[15427] in bugtraq
easy DoS of LDAP services in case of naive programming
daemon@ATHENA.MIT.EDU (bert hubert)
Thu Jun 22 19:16:41 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Message-Id: <20000621234347.A30946@home.ds9a.nl>
Date: Wed, 21 Jun 2000 23:43:47 +0200
Reply-To: bert hubert <ahu@DS9A.NL>
From: bert hubert <ahu@DS9A.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0006211351280.23780-100000@nimue.tpi.pl>; from
lcamtuf@TPI.PL on Wed, Jun 21, 2000 at 02:13:33PM +0200
On Wed, Jun 21, 2000 at 02:13:33PM +0200, Michal Zalewski wrote:
> - this ftp server supports LDAP users; different LDAP
> accounts are served on a single physical UID. It means
> any user can access and eventually overwrite files
On a side note, I know people who have been bitten by users trying to log in
with account '*'. With LDAP, each query is by default subject to (not quite
regular) expression expansion.

So a user who enters a '*' as a username forces your LDAP server to look
through all possible users - an operation that may well take seconds to
complete, or even longer if your server is big, as often happens with LDAP
directories. An easy DoS attack.

There is an even sicker possibility when you copy code verbatim from the
(fine) examples found in the OpenLDAP or Michigan distribution. A search for
user '*' will return lots of entries - if you did not take the trouble to
take out the 'while' loop from the example, you may end up trying a lot of
users for a matching password.

And some of your users *will* have default or easy-to-guess passwords -
allowing easy entry to your systems by trying to log in as user '*' with
a common password.

In short, take care to properly escape what your users enter, and as a
further precaution, protect yourself against multiple returns from a search
for a single user.
Regards,
bert hubert
--
| http://www.rent-a-nerd.nl
| - U N I X -
| Inspice et cautus eris - D11T'95
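The two precautions the post closes with (escape what the user enters, and refuse a lookup that returns more than one entry), worked through as an added example that is not part of the original post. The in-memory DIRECTORY and the `search()` function that stands in for the LDAP server's filter matching are constructed for illustration; a real program would hand the built filter to an LDAP client library instead.

```python
import re

DIRECTORY = [  # constructed sample entries, not real data
    {"uid": "alice", "userPassword": "s3cret!"},
    {"uid": "bob", "userPassword": "password"},
    {"uid": "carol", "userPassword": "letmein"},
]

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)

def naive_filter(username):          # user input pasted in verbatim
    return f"(uid={username})"

def safe_filter(username):           # a typed '*' becomes the literal \2a
    return f"(uid={escape_filter_value(username)})"

def _assertion_to_regex(assertion):
    """Mimic the server: a bare '*' is a wildcard, '\\XX' is a literal char."""
    parts = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", assertion, re.DOTALL):
        if tok == "*":
            parts.append(".*")
        elif len(tok) == 3:                      # escaped hex pair
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts), re.DOTALL)

def search(filter_str):
    """Evaluate one (uid=...) filter against DIRECTORY, as a server would."""
    m = re.fullmatch(r"\(uid=(.*)\)", filter_str, re.DOTALL)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    pattern = _assertion_to_regex(m.group(1))
    return [e for e in DIRECTORY if pattern.fullmatch(e["uid"])]

def naive_authenticate(username, password):
    """The copied example loop: tries the password against every hit."""
    for entry in search(naive_filter(username)):
        if entry["userPassword"] == password:
            return entry["uid"]
    return None

def authenticate(username, password):
    """Escapes the input and proceeds only when exactly one entry matches."""
    entries = search(safe_filter(username))
    if len(entries) != 1:
        return None
    return entries[0]["uid"] if entries[0]["userPassword"] == password else None
```

With the naive loop a login as user '*' with a common password succeeds as whichever account happens to use it; with escaping the same input matches nothing, and a duplicate uid is rejected rather than tried.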