SecurityTracker.com
Category:   Application (Directory)  >   OpenLDAP
Vendors:   OpenLDAP.org
OpenLDAP Stand-alone LDAP Server (slapd) Bug Lets Valid Remote Users Delete Attributes Without Authorization
SecurityTracker Alert ID:  1003260
SecurityTracker URL:  http://securitytracker.com/id/1003260
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 16 2002
Impact:   Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.0.20; possibly prior versions
Description:   A vulnerability was reported in OpenLDAP's standalone LDAP server. A remote user can delete attributes without authorization.

It is reported that the stand-alone LDAP server (slapd) version 2.0.x allows entities with access to the LDAP service to make an unauthorized replacement of the values of arbitrary attributes with an empty set of values, deleting the attribute completely.

A demonstration exploit transcript is provided in the Source Message.

Impact:   A remote user with access to the LDAP server can delete arbitrary attributes without authorization.
Solution:   The vendor has released a fixed version (2.0.21), available at:

http://www.openldap.org/software/download/

Vendor URL:  www.openldap.org/
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) Re: OpenLDAP Stand-alone LDAP Server (slapd) Bug Lets Valid Remote Users Delete Attributes Without Authorization   (bugzilla@redhat.com)
The vendor has released a fix.
(HP Issues Fix Notice for HP Secure OS for Linux) OpenLDAP Stand-alone LDAP Server (slapd) Bug Lets Valid Remote Users Delete Attributes Without Authorization   (support_feedback@us-support.external.hp.com (IT Resource Center ))
The vendor has released a fix notice for HP Secure OS for Linux.
(Conectiva Issues Fix) OpenLDAP Stand-alone LDAP Server (slapd) Bug Lets Valid Remote Users Delete Attributes Without Authorization   (secure@conectiva.com.br)
The vendor has released a fix.
(Caldera Issues Fix) OpenLDAP Stand-alone LDAP Server (slapd) Bug Lets Valid Remote Users Delete Attributes Without Authorization   (Support Info <supinfo@caldera.com>)
The vendor has released a fix.
(Mandrake Issues Fix) OpenLDAP Stand-alone LDAP Server (slapd) Bug Lets Valid Remote Users Delete Attributes Without Authorization   (Mandrake Linux Security Team <security@linux-mandrake.com>)
The vendor has released a fix.



 Source Message Contents

Date:  Wed, 16 Jan 2002 02:12:44 -0500
Subject:  OpenLDAP unauthorized modification bug


  OpenLDAP 2.0.21 (LDAPv3)
  by OpenLDAP Project (http://freshmeat.net/users/openldap/)
  Tuesday, January 15th 2002 16:50

Database Internet Software Development :: Libraries

About: The OpenLDAP Project is a collaborative effort to provide a
robust, commercial-grade, fully featured, open source LDAP software suite. The
project is managed by a worldwide community of volunteers that use the
Internet to communicate, plan, and develop OpenLDAP Software and its
related documentation. OpenLDAP Software provides a complete LDAP
implementation including server, clients, C SDK, and associated tools.

Changes: A fix for a minor security issue and a number of non-security
related bugfixes. Users of previous OpenLDAP 2.0 versions, especially
versions prior to 2.0.20 (which included a major security fix), should
upgrade as soon as possible.

License: OSI Approved

URL: http://freshmeat.net/projects/openldap/


------------------------------------------------
From the changelog:

OpenLDAP 2.0.21 Release
              Fix slapd empty string indexing/filtering handling (ITS#1507)
              Changed slapd ACL selfwrite replace logic (ITS#1530)
              Build environment
                      Updated IPv6 configuration argument handling
                      Fix back-shell tools make depend bug (ITS#1518)
                      Removed extraneous files

------------------------------------------------
From the issue tracking system:

slapd 2.0.x allows unauthorized entities to replace the values
of arbitrary attributes by an empty set of values, thus deleting
the attribute completely.
(This is true if schema checking does not force the
existence of the attribute.)

To demonstrate the problem for an environment where anonymous
bind is not disabled, prepare a file 'rm-attr.ldif' with e.g.
the following contents:

   dn: uid=some-mail-user,ou=people,dc=foo,dc=bar
   replace: mail

Running

   ldapmodify -x -f rm-attr.ldif

(assuming that URI and BASE are set in ldap.conf)

will delete all mail addresses of 'some-mail-user'.

This works even if you lock down access to  

   access to * by * none

To reproduce the bug for authenticated bind, e.g. if you have
disabled acceptance of anonymous bind requests, you need at least

   access to attr=userPassword by anonymous auth

and run ldapmodify binding as any user.


This misbehaviour is due to the implementation of ACLs in
servers/slapd/acl.c, where REPLACE requests are handled the same
way as ADD requests. REPLACE requests, however, delete all values 
of the attribute in a first step, and replace by 'nothing' in 
LDAP v3 means deleting the attribute itself. 
Hence, an entity requesting REPLACE should need permission for
the current values to be deleted, and, like ADD requests, 
permission to add its set of new values to the attribute.

[...]
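The following is a small model of the ACL decision the report describes, added here as an illustration; it is not OpenLDAP's acl.c and does not reproduce that code. The entry, requester DN, the two toy ACL functions and all function names are constructed for the example. It shows why a REPLACE with an empty value set passes the "check it like an ADD" logic even under "access to * by * none", and how treating REPLACE as delete-then-add closes that gap.

```python
ADD, DELETE, REPLACE = "add", "delete", "replace"

# Constructed sample entry and requester DN (not taken from the advisory).
ENTRY = {"mail": ["alice@example.com", "alice.alias@example.com"]}
REQUESTER = "uid=mallory,ou=people,dc=example,dc=com"

# Two toy ACLs. Each answers: may `requester` write this one value of `attr`?
def deny_all(requester, attr, value):
    return False                        # models "access to * by * none"

def selfwrite(requester, attr, value):
    return value == requester           # models selfwrite: only one's own DN

def _all_allowed(acl, requester, attr, values):
    return all(acl(requester, attr, v) for v in values)

def check_modlist_vulnerable(acl, requester, entry, modlist):
    """Pre-2.0.21 style: REPLACE is checked exactly like ADD, so only the
    values being supplied are looked at. A REPLACE with no values therefore
    passes without a single ACL lookup, even under deny_all."""
    for op, attr, values in modlist:
        if op in (ADD, REPLACE):
            if not _all_allowed(acl, requester, attr, values):
                return False
        elif op == DELETE:
            # DELETE with no values means "delete every current value"
            targets = values or entry.get(attr, [])
            if not _all_allowed(acl, requester, attr, targets):
                return False
    return True

def check_modlist_fixed(acl, requester, entry, modlist):
    """Logic the report asks for: REPLACE deletes every current value and
    then adds the new ones, so the requester needs write access to both."""
    for op, attr, values in modlist:
        if op == REPLACE:
            # [None] = attribute-level check when there is nothing else to test
            targets = entry.get(attr, []) + values or [None]
        elif op == ADD:
            targets = values
        else:  # DELETE
            targets = values or entry.get(attr, [])
        if not _all_allowed(acl, requester, attr, targets):
            return False
    return True

# The advisory's rm-attr.ldif expressed as a modlist: replace "mail" with nothing.
RM_ATTR = [(REPLACE, "mail", [])]
```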


 
 


Copyright 2014, SecurityGlobal.net LLC