** Description changed:
+ Impact
+ ------
+
+ Users willing to use the slapd rwm overlay will face a slapd segmentation fault
+ when trying to rewrite some rules. Backporting this fix will allow users of
+ stable releases to take advantage of this feature without crashing slapd.
+ Upstream fixed this issue by no longer freeing the rwm overlay filter memory
+ without checking it first.
+
+ Test Case
+ ---------
+
+ In this test case, the rwm overlay will be used and a rule will be created to
+ deny any search request for uid=root, then 'ldapsearch' will be invoked to
+ trigger the failure. Note that the 'ldapsearch' command should fail regardless
+ of the presence of the bug in the package; the target here is the slapd crash.
+ To reproduce this bug one can follow the procedure below in Ubuntu xenial,
+ bionic or disco:
+
+ $ sudo apt-get update
+ $ sudo apt-get install slapd ldap-utils -y
+
+ Reconfigure the slapd package. When asked about a domain, use "example.com".
+ Choose a password you want (or just leave it blank), and accept defaults for
+ everything else:
+
+ $ sudo dpkg-reconfigure slapd
+
+ Create a file called 'add-rwm.ldif' with the following content:
+
+ $ cat add-rwm.ldif
+ dn: cn=module{0},cn=config
+ changetype: modify
+ add: olcModuleLoad
+ olcModuleLoad: rwm
+
+ dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
+ changetype: add
+ objectClass: olcOverlayConfig
+ objectClass: olcRwmConfig
+ olcOverlay: rwm
+ olcRwmRewrite: {0} rwm-rewriteEngine "on"
+ olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
+ olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"
+
+
+ With this file in place, run:
+
+ $ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif
+
+ Now, to trigger the crash:
+
+ $ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
+ Server is unwilling to perform (53)
+ Additional information: searchFilter/searchFilterAttrDN massage error
+
+
+ The slapd process will die, and /var/crash will have a crash file for slapd.
+ You can run the following command to confirm the error:
+
+ $ cat /var/log/syslog | grep filter_free
+ Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530
+
+
+ Regression Potential
+ --------------------
+
+ Since the fix is a patch provided by upstream (reviewed by maintainers and us),
+ simple mistakes like typos are not expected. The patch impacts only the rwm
+ module, which is not loaded by default, so any regression would affect only the
+ users that make use of this overlay. If a user is not using the rwm overlay and
+ is facing any issue, it should be related to other problems with LDAP
+ directory services.
+
+
+
+ [Original message]
+
Hello!
We have faced a slapd crash; it seems an attacker was trying to brute force one
of our services and uid parsing failures caused slapd to crash:
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 00007fc8d18ec512 sp 00007fc8889e2810 error 4 in libc-2.23.so[7fc8d1868000+1c0000]
Another faulty filter example:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04
$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
buildd@lcy01-amd64-019:/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd
Included static backends:
- config
- ldif
+ config
+ ldif
$ apt-cache policy slapd
slapd:
- Installed: 2.4.42+dfsg-2ubuntu3.3
- Candidate: 2.4.42+dfsg-2ubuntu3.5
- Version table:
- 2.4.42+dfsg-2ubuntu3.5 500
- 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64
+ Installed: 2.4.42+dfsg-2ubuntu3.3
+ Candidate: 2.4.42+dfsg-2ubuntu3.5
+ Version table:
+ 2.4.42+dfsg-2ubuntu3.5 500
+ 500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64
Packages
- *** 2.4.42+dfsg-2ubuntu3.3 100
- 100 /var/lib/dpkg/status
- 2.4.42+dfsg-2ubuntu3.2 500
- 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64
+ *** 2.4.42+dfsg-2ubuntu3.3 100
+ 100 /var/lib/dpkg/status
+ 2.4.42+dfsg-2ubuntu3.2 500
+ 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64
Packages
- 2.4.42+dfsg-2ubuntu3 500
- 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+ 2.4.42+dfsg-2ubuntu3 500
+ 500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
- affects ubuntu/openldap
+ affects ubuntu/openldap
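A triage helper for the two log signatures this report turns on, added here as an example (it is not part of the bug report or of OpenLDAP). It separates the expected rewrite failure, `text=massaged filter parse error` (the result the test case says ldapsearch produces with or without the bug), from the evidence that slapd itself went down: the `filter_free: unknown filter type=...` message and the kernel segfault line. The regular expressions and the sample log are constructed to mirror the line shapes quoted above and are assumptions about the syslog layout; adjust them to your own hosts.

```python
"""Flag the slapd rwm crash signature in syslog lines.

Added example, not code from the bug report or from OpenLDAP. The regexes
and the sample log are constructed to match the line shapes quoted in the
report; adjust them to your own syslog layout.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A SRCH line carries the client filter; it is kept keyed by (conn, op) so a
# later SEARCH RESULT on the same operation can be tied back to its input.
SRCH_RE = re.compile(
    r'slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?'
    r'filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) op=(?P<op>\d+) SEARCH RESULT '
    r'.*?text=(?P<text>.*)$')
# Logged when filter_free() is handed memory that is not a filter: the "type"
# is garbage, which is the symptom the report's grep check looks for.
FILTER_FREE_RE = re.compile(
    r'slapd\[(?P<pid>\d+)\]: filter_free: unknown filter type=(?P<type>\d+)')
SEGFAULT_RE = re.compile(r'kernel: .*slapd\[(?P<pid>\d+)\]: segfault at')


@dataclass
class Finding:
    kind: str              # massage_error | filter_free_unknown_type | segfault
    line_no: int
    conn: Optional[str] = None
    op: Optional[str] = None
    filter_text: Optional[str] = None
    detail: str = ""


def triage(lines) -> List[Finding]:
    """Walk syslog lines in order and collect the relevant findings."""
    pending = {}  # (conn, op) -> filter text seen on the SRCH line
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = SRCH_RE.search(line)
        if m:
            pending[(m['conn'], m['op'])] = m['filter']
            continue
        m = RESULT_RE.search(line)
        if m and 'massaged filter parse error' in m['text']:
            key = (m['conn'], m['op'])
            findings.append(Finding('massage_error', n, key[0], key[1],
                                    pending.get(key), m['text'].strip()))
            continue
        m = FILTER_FREE_RE.search(line)
        if m:
            findings.append(Finding('filter_free_unknown_type', n,
                                    detail=f"type={m['type']}"))
            continue
        m = SEGFAULT_RE.search(line)
        if m:
            findings.append(Finding('segfault', n, detail=f"pid={m['pid']}"))
    return findings


def crash_suspected(findings) -> bool:
    """A massage error alone is the expected rewrite failure; only the
    filter_free message or a segfault shows that the process is dying."""
    return any(f.kind in ('filter_free_unknown_type', 'segfault') for f in findings)


def offending_filters(findings) -> List[str]:
    """Client filters that failed the rewrite, for review of what was sent."""
    return [f.filter_text for f in findings
            if f.kind == 'massage_error' and f.filter_text]


# Constructed sample, modelled on the lines quoted in the report.
SAMPLE_LOG = """\
Jul 26 18:59:47 host slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount))"
Jul 26 18:59:47 host slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid
Jul 26 18:59:47 host slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 host kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 00007fc8d18ec512 sp 00007fc8889e2810 error 4 in libc-2.23.so
Aug  9 19:51:05 host slapd[1479]: filter_free: unknown filter type=28530
Jul 26 19:00:01 host slapd[1252]: conn=1467 op=1 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(uid=alice)"
Jul 26 19:00:01 host slapd[1252]: conn=1467 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

if __name__ == '__main__':
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print("crash suspected:", crash_suspected(found))
    print("offending filters:", offending_filters(found))
```

Run it over the lines of /var/log/syslog from a host that loads the rwm overlay: a `massage_error` finding by itself means the rewrite rule rejected the search, as the test case expects; `crash_suspected` turning True is the signal that the host still runs a build without the fix, and `offending_filters` shows which client filters reached the rewrite engine before the process died.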
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1838370
Title:
slapd segfault on filter parse error
Status in openldap:
Fix Released
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Xenial:
Confirmed
Status in openldap source package in Bionic:
Confirmed
Status in openldap source package in Disco:
Confirmed
To manage notifications about this bug go to:
https://bugs.launchpad.net/openldap/+bug/1838370/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp