Package: nslcd
Version: 0.8.10-4
Severity: normal

Dear Maintainer,

Irregularly, I find very strange, non-normal and possibly security-problem-indicating messages in my syslog, e.g.:

slcd[3338]: [16ec34] <passwd="pam_unix(sshd:auth"> request denied by validnames option
nslcd[3338]: [a6d780] <passwd="logname="> request denied by validnames option
nslcd[3338]: [23c1fd] <passwd="uid=0"> request denied by validnames option
nslcd[3338]: [b6ce55] <passwd="euid=0"> request denied by validnames option
nslcd[3338]: [518b0f] <passwd="tty=ssh"> request denied by validnames option
nslcd[3338]: [54c795] <passwd="ruser="> request denied by validnames option
nslcd[3338]: [187e03] <passwd="rhost=mobile-164-131-173-245.my> request denied by validnames option
nslcd[3338]: [880589] <passwd=""> request denied by validnames option
nslcd[3338]: [85b3f6] <passwd="user=peter"> request denied by validnames option
nslcd[3338]: [2f27fb] <passwd="pam_unix(sshd:session"> request denied by validnames option
nslcd[3338]: [f70f47] <passwd="pam_unix(sshd:session"> request denied by validnames option
nslcd[3338]: [9a73bd] <passwd="pam_unix(cron:session"> request denied by validnames option
nslcd[3338]: [3275b4] <passwd="uid=0"> request denied by validnames option
nslcd[3338]: [ce22dc] <passwd="pam_unix(cron:session"> request denied by validnames option
nslcd[3338]: [972ed8] <passwd="uid=0"> request denied by validnames option
nslcd[3338]: [b91075] <passwd="pam_unix(sshd:session"> request denied by validnames option
nslcd[3338]: [f4fb45] <passwd="pam_unix(cron:session"> request denied by validnames option
nslcd[3338]: [b0c3e5] <passwd="uid=0"> request denied by validnames option
nslcd[26547]: [180b0b] <passwd="peter"> ldap_search_ext() failed: Can't contact LDAP server: Broken pipe
nslcd[26547]: [180b0b] <passwd="peter"> no available LDAP server found, sleeping 1 seconds
nslcd[26547]: [3dd3e8] <passwd="mark"> ldap_result() failed: Can't contact LDAP server
nslcd[26547]: [3dd3e8] <passwd="mark"> ldap_abandon() failed to abandon search: Can't contact LDAP server: Transport endpoint is not connected
nslcd[26547]: [c91298] <service="smtp"/tcp> ldap_result() failed: Can't contact LDAP server
nslcd[26547]: [584bcb] <group/member="mark"> ldap_search_ext() failed: Can't contact LDAP server: Broken pipe
nslcd[26547]: [584bcb] <group/member="mark"> no available LDAP server found, sleeping 1 seconds

or:

Apr 24 05:42:55 server nslcd[26547]: [d3947c] <passwd="91.23.101.171#011peter#011access> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [106a57] <passwd="("> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [5ee5d3] <passwd=""> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [f4bdad] <passwd="["> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [1f9786] <passwd="-x"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [71ac80] <passwd="]"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [58bd17] <passwd="&&"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [0bb885] <passwd="-d"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [a52566] <passwd="-depth"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [677b7c] <passwd="-mindepth"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [91467c] <passwd="-maxdepth"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [344c22] <passwd="-type"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [1745e4] <passwd="f"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [aadfda] <passwd="-ignore_readdir_race"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [179c0b] <passwd="-cmin"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [5641af] <passwd="+$(/usr/lib/php5/maxlifetime"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [b24dbc] <passwd="!"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [ce66b4] <passwd="-execdir"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [ac7dff] <passwd="-s"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [380727] <passwd="}"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [294393] <passwd="2>/dev/null"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [5eb207] <passwd="\"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [5b12b8] <passwd="-delete"> request denied by validnames option

I emphasize that the problem is NOT that the LDAP can't be reached; as you can see, the complete environment is listed at places where it definitely should not be! I searched the internet and asked in a newsgroup, but found no solution.

I think it could be related to a possibly non-standard PAM configuration, therefore I also post my common-auth:

auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_pwdfile.so pwdfile /etc/passwd.opie
auth sufficient pam_opie.so
auth required pam_deny.so

Interestingly, the problems seem to be gone if I remove pam_opie and revert to the standard config. However, it is not pam_opie: when I try pam_otpw instead, the same issue appears.

To conclude, I think the issue appears when you use nslcd, pam_ldap AND an additional module (such as pam_opie or pam_otpw) together. To me this looks like a big security threat, so I do not feel comfortable seeing these messages from time to time.

Thanks!
Peter

-- System Information:
Debian Release: 7.5
Architecture: i386 (i686)

Kernel: Linux 2.6.32-openvz-042stab090.5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nslcd depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u1
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u1
ii  libldap-2.4-2          2.4.31-1+nmu2

Versions of packages nslcd recommends:
ii  bind9-host [host]           1:9.8.4.dfsg.P1-6+nmu2+deb7u1
ii  ldap-utils                  2.4.31-1+nmu2
ii  libnss-ldapd [libnss-ldap]  0.8.10-4
ii  libpam-ldapd [libpam-ldap]  0.8.10-4
pn  nscd                        <none>

Versions of packages nslcd suggests:
pn  kstart  <none>

-- debconf information:
  nslcd/ldap-sasl-realm:
  nslcd/ldap-starttls: true
  nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
  nslcd/ldap-auth-type: simple
* nslcd/ldap-reqcert: never
* nslcd/ldap-uris: ldap://192.168.0.230/
  nslcd/ldap-sasl-secprops:
  nslcd/ldap-binddn: uid=reader,dc=internal
  nslcd/ldap-sasl-authcid:
  nslcd/ldap-sasl-mech:
* nslcd/ldap-base: dc=internal
  nslcd/ldap-sasl-authzid:
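
A triage aid for log bursts like the ones quoted in the report, added here as an example and not part of the original report or of nslcd: it extracts every key rejected by validnames, decodes syslog's #011-style octal escapes, and joins the keys per nslcd PID so the text that was being resolved word by word becomes readable. The sample lines are constructed, and the names SAMPLE, LOGIN and triage are assumptions; LOGIN is an assumed conservative name shape, not nslcd's own validnames default.

```python
import re

# Constructed sample lines in the format of the syslog excerpts in the report.
SAMPLE = """\
Apr 24 05:42:55 server nslcd[26547]: [1f9786] <passwd="-x"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [58bd17] <passwd="&&"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [344c22] <passwd="-type"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [1745e4] <passwd="f"> request denied by validnames option
Apr 24 05:42:55 server nslcd[26547]: [294393] <passwd="2>/dev/null"> request denied by validnames option
Apr 24 05:42:56 server nslcd[26547]: [d3947c] <passwd="203.0.113.7#011alice#011access> request denied by validnames option
Apr 24 05:42:57 server nslcd[26547]: [180b0b] <passwd="alice"> ldap_search_ext() failed: Can't contact LDAP server: Broken pipe
nslcd[3338]: [23c1fd] <passwd="uid=0"> request denied by validnames option
nslcd[3338]: [85b3f6] <passwd="user=alice"> request denied by validnames option
"""

DENIED = re.compile(
    r'nslcd\[(?P<pid>\d+)\]: \[[0-9a-f]+\] '
    r'<(?P<map>[^=>]+)="(?P<key>.*?)"?> request denied by validnames option')
ESCAPE = re.compile(r'#([0-7]{3})')   # syslog octal escape, e.g. #011 = TAB
# Assumption: a conservative login-name shape, NOT nslcd's validnames default.
LOGIN = re.compile(r'^[a-z_][a-z0-9_-]{0,31}$')

def denied_lookups(text):
    """Yield (pid, map, key) for every lookup rejected by validnames."""
    for line in text.splitlines():
        m = DENIED.search(line)
        if m:  # the closing quote is optional because nslcd truncates long keys
            key = ESCAPE.sub(lambda e: chr(int(e.group(1), 8)), m.group('key'))
            yield int(m.group('pid')), m.group('map'), key

def triage(text):
    """Per nslcd PID: rejected keys in log order, and how many are not name-shaped."""
    report = {}
    for pid, _map, key in denied_lookups(text):
        entry = report.setdefault(pid, {'keys': [], 'not_name_shaped': 0})
        entry['keys'].append(key)
        if not LOGIN.match(key):
            entry['not_name_shaped'] += 1
    for entry in report.values():
        # Joined in order, the keys show what text was looked up word by word.
        entry['text'] = ' '.join(entry['keys'])
    return report

if __name__ == '__main__':
    for pid, entry in triage(SAMPLE).items():
        print(pid, f"{entry['not_name_shaped']}/{len(entry['keys'])} not name-shaped:")
        print('   ', repr(entry['text']))
```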