Incorrect size of buffer used to store LDAP-sanitized username leading to Heap Overflow

CVSS score: 5.7 (Medium)

Affected product: IBM Security Identity Manager Windows Password Synch Plug-in

Researcher: Krzysztof Andrusiak

The username handed to the password filter is sanitized before being inserted into an LDAP query: characters with special meaning in an LDAP filter are replaced with their escaped hexadecimal form ("\XX"), so every escaped character grows from one byte to three. The buffer allocated for the sanitized result is not sized for the worst case, in which every character of the username needs escaping (for example, a username consisting only of asterisk characters). In that case the tail of the sanitized username is written past the end of the buffer, corrupting the heap. Because a Windows password filter is loaded into the LSASS process, the resulting crash takes down LSASS and forces a reboot of the domain controller.
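The following C program is an added illustration of the sizing mistake described above; it is not the plug-in's code, and the advisory does not state the real buffer size, so the "len * 2 + 1" sizing in the demonstration is a hypothetical stand-in for any allocation smaller than three bytes per input character. The escape set ('*', '(', ')', '\' and NUL) is the RFC 4515 filter-escaping set, which matches the "\XX" form the advisory describes. Instead of performing the out-of-bounds write, overflow_bytes() computes how many bytes the escaped username would land past the end of an undersized buffer, and ldap_escape() shows the hardened allocation sized for the worst case.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters that must be escaped as \XX inside an LDAP search filter (RFC 4515). */
static int needs_escape(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0';
}

/* Length of the escaped form of `user`, not counting the NUL terminator.
   Each escaped character costs three bytes ("\2a"), every other one byte. */
size_t escaped_len(const char *user)
{
    size_t n = 0;
    for (; *user; user++)
        n += needs_escape((unsigned char)*user) ? 3 : 1;
    return n;
}

/* Model of the flaw: the caller allocated `buf_size` bytes for the result.
   Returns how many bytes the escaped string (plus its terminator) would be
   written past the end of that buffer; 0 means it fits. */
size_t overflow_bytes(const char *user, size_t buf_size)
{
    size_t need = escaped_len(user) + 1;
    return need > buf_size ? need - buf_size : 0;
}

/* Hypothetical undersized allocation standing in for the plug-in's real one:
   enough for some escapes, but not for every character being escaped. */
size_t undersized_alloc(const char *user)
{
    return strlen(user) * 2 + 1;
}

/* Hardened version: size the buffer for the worst case (3 bytes per input
   character plus NUL) and keep every write bounded by the capacity. */
char *ldap_escape(const char *user)
{
    size_t len = strlen(user);
    size_t cap = len * 3 + 1;
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;

    size_t pos = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (needs_escape(c)) {
            if (pos + 3 >= cap) /* unreachable with cap = 3*len+1; defensive bound */
                break;
            snprintf(out + pos, cap - pos, "\\%02x", (unsigned)c);
            pos += 3;
        } else {
            out[pos++] = (char)c;
        }
    }
    out[pos] = '\0';
    return out;
}

/* Convenience for checks: does ldap_escape(user) produce `expected`? */
int escapes_to(const char *user, const char *expected)
{
    char *e = ldap_escape(user);
    if (e == NULL)
        return 0;
    int ok = strcmp(e, expected) == 0;
    free(e);
    return ok;
}

int main(void)
{
    const char *benign = "alice";   /* constructed sample input */
    const char *worst  = "********"; /* constructed worst case: every byte escaped */

    printf("%-10s escaped=%zu alloc=%zu overflow=%zu bytes\n", benign,
           escaped_len(benign), undersized_alloc(benign),
           overflow_bytes(benign, undersized_alloc(benign)));
    printf("%-10s escaped=%zu alloc=%zu overflow=%zu bytes\n", worst,
           escaped_len(worst), undersized_alloc(worst),
           overflow_bytes(worst, undersized_alloc(worst)));

    char *safe = ldap_escape(worst);
    printf("hardened: %s\n", safe);
    free(safe);
    return 0;
}
```

The check a practitioner wants is the one in overflow_bytes(): compute the escaped length before copying, and either allocate 3 * len + 1 up front or reject usernames whose escaped form exceeds a fixed buffer. Under the assumed "len * 2 + 1" sizing, the all-asterisk username overflows by roughly one byte per character, exactly the "worst-case" input the advisory names.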

  • 17-12-2021 - Vulnerability reported to vendor
  • 20-12-2021 - First response from vendor
  • 22-04-2022 - Advisory published by IBM
  • 04-10-2023 - Public disclosure