From blackshell@hushmail.com Mon May 6 15:50:23 2002 From: blackshell@hushmail.com To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com, vulnwatch@vulnwatch.org Date: Mon, 6 May 2002 03:29:42 -0700 Subject: ldap vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --- Blackshell Advisory # 5 --- Local Format String Vuln in pam_ldap and remote in squid_auth_ldap - --- Blackshell Advisory # 5 --- - --- Versions Affected --- pam_ldap: 143 prior vendor status: nil squid_auth_ldap: 2.0 prior vendor status: nil - --- What is PAM? --- PAM stands for Pluggable Authentication Modules; it lets you authenticate from one service to another - --- What are Squid Auth Modules? --- Squid authentication modules allow you to connect to external services through the squid caching server. squid_auth_ldap adds ldap:// functionality to the squid server - --- Details --- - --- in pam_ldap --- fp = fopen (configFile, "r"); if (fp == NULL) { /* * According to PAM Documentation, such an error in a config file * SHOULD be logged at LOG_ALERT level */ snprintf (errmsg, sizeof (errmsg), "pam_ldap: missing file \"%s\"", configFile); syslog (LOG_ALERT, errmsg); return PAM_SERVICE_ERR; } errmsg, which now contains the configFile string, is passed to syslog() as the format string, so any % conversions inside configFile are interpreted by syslog(). configFile is defined as: else if (!strncmp (argv[i], "config=", 7)) configFile = argv[i] + 7; in the main function. passing the message as an argument instead, syslog (LOG_ALERT, "%s", errmsg);, avoids this. - --- in squid_auth_ldap --- void logging( int ll, const char* fmt, ... 
) { char buffer[1024]; va_list ap; va_start( ap, fmt ); vsnprintf( buffer, 1024, fmt, ap ); if( ll == DEBUG && _logLevel >= DEBUG ) { syslog( LOG_INFO, buffer ); /*#ifdef DEBUG printf("DEBUG\n"); #endif*/ } else if( ll == WARN && _logLevel >= WARN ) { syslog( LOG_INFO, buffer ); /*#ifdef DEBUG printf("WARN\n"); #endif*/ } else if( ll == INFO && _logLevel >= INFO ) { syslog( LOG_INFO, buffer ); /*#ifdef DEBUG printf("INFO\n"); #endif*/ } else if( ll == RUN && _logLevel >= RUN ) { syslog( LOG_INFO, buffer ); /*#ifdef DEBUG printf("RUN\n"); #endif*/ } } every branch hands buffer to syslog() as the format string, so any % conversion copied into buffer from a %s argument is interpreted a second time by syslog(); changing the calls inside logging() to syslog( LOG_INFO, "%s", buffer ) fixes all of the callers at once. vulnerable calls to the function logging() would include: ldap_utils.c: logging( INFO, "- password check for %s", dn ); ldap_utils.c: logging( DEBUG, "- (%d) %s", i, val[i] ); ldap_utils.c: logging( DEBUG, "- open connection to ldapserver: %s:%d", ldapServer, ldapPort); ldap_utils.c: logging( WARN, "- cannot login to: %s:%d", ldapServer, ldapPort); ldap_utils.c: logging( DEBUG, "- search for: %s", searchStr ); ldap_utils.c: logging( DEBUG, "- entry found: %s", grpDN ); ldap_utils.c: logging( DEBUG, "- searchstr: %s", searchStr ); ldap_utils.c: logging( DEBUG, "- start searching for uid: %s", uid ); ldap_utils.c: logging( WARN, "- user \"%s\", not found!\n", uid); ldap_utils.c: logging( DEBUG, "- DN found: %s", udn ); ldap_utils.c: logging( DEBUG, "- is user %s in %s\n", dn, gdn ); ldap_utils.c: logging( DEBUG, "- user \"%s\" is in Group \"%s\"", dn, gdn ); ldap_utils.c: logging( DEBUG, "- user \"%s\" is NOT in Group \"%s\"", dn, gdn ); main.c: logging( RUN, "%s - %s - starting", PROG, VERS ); main.c: logging( RUN, "- find DN for group %s\n", conf.pxyGroup ); main.c: logging( WARN, "- unable to find group: %s", conf.pxyGroup ); main.c: logging( DEBUG, "- group DN: %s", dnGrp ); main.c: logging( RUN, "%s - %s - ready", PROG, VERS ); main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort); main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort); 
main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort); main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort); main.c: logging( RUN, "%s - %s - stopping", PROG, VERS ); main.c: logging( DEBUG, "- user string: |%s|", buf); main.c: logging( DEBUG, "- got User: %s", user ); main.c: logging( DEBUG, "- got Password: %s", crypt (pass, "42") ); options.c: logging(DEBUG,"- ldapServer: %s ", conf->ldapServer ); options.c: logging(DEBUG,"- searchBase: %s ", conf->searchBase ); options.c: logging(DEBUG,"- pxyGroup: %s ", conf->pxyGroup ); options.c: logging(DEBUG,"- confFile: %s ", conf->confFile ); - --- hellos --- contributors to blackshell -----BEGIN PGP SIGNATURE----- Version: Hush 2.1 Note: This signature can be verified at https://www.hushtools.com wl8EARECAB8FAjzWXpMYHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut VJ8An1vCesmFEIEbBJ+O5Yt1cxahmjUAAJ9bBOYREsMHke8IBmutnguhbHU3XA== =v4NU -----END PGP SIGNATURE-----