ldap vulnerabilities

From: blackshellat_private
Date: Mon May 06 2002 - 03:29:42 PDT

Next message: Emerson: "Packetstorm archive warning: 73501867, PHP exploit binary code found to be virus distribution vector for Linux.Jac.8759."

Previous message: SpaceWalker: "Re: Multiple Local Vulnerabilities in some FTP Client.Who can exploitit by remote?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --- Blackshell Advisory # 5 ---

Local Format String Vuln in pam_ldap and remote in squid_auth_ldap

- --- Blackshell Advisory # 5 ---

- --- Versions Affected ---

pam_ldap:

143 prior
vendor status: nil

squid_auth_ldap:

2.0 prior
vendor status: nil

- --- What is PAM? ---

PAM stands for pluggable authentication module
it lets you authenticate from one service to another

- --- What is Squid Auth Modules? ---

Squid authentication modules aloow you to connect to
external services through the squid caching server.
adds ldap:// functionability to the squid server

- --- Details ---

- --- in pam_ldap ---

fp = fopen (configFile, "r");

  if (fp == NULL)
    {
      /*
       * According to PAM Documentation, such an error in a config file
       * SHOULD be logged at LOG_ALERT level
       */
      snprintf (errmsg, sizeof (errmsg), "pam_ldap: missing file \"%s\"",
		configFile);
      syslog (LOG_ALERT, errmsg);
      return PAM_SERVICE_ERR;
    }

configfile is defined as:

      else if (!strncmp (argv[i], "config=", 7))
	configFile = argv[i] + 7;

in the main function.


- --- in squid_auth_ldap ---


void logging( int ll, const char* fmt, ... )
{
  char buffer[1024];
  va_list ap;
  va_start( ap, fmt );

  vsnprintf( buffer, 1024, fmt, ap );

  if( ll == DEBUG && _logLevel >= DEBUG )
	{
	  syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
		printf("DEBUG\n");
#endif*/
	}
	else
	if( ll == WARN && _logLevel >= WARN )
	{
	  syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
	  printf("WARN\n");
#endif*/
	}
	else
	if( ll == INFO && _logLevel >= INFO )
	{
	  syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
	  printf("INFO\n");
#endif*/
	}
	else
	if( ll == RUN && _logLevel >= RUN )
	{
	  syslog( LOG_INFO, buffer );
/*#ifdef DEBUG
 	  printf("RUN\n");
#endif*/
	}
}

vulnerable calls to the function logging() would include:

ldap_utils.c:  logging( INFO, "- password check for %s", dn );
ldap_utils.c:      logging( DEBUG, "- (%d) %s", i, val[i] );
ldap_utils.c:  logging( DEBUG, "- open connection to ldapserver: %s:%d", ldapServer, ldapPort);
ldap_utils.c:    logging( WARN, "- cannot login to: %s:%d", ldapServer, ldapPort);
ldap_utils.c:  logging( DEBUG, "- search for: %s", searchStr );
ldap_utils.c:    logging( DEBUG, "- entry found: %s", grpDN );
ldap_utils.c:  logging( DEBUG, "- searchstr: %s", searchStr );
ldap_utils.c:  logging( DEBUG, "- start searching for uid: %s", uid );
ldap_utils.c:    logging( WARN, "- user \"%s\", not found!\n", uid);
ldap_utils.c:      logging( DEBUG, "- DN found: %s", udn );
ldap_utils.c:  logging( DEBUG, "- is user %s in %s\n", dn, gdn );
ldap_utils.c:    logging( DEBUG, "- user \"%s\" is in Group \"%s\"", dn, gdn );
ldap_utils.c:  logging( DEBUG, "- user \"%s\" is NOT in Group \"%s\"", dn, gdn );
main.c:  logging( RUN, "%s - %s - starting", PROG, VERS );
main.c:    logging( RUN, "- find DN for group %s\n", conf.pxyGroup );
main.c:      logging( WARN, "- unable to find group: %s", conf.pxyGroup );
main.c:    logging( DEBUG, "- group DN: %s", dnGrp );
main.c:  logging( RUN, "%s - %s - ready", PROG, VERS );
main.c:    logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
main.c:  logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
main.c:      logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
main.c:    logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
main.c:  logging( RUN, "%s - %s - stopping", PROG, VERS );
main.c:  logging( DEBUG, "- user string: |%s|", buf);
main.c:  logging( DEBUG, "- got User: %s", user );
main.c:  logging( DEBUG, "- got Password: %s", crypt (pass, "42") );
options.c:                logging(DEBUG,"- ldapServer: %s ", conf->ldapServer );
options.c:                logging(DEBUG,"- searchBase: %s ", conf->searchBase );
options.c:                logging(DEBUG,"- pxyGroup: %s ", conf->pxyGroup );
options.c:                logging(DEBUG,"- confFile: %s ", conf->confFile );


- --- hellos ---

contributors to blackshell

Hush provide the worlds most secure, easy to use online applications - which solution is right for you?
HushMail Secure Email http://www.hushmail.com/
HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/
Hush Business - security for your Business http://www.hush.com/
Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl8EARECAB8FAjzWXpMYHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut
VJ8An1vCesmFEIEbBJ+O5Yt1cxahmjUAAJ9bBOYREsMHke8IBmutnguhbHU3XA==
=v4NU
-----END PGP SIGNATURE-----

Next message: Emerson: "Packetstorm archive warning: 73501867, PHP exploit binary code found to be virus distribution vector for Linux.Jac.8759."
Previous message: SpaceWalker: "Re: Multiple Local Vulnerabilities in some FTP Client.Who can exploitit by remote?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon May 06 2002 - 12:22:06 PDT