|
COMMAND
pam_ldap format string vulnerability

SYSTEMS AFFECTED
nss_ldap packages prior to nss_ldap-189-1.6.2

PROBLEM
Blackshell Advisory #5 reports a local format string vulnerability in pam_ldap:

    fp = fopen (configFile, "r");
    if (fp == NULL)
      {
        /*
         * According to PAM Documentation, such an error in a config file
         * SHOULD be logged at LOG_ALERT level
         */
        snprintf (errmsg, sizeof (errmsg), "pam_ldap: missing file \"%s\"", configFile);
        syslog (LOG_ALERT, errmsg);
        return PAM_SERVICE_ERR;
      }

configFile is assigned as follows in the main function:

    else if (!strncmp (argv[i], "config=", 7))
      configFile = argv[i] + 7;

The message built by snprintf() contains configFile, and errmsg is then passed to syslog() as the format string itself, so any conversion specifiers in the config= argument are interpreted by syslog(). Passing the message as data instead, syslog (LOG_ALERT, "%s", errmsg);, keeps the argument from being treated as a format.

Vulnerable calls to the function logging() would include:

    ldap_utils.c: logging( INFO, "- password check for %s", dn );
    ldap_utils.c: logging( DEBUG, "- (%d) %s", i, val[i] );
    ldap_utils.c: logging( DEBUG, "- open connection to ldapserver: %s:%d", ldapServer, ldapPort);
    ldap_utils.c: logging( WARN, "- cannot login to: %s:%d", ldapServer, ldapPort);
    ldap_utils.c: logging( DEBUG, "- search for: %s", searchStr );
    ldap_utils.c: logging( DEBUG, "- entry found: %s", grpDN );
    ldap_utils.c: logging( DEBUG, "- searchstr: %s", searchStr );
    ldap_utils.c: logging( DEBUG, "- start searching for uid: %s", uid );
    ldap_utils.c: logging( WARN, "- user \"%s\", not found!\n", uid);
    ldap_utils.c: logging( DEBUG, "- DN found: %s", udn );
    ldap_utils.c: logging( DEBUG, "- is user %s in %s\n", dn, gdn );
    ldap_utils.c: logging( DEBUG, "- user \"%s\" is in Group \"%s\"", dn, gdn );
    ldap_utils.c: logging( DEBUG, "- user \"%s\" is NOT in Group \"%s\"", dn, gdn );
    main.c: logging( RUN, "%s - %s - starting", PROG, VERS );
    main.c: logging( RUN, "- find DN for group %s\n", conf.pxyGroup );
    main.c: logging( WARN, "- unable to find group: %s", conf.pxyGroup );
    main.c: logging( DEBUG, "- group DN: %s", dnGrp );
    main.c: logging( RUN, "%s - %s - ready", PROG, VERS );
    main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
    main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
    main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
    main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
    main.c: logging( RUN, "%s - %s - stopping", PROG, VERS );
    main.c: logging( DEBUG, "- user string: |%s|", buf);
    main.c: logging( DEBUG, "- got User: %s", user );
    main.c: logging( DEBUG, "- got Password: %s", crypt (pass, "42") );
    options.c: logging(DEBUG,"- ldapServer: %s ", conf->ldapServer );
    options.c: logging(DEBUG,"- searchBase: %s ", conf->searchBase );
    options.c: logging(DEBUG,"- pxyGroup: %s ", conf->pxyGroup );
    options.c: logging(DEBUG,"- confFile: %s ", conf->confFile );

Each call listed above passes a literal format string, so whether it is affected depends on how logging() forwards the formatted message (for example, whether it hands the result to syslog() as the format argument); the body of logging() is not shown here. Separately from the format string issue, the "got Password" line writes a crypt() hash of the password, computed with the fixed salt "42", to the debug log.

SOLUTION
Upgrade your nss_lda