Vigil@nce : nss-ldapd: obtaining the password
March 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can read the configuration file of nss-ldapd in
order to obtain the password used to connect to the LDAP server.
Gravity: 1/4
Consequences: privileged access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 25/03/2009
IMPACTED PRODUCTS
– Debian Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The nss-ldapd module is used to query a LDAP server to resolve
user names, group names and host names via NSS (Name Service
Switch).
The bindpw directive of the /etc/nss-ldapd.conf configuration file
indicates the required password to authenticate on the LDAP
directory.
However, the /etc/nss-ldapd file is world readable. All user can
therefore obtain the password if it is set in the configuration
file.
A local attacker can therefore read the configuration file of
nss-ldapd in order to obtain the password used to connect to the
LDAP server.
CHARACTERISTICS
Identifiers: 520476, VIGILANCE-VUL-8559
http://vigilance.fr/vulnerability/nss-ldapd-obtaining-the-password-8559