CVE-2022-31253 - Untrusted Search Path Vulnerability in openldap2 of openSUSE Factory Exposing Directory Entries Ownership Change

CVE-2022-31253 is an untrusted search path vulnerability in the openldap2 package of openSUSE Factory, which, if exploited, could allow local attackers with control of the LDAP user or group to change ownership of arbitrary directory entries to escalate privileges to root. This security issue affects openldap2 versions before 2.6.3-404.1.

The objective of this post is to provide an in-depth analysis of the vulnerability, as well as to share critical information, code snippets, and references to help you understand the root cause of the problem and how it can be exploited.

Original References

- CVE-2022-31253: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31253
- openSUSE Factory Advisory: https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/47R4SZFR4ONC75ALRQH75RJ3XOBA52BP
- openldap2 Package: https://www.openldap.org/software/download/OpenLDAP/osource/repo/b8f7067
- Patch: https://releases.pagure.org/openldap2-2.6.3-405

The Exploit

The vulnerability roots from the fact that untrusted search paths are not adequately protected and can be manipulated by attackers, leading to the LDAP user or group being able to change directory entry ownership, which in turn may lead to an escalation of privileges to root level.

Here's a code snippet that demonstrates an example of an untrusted search path vulnerability

#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(void) {
    char command[100];

    strcpy(command, "command-to-be-executed -flag ");
    strcat(command, getenv("PATH"));

    setuid();
    system(command);

    return ;
}

In the above example, the PATH environment variable is used to form a part of the command being executed, making it vulnerable to an attacker who has control over the PATH.

Mitigation Steps

Administrators should upgrade the openldap2 package to version 2.6.3-404.1 or later to fix the vulnerability. The updated package is available from the openSUSE package repository.

Check for available updates

sudo zypper ref
sudo zypper up openldap2

Confirm that the openldap2 package has been updated

zypper info openldap2

The output should indicate a version equal to or above 2.6.3-404.1

Version: 2.6.3-404.1

Restart the affected services after upgrading the package.

sudo systemctl restart slapd

Conclusion

CVE-2022-31253 is a crucial vulnerability in openldap2 of openSUSE Factory, allowing local attackers with LDAP user or group privileges to leverage untrusted search paths and escalate their privileges to root. By staying alert and keeping your openldap2 package up to date, you'll ensure your system is protected against exploitation of this vulnerability.

Timeline

Published on: 11/09/2022 14:15:00 UTC
Last modified on: 11/10/2022 16:15:00 UTC