ports/72867: [PATCH] unsecure smbldap-passwd from net/smbldap-tools when changin LDAP password

Pawel Wielebap wielebap at iem.pw.edu.pl
Tue Oct 19 10:30:21 UTC 2004 

>Number:         72867
>Category:       ports
>Synopsis:       [PATCH] unsecure smbldap-passwd from net/smbldap-tools when changin LDAP password
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 19 10:30:20 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Wielebap
>Release:        FreeBSD 6.0
>Organization:
>Environment:
FreeBSD volt.iem.pw.edu.pl 6.0-CURRENT FreeBSD 6.0-CURRENT #0:
>Description:
A problem and the solution is described in the article:
www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap-tools_doc.pdf
I also enclosed there 2 specific script modifications which can do as main passwd programme, and can be run in setuid mode.

Description:
- Script smbldap-passwd cannot be run with perl -T (taint) option turned on.
- If slappasswd is not available userPassword field is still modified with the empty password!!! and samba password is still modified with the entered password.
- Script smbldap-passwd requires slappasswd to generate password and this is not configurable. Slappasswd is an external programme so it is rather not as secure as using perl libraries.

>How-To-Repeat:
Rename /usr/local/sbin/slappasswd and run smbldap-passwd. An empty password will be applied.

Use tainted password like: 'pass; rm -R ~;'
>Fix:
A modified port can be downloaded from:
www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap-tools.taz

I have rebuild the structure of smbldap-passwd script.
This script can be downloaded from:
www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap-passwd
I don't place the code here because it is very long, so please download it from my web.

You have to apply a patch to /usr/local/etc/smbldap-tools/smbldap.conf
It can be downloaded from:
www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap.conf.diff-freebsd
The patch:
% cat smbldap.conf.diff-freebsd
--- smbldap.conf.orig   Tue Oct 19 11:41:37 2004
+++ smbldap.conf        Tue Oct 19 11:42:43 2004
@@ -106,7 +106,7 @@
 # Default scope Used
 scope="sub"

-# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
 hash_encrypt="SSHA"

 # if hash_encrypt is set to CRYPT, you may set a salt format.
@@ -189,4 +189,10 @@
 # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
 # prefer Crypt::SmbHash library
 with_smbpasswd="0"
-smbpasswd="/usr/bin/smbpasswd"
+smbpasswd="/usr/local/bin/smbpasswd"
+
+# Allows not tu use slappasswd (if without_slappasswd == 1 in smbldap_conf.pm)
+# but prefer Crypt:: libraries
+without_slappasswd="0"
+slappasswd="/usr/local/sbin/slappasswd"
+


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list