389 Directory Server SSO Token Extended Operation Handler Type Confusion Vulnerability Allowing Partial Stack Address Disclosure

Vulnerability

A type confusion vulnerability has been identified in the 389 Directory Server's SSO token extended operation handler. This flaw allows partial stack address information to be leaked in LDAP responses to authenticated users. The issue arises because the handler improperly passes a stack pointer to a formatting function that expects an integer, creating a mismatch that can be exploited to extract sensitive information.
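As an added illustration of the bug class the advisory describes, and not code from 389 Directory Server (the function and field names are hypothetical), the C program below places a pointer in an integer formatting slot beside the corrected form and checks whether the resulting response text reproduces the low 32 bits of a stack address. The real defect passes the pointer straight to the conversion, which is undefined behaviour; here the truncation that occurs on LP64 platforms is written as an explicit cast so the program compiles cleanly and behaves deterministically.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed example (hypothetical names, not 389-ds code): a stack
 * pointer reaches a "%d" conversion, so the low 32 bits of a stack
 * address are formatted into the response instead of the intended value.
 */

/* Vulnerable pattern: the caller meant to report *token_len, but the
 * pointer itself lands in the "%d" slot. The cast mirrors what the
 * mismatched conversion prints on LP64; the real bug has no cast and is
 * what -Wformat / -Werror=format reports at build time. */
static int build_response_vulnerable(char *out, size_t n, const int *token_len)
{
    return snprintf(out, n, "tokenLength: %d", (int)(uintptr_t)token_len);
}

/* Fixed pattern: dereference and pass the integer the format expects. */
static int build_response_fixed(char *out, size_t n, const int *token_len)
{
    return snprintf(out, n, "tokenLength: %d", *token_len);
}

/* Defender-side check: does the integer in the response equal the low
 * 32 bits of the address of a stack variable? Returns 1 if it does. */
int response_discloses_stack_bits(const char *response, const int *stack_var)
{
    int printed;
    if (sscanf(response, "tokenLength: %d", &printed) != 1)
        return 0;
    return (uint32_t)printed == (uint32_t)(uintptr_t)stack_var;
}

/* Run both variants against the same stack local and report which one
 * leaked address bits: bit 0 = vulnerable leaked, bit 1 = fixed leaked. */
int leak_demo(void)
{
    int token_len = 42;   /* stack-resident value the handler wants to report */
    char resp[64];
    int result = 0;

    build_response_vulnerable(resp, sizeof resp, &token_len);
    if (response_discloses_stack_bits(resp, &token_len))
        result |= 1;

    build_response_fixed(resp, sizeof resp, &token_len);
    if (response_discloses_stack_bits(resp, &token_len))
        result |= 2;

    return result;
}

/* The fixed variant prints the intended value and nothing else. */
int fixed_prints_intended_value(void)
{
    int token_len = 42;
    char resp[64];
    build_response_fixed(resp, sizeof resp, &token_len);
    return strcmp(resp, "tokenLength: 42") == 0;
}

int main(void)
{
    printf("leak pattern (bit0=vulnerable, bit1=fixed): %d\n", leak_demo());
    return 0;
}
```

Because stack addresses of an `int` are at least 4-byte aligned, the fixed variant's output (42) can never coincide with the low address bits, so the check cleanly separates the two patterns. Building the uncast original with `-Wall -Werror=format` turns this class of pointer-to-integer format mismatch into a compile error.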

Impact

Exploitation of this vulnerability allows authenticated non-administrator users to access partial stack address information, which could be used to reduce the effectiveness of stack ASLR (Address Space Layout Randomization) protections, although it does not constitute a full bypass.

Reproduction

The vulnerability can be reproduced by sending an LDAP extended operation request while the SSO token feature is enabled. The type confusion occurs when the request is processed, leading to the unintentional disclosure of stack address information in the response. This has been confirmed on Fedora 42, where the leaked address could be used to infer details about the stack layout.

Remediation

Users are advised to disable the SSO token feature entirely, as this will prevent the vulnerable code path from being executed. Alternatively, network access to LDAP ports 389 and 636 can be restricted to trusted networks via firewall rules. Note that simply removing the SSO token secret from the configuration is not effective, as the server automatically generates a new secret at startup.

Added: Jun 9, 2026, 3:28 PM
Updated: Jun 9, 2026, 3:28 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 0.6
exploitability: 6.2
remediation: 8.3
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.