c7dc9357ac
Resolves: RHEL-44324 - unauthenticated user can trigger a DoS by sending a specific extended search request Resolves: RHEL-40946 - Malformed userPassword hash may cause Denial of Service Resolves: RHEL-33087 - dsconf schema does not show inChain matching rule Resolves: RHEL-28177 - Malformed userPassword may cause crash at do_modify in slapd/modify.c Resolves: RHEL-25070 - nsslapd-haproxy-trusted-ip is not in schema
109 lines
4.4 KiB
Diff
109 lines
4.4 KiB
Diff
From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001
|
|
From: James Chapman <jachapma@redhat.com>
|
|
Date: Wed, 1 May 2024 15:01:33 +0100
|
|
Subject: [PATCH] CVE-2024-2199
|
|
|
|
---
|
|
.../tests/suites/password/password_test.py | 56 +++++++++++++++++++
|
|
ldap/servers/slapd/modify.c | 8 ++-
|
|
2 files changed, 62 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py
|
|
index 1245feb31..e4abd9907 100644
|
|
--- a/dirsrvtests/tests/suites/password/password_test.py
|
|
+++ b/dirsrvtests/tests/suites/password/password_test.py
|
|
@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st):
|
|
log.info('test_password_delete_specific_password: PASSED')
|
|
|
|
|
|
+def test_password_modify_non_utf8(topology_st):
|
|
+ """Attempt a modify of the userPassword attribute with
|
|
+ an invalid non utf8 value
|
|
+
|
|
+ :id: a31af9d5-d665-42b9-8d6e-fea3d0837d36
|
|
+ :setup: Standalone instance
|
|
+ :steps:
|
|
+ 1. Add a user if it doesnt exist and set its password
|
|
+ 2. Verify password with a bind
|
|
+ 3. Modify userPassword attr with invalid value
|
|
+ 4. Attempt a bind with invalid password value
|
|
+ 5. Verify original password with a bind
|
|
+ :expectedresults:
|
|
+ 1. The user with userPassword should be added successfully
|
|
+ 2. Operation should be successful
|
|
+ 3. Server returns ldap.UNWILLING_TO_PERFORM
|
|
+ 4. Server returns ldap.INVALID_CREDENTIALS
|
|
+ 5. Operation should be successful
|
|
+ """
|
|
+
|
|
+ log.info('Running test_password_modify_non_utf8...')
|
|
+
|
|
+ # Create user and set password
|
|
+ standalone = topology_st.standalone
|
|
+ users = UserAccounts(standalone, DEFAULT_SUFFIX)
|
|
+ if not users.exists(TEST_USER_PROPERTIES['uid'][0]):
|
|
+ user = users.create(properties=TEST_USER_PROPERTIES)
|
|
+ else:
|
|
+ user = users.get(TEST_USER_PROPERTIES['uid'][0])
|
|
+ user.set('userpassword', PASSWORD)
|
|
+
|
|
+ # Verify password
|
|
+ try:
|
|
+ user.bind(PASSWORD)
|
|
+ except ldap.LDAPError as e:
|
|
+ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
|
|
+ assert False
|
|
+
|
|
+ # Modify userPassword with an invalid value
|
|
+ password = b'tes\x82t-password' # A non UTF-8 encoded password
|
|
+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):
|
|
+ user.replace('userpassword', password)
|
|
+
|
|
+ # Verify a bind fails with invalid pasword
|
|
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
|
|
+ user.bind(password)
|
|
+
|
|
+ # Verify we can still bind with original password
|
|
+ try:
|
|
+ user.bind(PASSWORD)
|
|
+ except ldap.LDAPError as e:
|
|
+ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
|
|
+ assert False
|
|
+
|
|
+ log.info('test_password_modify_non_utf8: PASSED')
|
|
+
|
|
if __name__ == '__main__':
|
|
# Run isolated
|
|
# -s for DEBUG mode
|
|
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
|
|
index a20984e0b..fb65d58b3 100644
|
|
--- a/ldap/servers/slapd/modify.c
|
|
+++ b/ldap/servers/slapd/modify.c
|
|
@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
|
|
* flagged - leave mod attributes alone */
|
|
if (!repl_op && !skip_modified_attrs && lastmod) {
|
|
modify_update_last_modified_attr(pb, &smods);
|
|
+ slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods));
|
|
}
|
|
|
|
+
|
|
if (0 == slapi_mods_get_num_mods(&smods)) {
|
|
/* nothing to do - no mods - this is not an error - just
|
|
send back LDAP_SUCCESS */
|
|
@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
|
|
|
|
/* encode password */
|
|
if (pw_encodevals_ext(pb, sdn, va)) {
|
|
- slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
|
|
- send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
|
|
+ slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s, "
|
|
+ "check value is utf8 string.\n", slapi_entry_get_dn_const(e));
|
|
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, "
|
|
+ "check value is utf8 string.\n", 0, NULL);
|
|
valuearray_free(&va);
|
|
goto free_and_return;
|
|
}
|
|
--
|
|
2.41.0
|
|
|