Vigil@nce - Cyrus SASL: denial of service via crypt
July 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a malformed salt during authentication to
Cyrus SASL in order to stop the service.
Impacted products: Cyrus SASL
Severity: 2/4
Creation date: 15/07/2013
DESCRIPTION OF THE VULNERABILITY
The Cyrus SASL library (Simple Authentication and Security Layer)
adds new authentication methods to existing protocols.
The glibc crypt() function hashes a password using a (random)
salt. Since glibc version 2.17, crypt() returns a NULL pointer if
the salt is malformed. However, Cyrus SASL does not handle this
case and dereferences the NULL pointer. The current process then
stops and is not restarted.
An attacker can therefore use a malformed salt during
authentication to Cyrus SASL in order to stop the service (there
are 5 processes to kill).
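
The missing check described above, as an added example that is not Cyrus SASL's code. The names verify_password and fake_crypt are hypothetical; fake_crypt is a constructed stand-in (not a real hash) that only mimics crypt() returning NULL on a malformed salt, assuming the traditional two-character salt alphabet [./0-9A-Za-z], so the block runs without libcrypt.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3), so the real function can be passed instead. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt(): NOT a real hash. It only reproduces
 * the "return NULL for a malformed salt" behaviour the bulletin describes. */
static char *fake_crypt(const char *key, const char *salt)
{
    static const char ok[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    static char out[64];

    if (!salt[0] || !salt[1] ||
        !strchr(ok, salt[0]) || !strchr(ok, salt[1])) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof out, "%c%c%.32s", salt[0], salt[1], key);
    return out;
}

/* Returns 1 on match, 0 on mismatch, -1 if the hash could not be computed.
 * The unchecked form, strcmp(stored, hash(password, stored)), hands NULL
 * to strcmp() when the salt is malformed and the process crashes. */
static int verify_password(crypt_fn hash, const char *password,
                           const char *stored)
{
    char *computed;

    if (hash == NULL || password == NULL || stored == NULL)
        return -1;
    computed = hash(password, stored);
    if (computed == NULL)          /* malformed salt: fail closed */
        return -1;
    return strcmp(computed, stored) == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed sample values: valid salt, wrong password, bad salt. */
    printf("%d\n", verify_password(fake_crypt, "secret", "absecret"));
    printf("%d\n", verify_password(fake_crypt, "wrong", "absecret"));
    printf("%d\n", verify_password(fake_crypt, "secret", "!!secret"));
    return 0;
}
```

Treating the -1 result as an authentication failure keeps the worker process alive instead of letting it crash.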
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cyrus-SASL-denial-of-service-via-crypt-13108