Microsoft Active Directory security vulnerability
SECURITYVULNS:DOC:2975, May 23, 2002 (archived at vulners.com)

A few weeks ago, I was developing a script to be run on UNIX that would query a Microsoft Active Directory server via LDAP. I authenticated to the Windows 2000 realm using Kerberos V (for information on Kerberos interoperability see http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.asp). I then used the OpenLDAP 2.0.23 ldapsearch tool (compiled with GSSAPI support to allow Kerberos V authentication) to return results from the Active Directory.

Everything worked fine for searches with small result sets. However, when I searched for large result sets, no results were returned. After some investigation, I determined that I might need to perform a paged search (see http://msdn.microsoft.com/library/en-us/netdir/ldap/paging_search_results.asp). Following the procedure in RFC 2696 (http://www.ietf.org/rfc/rfc2696.txt), I added the following lines of code to the ldapsearch tool (error checking has been omitted):


    /* ld is the LDAP handle ldapsearch already holds */
    LDAPControl c;
    LDAPControl *ctrls[2];                  /* NULL-terminated list of server controls */
    ctrls[0] = &c;
    ctrls[1] = NULL;
    c.ldctl_oid = "1.2.840.113556.1.4.319"; /* pagedResultsControl OID (RFC 2696) */
    c.ldctl_value.bv_val = NULL;            /* empty control value: no BER-encoded size or cookie */
    c.ldctl_value.bv_len = 0;
    c.ldctl_iscritical = 0;                 /* non-critical: the server may ignore the control */
    ldap_set_option(ld, LDAP_OPT_SERVER_CONTROLS, ctrls); /* attach to subsequent operations */


Basically, I was trying to create an LDAPv3 server control to tell the Active Directory server to perform a paged search. In this case, I passed it a page length of 0 (I did this as a test). Unfortunately, this test caused Active Directory to hang.

My guess is that Microsoft does not check for a zero value when setting the page size. Thus, in calculating the number of records to return per page, they divide by zero, causing the process to hang.
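As an added example (not code from the advisory or from OpenLDAP), the block below hand-encodes and then validates the RFC 2696 control value that the pagedResultsControl above is supposed to carry, realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }. The DER helpers, function names and error codes are my own so that it builds without ldap.h. The decoder shows the two input checks the report implies were missing on the server side: an empty control value and a page size of 0 are rejected before the size reaches any per-page arithmetic, while size 0 accompanied by a cookie is accepted as the RFC's way of ending a paged search.

```c
/* Added example, not the advisory's code: encode and validate the RFC 2696
 * pagedResultsControl value
 *   realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
 * with hand-rolled DER so it builds without OpenLDAP. All names are my own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { PAGED_OK = 0, PAGED_ABANDON = 1,      /* size 0 + cookie: client ends the search */
       PAGED_EMPTY = -1, PAGED_MALFORMED = -2, PAGED_ZERO_SIZE = -3 };

/* DER length octets (short or long form); returns bytes written, 0 if no room. */
static size_t der_put_len(uint8_t *out, size_t cap, size_t len) {
    size_t n = 0, tmp = len;
    if (len < 0x80) { if (cap < 1) return 0; out[0] = (uint8_t)len; return 1; }
    while (tmp) { n++; tmp >>= 8; }
    if (cap < 1 + n) return 0;
    out[0] = (uint8_t)(0x80 | n);
    for (size_t i = 0; i < n; i++) out[1 + i] = (uint8_t)(len >> (8 * (n - 1 - i)));
    return 1 + n;
}

static int der_get_len(const uint8_t *p, size_t avail, size_t *len, size_t *used) {
    if (avail < 1) return -1;
    if (p[0] < 0x80) { *len = p[0]; *used = 1; return 0; }
    size_t n = p[0] & 0x7f, v = 0;
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return -1;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *len = v; *used = 1 + n; return 0;
}

/* DER INTEGER for a non-negative 32-bit value (pads 0x00 when the top bit is set). */
static size_t der_put_uint(uint8_t *out, size_t cap, uint32_t v) {
    uint8_t tmp[5]; size_t n = 0;
    do { tmp[n++] = (uint8_t)(v & 0xff); v >>= 8; } while (v);
    if (tmp[n - 1] & 0x80) tmp[n++] = 0x00;
    if (cap < 2 + n) return 0;
    out[0] = 0x02; out[1] = (uint8_t)n;
    for (size_t i = 0; i < n; i++) out[2 + i] = tmp[n - 1 - i];
    return 2 + n;
}

/* Client side: build the control value. Returns its length, 0 on error. */
size_t encode_paged_control(uint32_t size, const uint8_t *cookie, size_t cookie_len,
                            uint8_t *out, size_t cap) {
    uint8_t body[512]; size_t blen, k;
    blen = der_put_uint(body, sizeof body, size);
    if (!blen || cookie_len > sizeof body - blen - 8) return 0;
    body[blen++] = 0x04;                        /* OCTET STRING cookie */
    k = der_put_len(body + blen, sizeof body - blen, cookie_len);
    if (!k) return 0;
    blen += k;
    if (cookie_len) memcpy(body + blen, cookie, cookie_len);
    blen += cookie_len;
    if (cap < 1) return 0;
    out[0] = 0x30;                              /* SEQUENCE */
    k = der_put_len(out + 1, cap - 1, blen);
    if (!k || cap < 1 + k + blen) return 0;
    memcpy(out + 1 + k, body, blen);
    return 1 + k + blen;
}

/* Server side: parse and validate before size is used in any per-page arithmetic. */
int decode_paged_control(const uint8_t *val, size_t len, uint32_t *size,
                         const uint8_t **cookie, size_t *cookie_len) {
    size_t l, u, ilen;
    uint32_t s = 0;
    if (len == 0) return PAGED_EMPTY;           /* the advisory's request: no value at all */
    if (val[0] != 0x30 || der_get_len(val + 1, len - 1, &l, &u) < 0 || 1 + u + l != len)
        return PAGED_MALFORMED;
    const uint8_t *p = val + 1 + u, *end = p + l;
    if (end - p < 2 || p[0] != 0x02) return PAGED_MALFORMED;
    ilen = p[1]; p += 2;
    if (ilen == 0 || ilen > 5 || (size_t)(end - p) < ilen) return PAGED_MALFORMED;
    if ((p[0] & 0x80) || (ilen == 5 && p[0] != 0)) return PAGED_MALFORMED; /* negative or > 32 bits */
    for (size_t i = 0; i < ilen; i++) s = (s << 8) | p[i];
    p += ilen;
    if (end - p < 2 || p[0] != 0x04) return PAGED_MALFORMED;
    if (der_get_len(p + 1, (size_t)(end - p - 1), &l, &u) < 0 || (size_t)(end - p - 1 - u) != l)
        return PAGED_MALFORMED;
    *size = s; *cookie = p + 1 + u; *cookie_len = l;
    if (s == 0) return l ? PAGED_ABANDON : PAGED_ZERO_SIZE; /* never divide by this */
    return PAGED_OK;
}

int main(void) {
    uint8_t buf[64], cookie[] = { 0x01, 0x02, 0x03 };  /* constructed sample cookie */
    const uint8_t *c; size_t n, clen; uint32_t sz;
    n = encode_paged_control(500, NULL, 0, buf, sizeof buf);
    printf("first page request: %zu bytes, rc=%d\n", n,
           decode_paged_control(buf, n, &sz, &c, &clen));
    n = encode_paged_control(0, cookie, sizeof cookie, buf, sizeof buf);
    printf("abandon: rc=%d\n", decode_paged_control(buf, n, &sz, &c, &clen));
    n = encode_paged_control(0, NULL, 0, buf, sizeof buf);
    printf("size 0, no cookie: rc=%d\n", decode_paged_control(buf, n, &sz, &c, &clen));
    printf("empty value: rc=%d\n", decode_paged_control(buf, 0, &sz, &c, &clen));
    return 0;
}
```

The decoder returns a distinct code for each bad shape rather than a boolean, so a server (or a defensive client library) can log which validation failed; the page size is only handed back to the caller once it is known to be a positive, in-range integer.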

Note that if anonymous queries are DISABLED (which they are on our server), this vulnerability can only be exploited by an authenticated user. I did not test this against a directory with anonymous queries enabled (I didn't have one), nor did I test it with simple (plain) authentication. I was always authenticated using Kerberos V + GSSAPI. The problem could very well be in the GSSAPI layer, not Active Directory itself.

This bug was reported to Microsoft on 5-13-2002; no response has been received.

Client Summary:

SunBlade 1000 running Solaris 8
MIT Kerberos V 1.2.5
Cyrus SASL 1.5.27
OpenLDAP 2.0.23

All compiled as 32-bit binaries. See http://www.bayour.com/LDAPv3-HOWTO.html for instructions on compiling OpenLDAP with Kerberos & GSSAPI support.