Vigil@nce - OpenLDAP: use after free via Matched Values
February 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force the usage of a freed memory area in Matched
Values of OpenLDAP, in order to trigger a denial of service, and
possibly to execute code.
Impacted products: OpenLDAP
Severity: 2/4
Creation date: 06/02/2015
DESCRIPTION OF THE VULNERABILITY
The OpenLDAP directory supports Matched Values queries using a
filter. For example: ldapsearch -E ’mv=(sn=*)’.
However, when the filter is invalid, the get_vrFilter() function
of the servers/slapd/filter.c file frees a memory area before
reusing it.
An attacker can therefore force the usage of a freed memory area
in Matched Values of OpenLDAP, in order to trigger a denial of
service, and possibly to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenLDAP-use-after-free-via-Matched-Values-16125