Vigil@nce - OpenLDAP: use after free via rwm overlay
February 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can perform a query followed by an unbind, to use a
freed memory area in the rwm overlay feature of OpenLDAP, in order
to trigger a denial of service, and possibly to execute code.
Impacted products: Fedora, MBS, MES, OpenLDAP, RHEL
Severity: 2/4
Creation date: 04/02/2014
DESCRIPTION OF THE VULNERABILITY
The rwm (rewrite/remap) overlay of OpenLDAP provides a virtual
view on data.
Functions of the libraries/librewrite/session.c file count the
number of users of a rwm session. However, this counter is not
updated during a query.
An attacker can therefore perform a query followed by an unbind,
to use a freed memory area in the rwm overlay feature of OpenLDAP,
in order to trigger a denial of service, and possibly to execute
code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenLDAP-use-after-free-via-rwm-overlay-14171