptors

Added by Rich Lowe almost 8 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Immediate
Assignee:
Category: lib - userland libraries
Start date: 2011-10-19
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:

Description

CVE-2011-3508: "Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express allows remote attackers to affect confidentiality, integrity, and availability, related to LDAP library."

Described as a format string issue here: https://twitter.com/#!/moritzj/status/126617242057179136

Is also described, in the same place, as remotely exploitable, pre-auth.

History

#1

Updated by Dan McDonald almost 8 years ago

  • Assignee set to Dan McDonald
  • % Done changed from 0 to 80

Found one source file with a buggy function (ldap SSD merge) and it turns out to be implemented poorly (assuming sanitized user input) and in FOUR DIFFERENT PLACES.

Fix is now in-hand.

#2

Updated by Rich Lowe over 7 years ago

  • Category set to lib - userland libraries

The terminology wrapped around SSD in this case is pretty hairy (at least to me, who knew nothing about it).

You require not only a custom Service Search Descriptor, but for that custom SSD to have a conditional applied to it, that is:

NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=richlowe,dc=net?sub?objectClass=account

(Yes, this condition is always-true, that was necessary to not brick auth on the system under test, but it suffices).
The impression I have is that the use of such a condition is pretty rare.
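The comments above describe the bug class (a configured search descriptor's filter text reaching a printf-style call as the format rather than as an argument) and the SSD syntax that triggers the merging path. The following is an added illustration, not the illumos libsldap code: it parses a `service:base?scope?filter` descriptor such as the one quoted in the comment, merges its filter with a hypothetical per-service filter using a fixed `"%s"` format so that `%` sequences in configuration are copied literally, and includes a small audit helper that flags descriptors containing conversion characters. The struct, field sizes and function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative only; not the illumos libsldap implementation.
 * A service search descriptor (SSD) has the form
 *     service:base?scope?filter
 * e.g. "passwd:dc=richlowe,dc=net?sub?objectClass=account" (from the report).
 */
typedef struct {
	char service[32];
	char base[128];
	char scope[8];
	char filter[128];
} ssd_t;

/* Copy n bytes of src into a fixed buffer; fail rather than truncate. */
static int
copy_field(char *dst, size_t dlen, const char *src, size_t n)
{
	if (n >= dlen)
		return (-1);
	memcpy(dst, src, n);
	dst[n] = '\0';
	return (0);
}

/* Split an SSD into its fields. Scope (default "sub") and filter are optional. */
int
ssd_parse(const char *desc, ssd_t *out)
{
	const char *colon = strchr(desc, ':');
	if (colon == NULL || colon == desc)
		return (-1);
	memset(out, 0, sizeof (*out));
	if (copy_field(out->service, sizeof (out->service), desc,
	    (size_t)(colon - desc)) != 0)
		return (-1);

	const char *base = colon + 1;
	const char *q1 = strchr(base, '?');
	size_t blen = q1 != NULL ? (size_t)(q1 - base) : strlen(base);
	if (blen == 0 || copy_field(out->base, sizeof (out->base), base, blen) != 0)
		return (-1);
	if (q1 == NULL) {
		strcpy(out->scope, "sub");
		return (0);
	}

	const char *scope = q1 + 1;
	const char *q2 = strchr(scope, '?');
	size_t slen = q2 != NULL ? (size_t)(q2 - scope) : strlen(scope);
	if (copy_field(out->scope, sizeof (out->scope), scope, slen) != 0)
		return (-1);
	if (q2 == NULL)
		return (0);
	return (copy_field(out->filter, sizeof (out->filter), q2 + 1,
	    strlen(q2 + 1)));
}

/*
 * Merge the descriptor's filter with the service's own filter.
 * The bug class in the report arises from code shaped like
 *     snprintf(buf, len, ssd->filter);   // configured text used AS the format
 * Here the filter is only ever an argument to a fixed "%s" directive, so any
 * '%' sequence in the configured descriptor is emitted literally.
 * Returns the length written, or -1 if the buffer would be truncated.
 */
int
ssd_merge_filter(const ssd_t *ssd, const char *svc_filter, char *buf, size_t len)
{
	int n;

	if (ssd->filter[0] == '\0')
		n = snprintf(buf, len, "(%s)", svc_filter);
	else
		n = snprintf(buf, len, "(&(%s)(%s))", ssd->filter, svc_filter);
	if (n < 0 || (size_t)n >= len)
		return (-1);	/* refuse to send a mangled filter */
	return (n);
}

/* Audit helper: 1 if a configured field carries a '%' (worth reviewing). */
int
ssd_has_conversion(const char *s)
{
	return (strchr(s, '%') != NULL);
}

int
main(void)
{
	ssd_t s;
	char buf[256];
	/* Constructed sample descriptor, taken from the comment above. */
	const char *desc = "passwd:dc=richlowe,dc=net?sub?objectClass=account";

	if (ssd_parse(desc, &s) != 0)
		return (1);
	if (ssd_merge_filter(&s, "objectClass=posixAccount", buf, sizeof (buf)) < 0)
		return (1);
	printf("base=%s scope=%s merged=%s\n", s.base, s.scope, buf);
	return (0);
}
```

The design point is that configuration is data: it may be concatenated into a filter, but it must never become the format string, and a truncated merge is refused rather than sent to the directory server.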

#3

Updated by Rich Lowe over 7 years ago

  • Subject changed from CVE 2011-3508 (ldap format string issues) to ldap format string issues when merging search descriptors

#4

Updated by Rich Lowe over 7 years ago

  • Status changed from New to Resolved
  • % Done changed from 80 to 100
  • Tags deleted (needs-triage)

Resolved in r13575 commit:36d25dce128e
