 
From: blackshellhushmail.com
Date: Mon May 06 2002 - 05:29:10 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - --- Blackshell Advisory # 5 ---

    Local Format String Vuln in pam_ldap and remote in squid_auth_ldap

    - --- Blackshell Advisory # 5 ---

    - --- Versions Affected ---

    pam_ldap:

    143 prior
    vendor status: nil

    squid_auth_ldap:

    2.0 prior
    vendor status: nil

    - --- What is PAM? ---

    PAM stands for Pluggable Authentication Modules.
    It lets you authenticate from one service to another.

    - --- What is Squid Auth Modules? ---

    Squid authentication modules allow you to connect to
    external services through the squid caching server.
    This module adds ldap:// functionality to the squid server.

    - --- Details ---

    - --- in pam_ldap ---

    /*
     * Open the configuration file for reading; if that fails, log the
     * missing path at LOG_ALERT and return PAM_SERVICE_ERR.
     * configFile is caller-supplied: elsewhere in this module it is taken
     * from a "config=" argument.
     */
    fp = fopen (configFile, "r");

      if (fp == NULL)
        {
          /*
           * According to PAM Documentation, such an error in a config file
           * SHOULD be logged at LOG_ALERT level
           */
          snprintf (errmsg, sizeof (errmsg), "pam_ldap: missing file \"%s\"",
                    configFile);
          /*
           * NOTE(review): errmsg already contains configFile and is passed
           * here as syslog()'s format argument, so conversion specifiers in
           * the path are interpreted a second time. Pass it as data instead:
           * syslog (LOG_ALERT, "%s", errmsg);
           */
          syslog (LOG_ALERT, errmsg);
          return PAM_SERVICE_ERR;
        }

    configFile is defined as:

          else if (!strncmp (argv[i], "config=", 7))
            configFile = argv[i] + 7;

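    in the main function. errmsg therefore contains the caller-supplied
    configFile, and because it is passed to syslog() as the format argument,
    any conversion specifiers in that path are interpreted by syslog().
    Passing it as data instead, syslog (LOG_ALERT, "%s", errmsg), avoids this.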

    - --- in squid_auth_ldap ---

    /*
     * Format a printf-style message and send it to syslog when the requested
     * level is enabled.
     *
     * ll:  requested level; one of DEBUG, WARN, INFO or RUN. A message is
     *      emitted only when ll matches one of these and _logLevel is at
     *      least that level; any other value logs nothing.
     * fmt: printf-style format string, followed by its arguments.
     *
     * Every branch logs at syslog priority LOG_INFO, whatever ll is.
     *
     * NOTE(review): the already-expanded text in buffer is passed to syslog()
     * as the format argument, so anything the caller's %s arguments put into
     * the message is parsed for conversion specifiers a second time. Each
     * call below should be syslog( LOG_INFO, "%s", buffer ).
     * NOTE(review): va_start() has no matching va_end() in this function.
     */
    void logging( int ll, const char* fmt, ... )
    {
      char buffer[1024];
      va_list ap;
      va_start( ap, fmt );

      /* Expand fmt into buffer; output longer than the buffer is truncated
       * and the return value is not checked. */
      vsnprintf( buffer, 1024, fmt, ap );

      if( ll == DEBUG && _logLevel >= DEBUG )
            {
              /* NOTE(review): buffer is used as the format string here and
               * in the three branches that follow. */
              syslog( LOG_INFO, buffer );
    /*#ifdef DEBUG
                    printf("DEBUG\n");
    #endif*/
            }
            else
            if( ll == WARN && _logLevel >= WARN )
            {
              syslog( LOG_INFO, buffer );
    /*#ifdef DEBUG
              printf("WARN\n");
    #endif*/
            }
            else
            if( ll == INFO && _logLevel >= INFO )
            {
              syslog( LOG_INFO, buffer );
    /*#ifdef DEBUG
              printf("INFO\n");
    #endif*/
            }
            else
            if( ll == RUN && _logLevel >= RUN )
            {
              syslog( LOG_INFO, buffer );
    /*#ifdef DEBUG
               printf("RUN\n");
    #endif*/
            }
    }

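    vulnerable calls to the function logging() would include the following.
    The format strings at these call sites are constants; the problem is that
    the expanded arguments end up in buffer, which logging() then hands to
    syslog() as its format string: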

    ldap_utils.c: logging( INFO, "- password check for %s", dn );
    ldap_utils.c: logging( DEBUG, "- (%d) %s", i, val[i] );
    ldap_utils.c: logging( DEBUG, "- open connection to ldapserver: %s:%d", ldapServer, ldapPort);
    ldap_utils.c: logging( WARN, "- cannot login to: %s:%d", ldapServer, ldapPort);
    ldap_utils.c: logging( DEBUG, "- search for: %s", searchStr );
    ldap_utils.c: logging( DEBUG, "- entry found: %s", grpDN );
    ldap_utils.c: logging( DEBUG, "- searchstr: %s", searchStr );
    ldap_utils.c: logging( DEBUG, "- start searching for uid: %s", uid );
    ldap_utils.c: logging( WARN, "- user \"%s\", not found!\n", uid);
    ldap_utils.c: logging( DEBUG, "- DN found: %s", udn );
    ldap_utils.c: logging( DEBUG, "- is user %s in %s\n", dn, gdn );
    ldap_utils.c: logging( DEBUG, "- user \"%s\" is in Group \"%s\"", dn, gdn );
    ldap_utils.c: logging( DEBUG, "- user \"%s\" is NOT in Group \"%s\"", dn, gdn );
    main.c: logging( RUN, "%s - %s - starting", PROG, VERS );
    main.c: logging( RUN, "- find DN for group %s\n", conf.pxyGroup );
    main.c: logging( WARN, "- unable to find group: %s", conf.pxyGroup );
    main.c: logging( DEBUG, "- group DN: %s", dnGrp );
    main.c: logging( RUN, "%s - %s - ready", PROG, VERS );
    main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
    main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
    main.c: logging( RUN, "- unable to connect to LDAP server: %s:%d", conf.ldapServer, conf.ldapPort);
    main.c: logging( DEBUG, "- connected to ldapServer %s:%d", conf.ldapServer, conf.ldapPort);
    main.c: logging( RUN, "%s - %s - stopping", PROG, VERS );
    main.c: logging( DEBUG, "- user string: |%s|", buf);
    main.c: logging( DEBUG, "- got User: %s", user );
    main.c: logging( DEBUG, "- got Password: %s", crypt (pass, "42") );
    options.c: logging(DEBUG,"- ldapServer: %s ", conf->ldapServer );
    options.c: logging(DEBUG,"- searchBase: %s ", conf->searchBase );
    options.c: logging(DEBUG,"- pxyGroup: %s ", conf->pxyGroup );
    options.c: logging(DEBUG,"- confFile: %s ", conf->confFile );

    - --- hellos ---

    contributors to blackshell


    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com

    wl8EARECAB8FAjzWXnMYHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut
    zqEAn1GVVb5ZLMIvFp5QvUnhdfb5l1l6AJ9/l3vm0oFZ9Ku4zi6i30c3du3R5w==
    =BIvQ
    -----END PGP SIGNATURE-----