Hello! We have faced a slapd crash. It seems an attacker was trying to brute-force one of our services, and uid parsing failures caused the slapd crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 00007fc8d18ec512 sp 00007fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c0000]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
        buildd@lcy01-amd64-019:/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd
Included static backends:
    config
    ldif
$ apt-cache policy slapd
slapd:
  Installed: 2.4.42+dfsg-2ubuntu3.3
  Candidate: 2.4.42+dfsg-2ubuntu3.5
  Version table:
     2.4.42+dfsg-2ubuntu3.5 500
        500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
 *** 2.4.42+dfsg-2ubuntu3.3 100
        100 /var/lib/dpkg/status
     2.4.42+dfsg-2ubuntu3.2 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     2.4.42+dfsg-2ubuntu3 500
        500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
affects ubuntu/openldap
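A log-triage sketch for the pattern in the report above, added here as an example and not part of the original report or of OpenLDAP: it pairs each "text=massaged filter parse error" result with the filter from the matching conn/op SRCH line and flags whether a kernel segfault for slapd follows within a few seconds. The function name, the 5-second window, the fixed year and the sample lines (constructed from the log format shown in the report) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first three lines follow the report's log lines,
# the rest are made up to exercise the benign and no-crash branches.
SAMPLE_LOG = """\
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 00007fc8d18ec512 sp 00007fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c0000]
Jul 26 19:05:02 slapd[1301]: conn=7 op=1 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(uid=alice)"
Jul 26 19:05:02 slapd[1301]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 19:10:00 slapd[1301]: conn=9 op=2 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(uid=example<>)"
Jul 26 19:10:00 slapd[1301]: conn=9 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
HOST = r"(?: \S+)?"  # syslog hostname field, absent in the report's excerpt
OP = r" slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) "
SRCH = re.compile(TS + HOST + OP + r'SRCH base=.* filter="(?P<filter>.*)"$')
FAIL = re.compile(TS + HOST + OP + r"SEARCH RESULT .*text=massaged filter parse error")
SEGV = re.compile(TS + HOST + r" kernel: .*slapd\[\d+\]: segfault at ")

def parse_ts(ts, year=2000):
    # syslog omits the year; any fixed year works for short time differences
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_crashing_filters(log_text, window=timedelta(seconds=5)):
    """Return [(filter, crashed)] for every search that ended in the parse error."""
    filters = {}   # (conn, op) -> filter string taken from the SRCH line
    failures = []  # (timestamp, filter) for each parse-error result
    crashes = []   # timestamps of slapd segfaults reported by the kernel
    for line in log_text.splitlines():
        if m := SRCH.match(line):
            filters[(m["conn"], m["op"])] = m["filter"]
        elif m := FAIL.match(line):
            key = (m["conn"], m["op"])
            failures.append((parse_ts(m["ts"]), filters.get(key, "<unknown>")))
        elif m := SEGV.match(line):
            crashes.append(parse_ts(m["ts"]))
    return [(f, any(timedelta(0) <= c - t <= window for c in crashes))
            for t, f in failures]

if __name__ == "__main__":
    for flt, crashed in find_crashing_filters(SAMPLE_LOG):
        print("CRASH" if crashed else "error", flt)
```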