PADL Software Pty Ltd


Local Format String Vulnerability in pam_ldap

A local format string vulnerability has been found in pam_ldap. The vulnerability was reported in Blackshell Advisory #5 and was introduced in pam_ldap-80, along with support for runtime-selectable LDAP configuration files (a third-party contribution). It cannot be exploited remotely. Versions prior to pam_ldap-80 and subsequent to pam_ldap-143 are not vulnerable. Contrary to reports, the nss_ldap module is not affected by this bug (confusingly, pam_ldap is sometimes distributed by vendors in the same package as nss_ldap).

To exploit this vulnerability, one would have to embed a format string in the PAM configuration stanza for pam_ldap (either in /etc/pam.conf or a file within /etc/pam.d). These configuration files should never be writable by a non-privileged user, so it is highly unlikely that such an exploit could be used to elevate privilege in a typical installation. (Were the PAM configuration writable by a non-privileged user, an arbitrary module could be inserted in the PAM stack, presenting a much simpler means of elevating privilege.)
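As an added illustration (not pam_ldap's own code), the following C program shows the two defensive sides of the issue described above: a logging helper that, like the pam_ldap-144 fix, passes the configuration file path as a `%s` argument rather than as the format itself, and an audit check that counts `%` characters in the module arguments of pam_ldap stanzas in /etc/pam.conf or /etc/pam.d files. The sample stanzas are constructed, and the `config=` argument name is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Render the "missing file" message as pam_ldap-144 does: the format is a
 * literal and configFile is only a %s argument, so '%' in the path is data. */
int render_missing_file(char *out, size_t outsz, const char *configFile)
{
    return snprintf(out, outsz, "pam_ldap: missing file \"%s\"", configFile);
}

/* Audit one line of /etc/pam.conf or an /etc/pam.d file: count '%' characters
 * in the arguments following a pam_ldap module entry. Comments, blank lines and
 * other modules yield 0; non-zero marks a stanza to inspect on pam_ldap-80..143. */
int pam_ldap_arg_pct_count(const char *line)
{
    char buf[512], *tok, *save, *hash;
    int seen_module = 0, count = 0;
    if (strlen(line) >= sizeof buf)
        return 0;                          /* assumption: stanza lines are short */
    strcpy(buf, line);
    if ((hash = strchr(buf, '#')) != NULL)
        *hash = '\0';                      /* drop a trailing comment */

    for (tok = strtok_r(buf, " \t\r\n", &save); tok != NULL;
         tok = strtok_r(NULL, " \t\r\n", &save)) {
        if (!seen_module) {                /* skip fields before the module path */
            if (strstr(tok, "pam_ldap") != NULL)
                seen_module = 1;           /* works for pam.conf and pam.d layouts */
            continue;
        }
        for (const char *p = tok; *p != '\0'; p++)
            if (*p == '%')
                count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample stanzas; the "config=" argument name is an assumption. */
    const char *ok = "auth sufficient pam_ldap.so config=/etc/ldap.conf";
    const char *bad = "auth sufficient pam_ldap.so config=/etc/ldap%s%s.conf";
    char msg[128];
    printf("%d %d\n", pam_ldap_arg_pct_count(ok), pam_ldap_arg_pct_count(bad));
    render_missing_file(msg, sizeof msg, "/etc/ldap%s%s.conf");
    puts(msg);                             /* '%' sequences appear literally */
    return 0;
}
```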

More information on vulnerabilities and exposures in PADL open source software is available here. This vulnerability has been assigned CVE number CAN-2002-0374.

Patches

This vulnerability was corrected in pam_ldap-144; see bug #90. The current version of pam_ldap is available by FTP or HTTP.

Red Hat users should see advisory RHSA-2002-084.

Alternatively, you may apply the following patch:

Index: pam_ldap.c
===================================================================
RCS file: /home/project/cvs/pam_ldap/pam_ldap.c,v
retrieving revision 1.144
retrieving revision 1.146
diff -u -r1.144 -r1.146
--- pam_ldap.c  2002/04/15 11:08:40     1.144
+++ pam_ldap.c  2002/05/07 03:31:15     1.146
@@ -714,7 +714,6 @@
   char *defaultBase, *passwdBase, *defaultFilter, *passwdFilter;
   int defaultScope, passwdScope;
   pam_ldap_config_t *result;
-  char errmsg[MAXPATHLEN + 25];

   if (_alloc_config (presult) != PAM_SUCCESS)
     {
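Review bot: dropping `char errmsg[MAXPATHLEN + 25];` is consistent with the second hunk removing its only visible writer and reader (the snprintf/syslog pair), but this hunk shows just the declaration; confirm no other reference to errmsg remains in this function outside the displayed context, so the build stays warning-free after the buffer is gone.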
@@ -744,9 +743,7 @@
        * According to PAM Documentation, such an error in a config file
        * SHOULD be logged at LOG_ALERT level
        */
-      snprintf (errmsg, sizeof (errmsg), "pam_ldap: missing file \"%s\"",
-               configFile);
-      syslog (LOG_ALERT, errmsg);
+      syslog (LOG_ALERT, "pam_ldap: missing file \"%s\"", configFile);
       return PAM_SERVICE_ERR;
     }
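Review bot: the fix has the right shape: the old `syslog (LOG_ALERT, errmsg);` handed the already-formatted message, which embeds the configuration path selected in the PAM stanza, to syslog() as its format string, while the new `syslog (LOG_ALERT, "pam_ldap: missing file \"%s\"", configFile);` keeps the format a literal and passes the path as a %s argument, so any conversion characters in it are printed literally. Removing the intermediate buffer also disposes of the MAXPATHLEN + 25 sizing and the truncation that snprintf would have silently applied. Suggest building with -Wformat -Wformat-security (GCC) so any remaining non-literal format call to syslog() or the printf family elsewhere in the module is flagged at compile time.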


Copyright 1999-2014 PADL Software Pty Ltd ABN 16 085 895 585. All rights reserved.
PADL is a registered trademark of PADL Software Pty Ltd.