PADL Software Pty Ltd

PADL Software Pty Ltd


About PADL


Commercial Software

Contacting PADL


Open Source Software



Research and Development

Technical Support


Local Format String Vulnerability in pam_ldap

A local format string vulnerability has been found in pam_ldap. The vulnerability was reported in Blackshell Advistory #5, and was introduced in pam_ldap-80 along with support for runtime selectable LDAP configuration files (a third party contribution). It cannot be exploited remotely. Versions prior to pam_ldap-80 and subsequent to pam_ldap-143 are not vulnerable. Contrary to reports, the nss_ldap module is not affected by this bug (confusingly, pam_ldap is sometimes distributed by vendors in the same package as nss_ldap).

To exploit this vulnerability, one would have to embed a format string in the PAM configuration stanza for pam_ldap (either in /etc/pam.conf or a file within /etc/pam.d). These configuration files should never be writable by a non-privileged user, so it is highly unlikely that such an exploit could be used to elevate privilege in a typical installation. (Were the PAM configuration writable by a non-privileged user, an arbitrary module could be inserted in the PAM stack, presenting a much simpler means of elevating privilege.)

More information on vulnerabilities and exposures in PADL open source software is available here. This vulnerability has been assigned CVE number CAN-2002-0374.


This vulnerability was corrected in pam_ldap-144; see bug #90. The current version of pam_ldap is available by FTP, or HTTP.

RedHat users should see advisory RHSA-2002-084.

Alternatively, you may apply the following patch:

Index: pam_ldap.c
RCS file: /home/project/cvs/pam_ldap/pam_ldap.c,v
retrieving revision 1.144
retrieving revision 1.146
diff -u -r1.144 -r1.146
--- pam_ldap.c  2002/04/15 11:08:40     1.144
+++ pam_ldap.c  2002/05/07 03:31:15     1.146
@@ -714,7 +714,6 @@
   char *defaultBase, *passwdBase, *defaultFilter, *passwdFilter;
   int defaultScope, passwdScope;
   pam_ldap_config_t *result;
-  char errmsg[MAXPATHLEN + 25];

   if (_alloc_config (presult) != PAM_SUCCESS)
@@ -744,9 +743,7 @@
        * According to PAM Documentation, such an error in a config file
        * SHOULD be logged at LOG_ALERT level
-      snprintf (errmsg, sizeof (errmsg), "pam_ldap: missing file \"%s\"",
-               configFile);
-      syslog (LOG_ALERT, errmsg);
+      syslog (LOG_ALERT, "pam_ldap: missing file \"%s\"", configFile);
       return PAM_SERVICE_ERR;

Home | Bugzilla

Copyright 1999-2014 PADL Software Pty Ltd ABN 16 085 895 585. All rights reserved.
PADL is a registered trademark of PADL Software Pty Ltd.