Bugtraq mailing list archives
easy DoS of LDAP services in case of naive programming
From: ahu () DS9A NL (bert hubert)
Date: Wed, 21 Jun 2000 23:43:47 +0200
On Wed, Jun 21, 2000 at 02:13:33PM +0200, Michal Zalewski wrote:
> - this ftp server supports LDAP users; different LDAP accounts are served on single physical UID. It means, any user can access and eventually overwrite files

On a side note, I know people who have been bitten by users trying to log in with account '*'. With LDAP, each query is by default subject to (not quite regular) expression expansion. So a user who enters a '*' as a username forces your LDAP server to look through all possible users - an operation that may well take seconds to complete, or even longer if your server is big, as often happens with LDAP directories. An easy DoS attack.

There is an even sicker possibility when you copy code verbatim from the (fine) examples found in the OpenLDAP or Michigan distribution. A search for user '*' will return lots of entries - if you did not take the trouble to take out the 'while' loop from the example, you may end up trying a lot of users for a matching password. And some of your users *will* have default or easy to guess passwords - allowing easy entry to your systems by trying to log in as user '*' with a common password.

In short, take care to properly escape what your users enter, and as a further precaution, protect yourself against multiple returns from a search for a single user.

Regards,

bert hubert

--
| http://www.rent-a-nerd.nl | - U N I X - | Inspice et cautus eris - D11T'95
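As an added illustration that is not part of bert hubert's post or of the OpenLDAP sample code: a Python sketch of the two mistakes he describes (unescaped filter input, and looping over every returned entry) next to the hardened version. The in-memory directory, the filter evaluator and the plaintext password comparison are constructed stand-ins for a real LDAP search and bind.

```python
import re
# Characters with special meaning inside an LDAP search filter (RFC 4515, section 3).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape user input so the server matches it literally, not as a wildcard."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_uid_filter(username: str) -> str:
    return f"(uid={escape_filter_value(username)})"

# Constructed in-memory directory standing in for the LDAP server (sample passwords).
DIRECTORY = [{"uid": "alice", "userPassword": "correct-horse"},
             {"uid": "bob", "userPassword": "password"}]

def _value_to_regex(value: str) -> str:
    """Turn a filter value into a regex: '*' is a wildcard, '\\XX' is a literal char."""
    parts = []
    for tok in re.finditer(r"\\([0-9a-fA-F]{2})|\*|.", value, re.S):
        if tok.group(1):
            parts.append(re.escape(chr(int(tok.group(1), 16))))
        elif tok.group(0) == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(tok.group(0)))
    return "".join(parts)

def simulated_search(ldap_filter: str) -> list:
    """Stand-in for a directory search that understands only (uid=...) filters."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter, re.S)
    if m is None:
        raise ValueError("unsupported filter")
    rx = re.compile(_value_to_regex(m.group(1)), re.S)
    return [e for e in DIRECTORY if rx.fullmatch(e["uid"])]

def login_naive(username: str, password: str):
    """Copied-example pattern: unescaped input, password tried against every entry."""
    for entry in simulated_search(f"(uid={username})"):
        if entry["userPassword"] == password:
            return entry["uid"]
    return None

def login_hardened(username: str, password: str):
    """Escape the input and refuse unless the search returns exactly one entry."""
    entries = simulated_search(build_uid_filter(username))
    if len(entries) != 1:
        return None
    entry = entries[0]
    return entry["uid"] if entry["userPassword"] == password else None
```

With the naive path a username of '*' is tested against every account and succeeds as soon as any user has the guessed password; the hardened path sends an escaped filter, so '*' matches nobody, and a result set of anything but one entry is rejected outright.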