Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   auth_ldap Vendors:   Carrigan, Dave
auth_ldap Format String Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015456
SecurityTracker URL:
CVE Reference:   CVE-2006-0150   (Links to External Site)
Updated:  Jan 10 2006
Original Entry Date:  Jan 10 2006
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 1.2.x through 1.6.0
Description:   A vulnerability was reported in auth_ldap for Apache. A remote user can execute arbitrary code on the target system.

The auth_ldap_log_reason() function contains a format string flaw. A remote user can supply a specially crafted username during authentication to execute arbitrary code on the target system.

The vendor was notified on December 22, 2005.

Seregorn discovered this vulnerability.

The original advisory is available at:

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry. The vendor is working on a fix.
Vendor URL: (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 11 2006 (Red Hat Issues Fix) auth_ldap Format String Bug Lets Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.

 Source Message Contents

Subject:  Digital Armaments Security Advisory 01.09.2006: Apache auth_ldap

Digital Armaments advisory is 12.22.2005

I. Background

auth_ldap is an LDAP authentication module for Apache, the world's most popular web server. auth_ldap has excellent performance, and
 supports Apache on both Unix and Windows NT. It also has support for LDAP over SSL, and a mode that lets Microsoft Frontpage clients
 manage their web permissions while still using LDAP for authentication. 
For many information or detail about the software you can refer to the vendor's homepage:

II. Problem Description

Due to an insecure usage of the function apache logging function (ap_log_rerror) in auth_ldap_log_reason function it's possible to
 run abitrary code on the server running the module. For example this can generate a custom format string that can be supplied by
 the attacker throught the username given during the apache authentication process but several parts of the module are affected. 

III. Detection

This problem has been detected on latest version of auth_ldap 1.6.0 and on prior version from 1.2.x. It persist on all platforms where
 auth_ldap can be compiled.

IV. Impact analisys

Successful exploitation allow an attacker to gain access to the system. Exploit code is required.

V. Solution

First notification 12.22.2005.
Second notification 01.09.2006.
The vendor answered second notification.
A new patched version will be available.

VI. Credit

Seregorn - is credited with this discovery.

Get paid and get stocks by vulnerabiliy submission 

VII. Legal Notices

Redistribution of this alert electronically is allowed. It should not be edited in any way. Reprint the whole is allowed, partial
 reprint is not permitted. For any other request please email for permission. Disclaimer: The
 information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of
 the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither
 the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of,
 or reliance on, this information.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC