Here is a quick reproducer.

sudo apt update
sudo apt install slapd ldap-utils -y

Reconfigure the slapd package. When asked about a domain, use "example.com". Choose a password, and accept defaults for everything else:

sudo dpkg-reconfigure slapd

Create a file called add-rwm.ldif with these contents:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm

dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"

Then run:

sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif

And then, to trigger the crash:

ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root

slapd will die, and /var/crash will have a crash file for slapd.

--
https://bugs.launchpad.net/bugs/1838370

Title: slapd segfault on filter parse error

Status in openldap: Fix Released
Status in openldap package in Ubuntu: Fix Released
Status in openldap source package in Xenial: Confirmed
Status in openldap source package in Bionic: Confirmed
Status in openldap source package in Disco: Confirmed

Bug description:

Hello!

We have faced a slapd crash. It seems an attacker was trying to brute force one of our services, and uid parsing failures caused the slapd crash:

Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadow Max shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublic Key
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 00007fc8d18ec512 sp 00007fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c0000]

Another faulty filter example:

filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"

$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04

$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
    buildd@lcy01-amd64-019 :/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd

Included static backends:
    config
    ldif

$ apt-cache policy slapd
slapd:
  Installed: 2.4.42+dfsg-2ubuntu3.3
  Candidate: 2.4.42+dfsg-2ubuntu3.5
  Version table:
     2.4.42+dfsg-2ubuntu3.5 500
        500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
 *** 2.4.42+dfsg-2ubuntu3.3 100
        100 /var/lib/dpkg/status
     2.4.42+dfsg-2ubuntu3.2 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     2.4.42+dfsg-2ubuntu3 500
        500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

affects ubuntu/openldap
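
A log-correlation check for the crash signature in the report above, as an added example that is not part of the original bug mail or of OpenLDAP: it pairs each "massaged filter parse error" result with the filter logged under the same conn/op and records whether a kernel segfault line for slapd followed before slapd answered another search. The function name and the two sample lines marked as constructed are assumptions, and it assumes stats-level slapd logging in the syslog layout shown in the report.

```python
import re

# slapd "stats" log lines: a search request and its result share conn=/op=.
SRCH = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) SRCH base="([^"]*)".* filter="(.*)"\s*$')
RESULT = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) SEARCH RESULT .*\btext=(.*)$')
SEGV = re.compile(r'kernel: .*\bslapd\[\d+\]: segfault at ')


def find_massaged_filter_failures(lines):
    """Return searches whose rewritten (rwm-massaged) filter failed to parse,
    flagging those followed by a slapd segfault before any later search result."""
    pending, findings, last = {}, [], None
    for line in lines:
        if m := SRCH.search(line):
            # Remember base and filter until the matching result line arrives.
            pending[(m[1], m[2])] = (m[3], m[4])
        elif m := RESULT.search(line):
            base, flt = pending.pop((m[1], m[2]), (None, None))
            if m[3].strip() == "massaged filter parse error":
                last = {"conn": int(m[1]), "op": int(m[2]), "base": base,
                        "filter": flt, "segfault_followed": False}
                findings.append(last)
            else:
                last = None  # slapd answered a later search, so it survived
        elif last and SEGV.search(line):
            last["segfault_followed"] = True
            last = None
    return findings


# Lines 1-2 are constructed (a benign search); lines 3-5 are copied from the report.
SAMPLE = r'''
Jul 26 18:59:40 slapd[1252]: conn=1465 op=2 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(uid=alice)"
Jul 26 18:59:40 slapd[1252]: conn=1465 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 00007fc8d18ec512 sp 00007fc8889e2810 error 4 in libc-2.23.so [7fc8d1868000+1c0000]
'''.strip().splitlines()

if __name__ == "__main__":
    for finding in find_massaged_filter_failures(SAMPLE):
        print(finding)
```
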