#1696 sssd: potential LDAP filter injection issues

Created 4 years ago by jhrozek
Modified a month ago

https://bugzilla.redhat.com/show_bug.cgi?id=883947 (Fedora)

I went through the sssd 1.9.2 source code and identified potential LDAP filter
injection issues:

src/providers/ldap/ldap_auth.c: get_user_dn() username
src/providers/ldap/sdap_sudo.c: sdap_sudo_build_host_filter() hostnames,
ip_addr
src/providers/ldap/sdap_async_groups.c: sdap_process_missing_member_2307()
member_name
src/providers/ldap/ldap_id_cleanup.c: cleanup_groups() dn
src/providers/ldap/ldap_id_cleanup.c: netgr_translate_members_send()
dn_item->dn
src/providers/ipa/ipa_hosts.c: ipa_host_info_send() hostname
src/tools/sss_cache.c: init_context() user, group, netgroup, map
src/tools/sss_groupshow.c: group_show_trim_memberof() memberofs, dn
src/db/sysdb_ssh.c: sysdb_get_ssh_host() name
src/db/sysdb_ops.c: sysdb_add_user() name, alias_el->values[i].data
src/db/sysdb_ops.c: sysdb_delete_user() name
src/db/sysdb_sudo.c: sysdb_get_sudo_filter() username, groupnames

(Format is file name, function name, variable name)

The situation is a bit like SQL injection, except that LDAP filters should not
be as powerful as SQL statements, so this is probably just a correctness issue
and not a security problem (unless it allows altering the results of queries in
interesting ways).  An interface which separates query parameters from the
query structure would be desirable as a replacement for all this string
concatenation.
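For illustration, the RFC 4515 value escaping that keeps a parameter from altering filter structure. This is an added example, not part of the original ticket and not SSSD code; the function names, the filter template and the sample value are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not SSSD code: escape a value for use inside an LDAP
 * search filter (RFC 4515 section 3). Returns 0, or -1 if out is too small.
 * A NUL byte would need \00 too, but cannot occur in a C string. */
int filter_escape(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (o + 3 >= outlen) return -1;   /* 3 bytes plus the final NUL */
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    if (o >= outlen) return -1;               /* only when outlen == 0 */
    out[o] = '\0';
    return 0;
}

/* String concatenation as the ticket describes; the template is an assumption. */
int build_filter_naive(const char *user, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "(&(uid=%s)(objectClass=posixAccount))", user);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Same template, but the value is escaped first and stays a literal. */
int build_filter_escaped(const char *user, char *out, size_t outlen)
{
    char esc[256];
    if (filter_escape(user, esc, sizeof(esc)) != 0) return -1;
    return build_filter_naive(esc, out, outlen);
}

int main(void)
{
    const char *input = "jdoe)(uid=*";        /* constructed sample value */
    char f[512];
    if (build_filter_naive(input, f, sizeof(f)) == 0) printf("naive:   %s\n", f);
    if (build_filter_escaped(input, f, sizeof(f)) == 0) printf("escaped: %s\n", f);
    return 0;
}
```

With the constructed value, the naive builder yields a filter with an extra `(uid=*)` term, while the escaped builder yields a single `uid` comparison against the literal string.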

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.10 beta
testsupdated: => 0

Fields changed

selected: => Not need

Moving tickets that are not a priority for SSSD 1.10 into the next release.

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Fields changed

mark: => 0

Fields changed

changelog: =>
milestone: SSSD 1.13 beta => SSSD 1.13 backlog
priority: major => minor
review: => 1

Mass-moving tickets not planned for the next two releases.

Please reply with a comment if you disagree about the move.

milestone: SSSD 1.13 backlog => SSSD 1.15 beta

Suggest to defer.

selected: Not need => May
sensitive: => 0

Fields changed

milestone: SSSD Future releases (no date set yet) => SSSD Patches welcome

a month ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Patches welcome
