CVE-2022-31253 - Untrusted Search Path Vulnerability in openldap2 of openSUSE Factory Exposing Directory Entries Ownership Change
CVE-2022-31253 is an untrusted search path vulnerability in the openldap2 package of openSUSE Factory, which, if exploited, could allow local attackers with control of the LDAP user or group to change ownership of arbitrary directory entries to escalate privileges to root. This security issue affects openldap2 versions before 2.6.3-404.1.
The objective of this post is to provide an in-depth analysis of the vulnerability, as well as to share critical information, code snippets, and references to help you understand the root cause of the problem and how it can be exploited.
Original References
- CVE-2022-31253: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31253
- openSUSE Factory Advisory: https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/47R4SZFR4ONC75ALRQH75RJ3XOBA52BP
- openldap2 Package: https://www.openldap.org/software/download/OpenLDAP/osource/repo/b8f7067
- Patch: https://releases.pagure.org/openldap2-2.6.3-405
The Exploit
The vulnerability roots from the fact that untrusted search paths are not adequately protected and can be manipulated by attackers, leading to the LDAP user or group being able to change directory entry ownership, which in turn may lead to an escalation of privileges to root level.
Here's a code snippet that demonstrates an example of an untrusted search path vulnerability
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main(void) {
char command[100];
strcpy(command, "command-to-be-executed -flag ");
strcat(command, getenv("PATH"));
setuid();
system(command);
return ;
}
In the above example, the PATH environment variable is used to form a part of the command being executed, making it vulnerable to an attacker who has control over the PATH.
Mitigation Steps
Administrators should upgrade the openldap2 package to version 2.6.3-404.1 or later to fix the vulnerability. The updated package is available from the openSUSE package repository.
Check for available updates
sudo zypper ref
sudo zypper up openldap2
Confirm that the openldap2 package has been updated
zypper info openldap2
The output should indicate a version equal to or above 2.6.3-404.1
Version: 2.6.3-404.1
Restart the affected services after upgrading the package.
sudo systemctl restart slapd
Conclusion
CVE-2022-31253 is a crucial vulnerability in openldap2 of openSUSE Factory, allowing local attackers with LDAP user or group privileges to leverage untrusted search paths and escalate their privileges to root. By staying alert and keeping your openldap2 package up to date, you'll ensure your system is protected against exploitation of this vulnerability.
Timeline
Published on: 11/09/2022 14:15:00 UTC
Last modified on: 11/10/2022 16:15:00 UTC