openldap: denial of service

ID ASA-201509-4
Type archlinux
Reporter Arch Linux
Modified 2015-09-12T00:00:00


By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash with a SIGABRT. This is due to an assert() call within the ber_get_next method (io.c line 682) that is hit when decoding tampered BER data. The following proof of concept exploit can be used to trigger the condition:

echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 389

The above causes slapd to abort as follows when running with '-d3', however it should be noted that this will crash the server even when running in daemon mode.