Incorrect size of buffers used to store XML-sanitized credentials leading to Heap Overflow

CVSS: 5.7 (Medium)
Affected product: IBM Security Identity Manager Windows Password Synch Plug-in
Credit: Krzysztof Andrusiak

Credentials (username and password) passed to the password filter are sanitized by replacing certain characters with the corresponding HTML entities. When the “Governance” server type is used, buffers are allocated to store the result of this operation, but their size is insufficient for the worst case, in which every character is an apostrophe or a quote. In that case the buffer has room for all the expanded characters (the HTML entities) but not for the terminating NULL byte, leading to an off-by-one heap overflow.

To exploit this vulnerability an attacker would have to use a username or password consisting only of apostrophes or quotes. The default AD password complexity policy prevents such passwords. Exploitation is still possible if the attacker uses a password with the following structure ([NUL] is a NULL-byte character):
Password structure: [apostrophes] + [NUL] + [other characters]
Example password: ''''''''[NUL]RandomText1!

During the complexity check Windows parses the whole value, so the password is accepted and forwarded to the password filters. Since the ISIM plug-in treats incoming values as NULL-terminated strings, at some point the password becomes apostrophes only (characters past the NULL are dropped). In the end the XML-sanitizing function receives the truncated value, allowing exploitation of the vulnerability.
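The sizing mistake and the NUL-truncation step described above, as an added C example written for this page (it is not the plug-in's code, and IBM's actual entity table and allocation formula are not on the page). The entity table, the assumed buggy formula (six bytes per input byte with no room for the terminator), and the constructed password are all assumptions of this example. The safe variant computes the exact sanitized length, reserves one byte for the terminator, and refuses to write when the destination is too small.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Entity expansion used by this example (assumed; the plug-in's real table is
 * not on the page). The longest entries are 6 bytes, so one input byte can
 * grow to six output bytes. */
static const char *entity_for(char c)
{
    switch (c) {
    case '\'': return "&apos;";
    case '"':  return "&quot;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    default:   return NULL;
    }
}

/* Exact byte count of the sanitized form of s, excluding the terminating NUL.
 * s is read as a NUL-terminated string, which is how the advisory says the
 * plug-in treats incoming credentials. */
size_t sanitized_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        const char *e = entity_for(*s);
        n += e ? strlen(e) : 1;
    }
    return n;
}

/* Safe allocation size: every byte may expand to the longest entity (6 bytes),
 * and one more byte is needed for the terminator. */
size_t worst_case_alloc(size_t input_len)
{
    return input_len * 6 + 1;
}

/* Assumed shape of the buggy sizing from the advisory: room for the expanded
 * characters but not for the NUL terminator (not the plug-in's actual code). */
size_t buggy_alloc(size_t input_len)
{
    return input_len * 6;
}

/* Sanitize s into dst of capacity cap. Returns 0 on success, -1 if the result
 * plus its terminator would not fit; on -1 nothing is written to dst. */
int sanitize_xml(const char *s, char *dst, size_t cap)
{
    size_t need = sanitized_len(s) + 1;
    if (need > cap)
        return -1;
    char *p = dst;
    for (; *s; s++) {
        const char *e = entity_for(*s);
        if (e) {
            size_t l = strlen(e);
            memcpy(p, e, l);
            p += l;
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return 0;
}

/* Constructed password from the advisory: eight apostrophes, an embedded NUL,
 * then ordinary characters. The full value is 21 bytes (sizeof - 1), but a
 * NUL-terminated view of it stops after the apostrophes. */
static const char full_password[] = "''''''''\0RandomText1!";

/* Length of the password as a NUL-terminated consumer sees it (8, not 21). */
size_t visible_len(void)
{
    return strlen(full_password);
}

/* Sanitize into a scratch buffer limited to cap bytes; returns the sanitized
 * string, or NULL when the capacity check rejects the write. */
static char demo_out[256];
const char *sanitize_demo(const char *s, size_t cap)
{
    if (cap > sizeof demo_out)
        cap = sizeof demo_out;
    return sanitize_xml(s, demo_out, cap) == 0 ? demo_out : NULL;
}

int main(void)
{
    size_t n = visible_len();
    printf("password length as the plug-in sees it: %zu\n", n);
    printf("bytes needed incl. NUL: %zu, buggy alloc: %zu, safe alloc: %zu\n",
           sanitized_len(full_password) + 1, buggy_alloc(n), worst_case_alloc(n));
    if (sanitize_demo(full_password, buggy_alloc(n)) == NULL)
        printf("rejected: terminator does not fit in %zu bytes\n", buggy_alloc(n));
    printf("sanitized: %s\n", sanitize_demo(full_password, worst_case_alloc(n)));
    return 0;
}
```

With eight visible apostrophes the sanitized value is 48 bytes, so the buggy 48-byte allocation is exactly one byte short of holding the terminator; the capacity check in `sanitize_xml` is the part that turns the silent off-by-one into a refused write.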

  • 17-12-2021 - Vulnerability reported to vendor
  • 20-12-2021 - First response from vendor
  • 22-04-2022 - Advisory published by IBM
  • 04-10-2023 - Public disclosure