auth_ldap Format String Bug Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1015456
|
|
SecurityTracker URL: http://securitytracker.com/id?1015456
|
|
CVE Reference: CVE-2006-0150
(Links to External Site)
|
Updated: Jan 10 2006
|
Original Entry Date: Jan 10 2006
|
Impact: Execution of arbitrary code via network, User access via network
|
Version(s): 1.2.x through 1.6.0
|
Description: A vulnerability was reported in auth_ldap for Apache. A remote user can execute arbitrary code on the target system.
The auth_ldap_log_reason() function contains a format string flaw. A remote user can supply a specially crafted username during
authentication to execute arbitrary code on the target system.
The vendor was notified on December 22, 2005.
Seregorn discovered
this vulnerability.
The original advisory is available at:
http://www.digitalarmaments.com/2006090173928420.html
|
Impact: A remote user can execute arbitrary code on the target system.
|
Solution: No solution was available at the time of this entry. The vendor is working on a fix.
|
Vendor URL: www.rudedog.org/auth_ldap/ (Links to External Site)
|
Cause: Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: info@digitalarmaments.com
|
Message History:
None.
|
Source Message Contents
|
Date: 9 Jan 2006 18:36:32 -0000
From: info@digitalarmaments.com
Subject: Digital Armaments Security Advisory 01.09.2006: Apache auth_ldap
|
Digital Armaments advisory is 12.22.2005
http://www.digitalarmaments.com/2006090173928420.html
I. Background
auth_ldap is an LDAP authentication module for Apache, the world's most popular web server. auth_ldap
has excellent performance, and
supports Apache on both Unix and Windows NT. It also has support for LDAP over SSL, and a mode that
lets Microsoft Frontpage clients
manage their web permissions while still using LDAP for authentication.
For many information or detail about the software you can refer to the vendor's homepage:
http://www.rudedog.org/auth_ldap/
II. Problem Description
Due to an insecure usage of the function apache logging function (ap_log_rerror) in auth_ldap_log_rea
son function it's possible to
run abitrary code on the server running the module. For example this can generate a custom format st
ring that can be supplied by
the attacker throught the username given during the apache authentication process but several parts
of the module are affected.
III. Detection
This problem has been detected on latest version of auth_ldap 1.6.0 and on prior version from 1.2.x.
It persist on all platforms where
auth_ldap can be compiled.
IV. Impact analisys
Successful exploitation allow an attacker to gain access to the system. Exploit code is required.
V. Solution
First notification 12.22.2005.
Second notification 01.09.2006.
The vendor answered second notification.
A new patched version will be available.
VI. Credit
Seregorn - seregon@bughunter.net is credited with this discovery.
Get paid and get stocks by vulnerabiliy submission
http://www.digitalarmaments.com/contribute.html
VII. Legal Notices
Copyright © 2005 Digital Armaments LLC.
Redistribution of this alert electronically is allowed. It should not be edited in any way. Reprint t
he whole is allowed, partial
reprint is not permitted. For any other request please email customerservice@digitalarmaments.com fo
r permission. Disclaimer: The
information in the advisory is believed to be accurate at the time of publishing based on currently
available information. Use of
the information constitutes acceptance for use in an AS IS condition. There are no warranties with r
egard to this information. Neither
the author nor the publisher accepts any liability for any direct, indirect, or consequential loss o
r damage arising from use of,
or reliance on, this information.
|
|
