auth_ldap Format String Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1015456|
SecurityTracker URL: http://securitytracker.com/id/1015456
(Links to External Site)
Updated: Jan 10 2006|
Original Entry Date: Jan 10 2006
Execution of arbitrary code via network, User access via network|
Version(s): 1.2.x through 1.6.0|
A vulnerability was reported in auth_ldap for Apache. A remote user can execute arbitrary code on the target system.|
The auth_ldap_log_reason() function contains a format string flaw. A remote user can supply a specially crafted username during authentication to execute arbitrary code on the target system.
The vendor was notified on December 22, 2005.
Seregorn discovered this vulnerability.
The original advisory is available at:
A remote user can execute arbitrary code on the target system.|
No solution was available at the time of this entry. The vendor is working on a fix.|
Vendor URL: www.rudedog.org/auth_ldap/ (Links to External Site)
Input validation error, State error|
|Underlying OS: Linux (Any), UNIX (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: Digital Armaments Security Advisory 01.09.2006: Apache auth_ldap|
Digital Armaments advisory is 12.22.2005
auth_ldap is an LDAP authentication module for Apache, the world's most popular web server. auth_ldap has excellent performance, and
supports Apache on both Unix and Windows NT. It also has support for LDAP over SSL, and a mode that lets Microsoft Frontpage clients
manage their web permissions while still using LDAP for authentication.
For many information or detail about the software you can refer to the vendor's homepage:
II. Problem Description
Due to an insecure usage of the function apache logging function (ap_log_rerror) in auth_ldap_log_reason function it's possible to
run abitrary code on the server running the module. For example this can generate a custom format string that can be supplied by
the attacker throught the username given during the apache authentication process but several parts of the module are affected.
This problem has been detected on latest version of auth_ldap 1.6.0 and on prior version from 1.2.x. It persist on all platforms where
auth_ldap can be compiled.
IV. Impact analisys
Successful exploitation allow an attacker to gain access to the system. Exploit code is required.
First notification 12.22.2005.
Second notification 01.09.2006.
The vendor answered second notification.
A new patched version will be available.
Seregorn - email@example.com is credited with this discovery.
Get paid and get stocks by vulnerabiliy submission
VII. Legal Notices
Redistribution of this alert electronically is allowed. It should not be edited in any way. Reprint the whole is allowed, partial
reprint is not permitted. For any other request please email firstname.lastname@example.org for permission. Disclaimer: The
information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither
the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of,
or reliance on, this information.