Microsoft Active Directory May Have Bug That Allows Remote Users to Crash the Directory
SecurityTracker Alert ID: 1004369
SecurityTracker URL: http://securitytracker.com/id/1004369
CVE Reference: GENERIC-MAP-NOMATCH (no matching CVE entry)
Date: May 24 2002
Impact: Denial of service via network
Exploit Included: Yes

Description:
A potential denial of service vulnerability was reported in Microsoft's Active Directory. A remote user may be able to cause Active Directory to hang. If anonymous queries are disabled, the remote user must be authenticated.
It is reported that a remote user who has authenticated to the Windows 2000 realm using Kerberos V can query an Active Directory server via LDAP in such a manner that the directory hangs.
The author notes that the fault may lie in the GSSAPI layer rather than in Active Directory itself: every test was run with Kerberos V + GSSAPI authentication, and neither simple (plain) authentication nor anonymous access was tried.
The hang was reportedly triggered with a paged search conducted using the OpenLDAP 2.0.23 ldapsearch tool, compiled with GSSAPI support to allow Kerberos V authentication. For information on conducting paged searches, see:
http://msdn.microsoft.com/library/en-us/netdir/ldap/paging_search_results.asp
Following RFC 2696, the author added the following lines to the ldapsearch tool (error checking omitted):
---------------------------------------
LDAPControl c;                            /* one server control for the search */
LDAPControl *ctrls[2];                    /* NULL-terminated list of controls */
ctrls[0] = &c;
ctrls[1] = NULL;
c.ldctl_oid = "1.2.840.113556.1.4.319";   /* pagedResultsControl OID (RFC 2696) */
c.ldctl_value.bv_val = NULL;              /* empty control value: no encoded size/cookie */
c.ldctl_value.bv_len = 0;
c.ldctl_iscritical = 0;                   /* non-critical: server may ignore it */
ldap_set_option(ld,LDAP_OPT_SERVER_CONTROLS,ctrls);
----------------------------------------
The author intended this as a test with a page size of 0, and the directory hung. Note that the control value actually sent is empty (bv_len = 0); RFC 2696 defines the value as the BER encoding of SEQUENCE { size INTEGER, cookie OCTET STRING }, so the server received a pagedResultsControl carrying no value rather than an encoded size of 0. The author's guess is that the server does not check for a zero page size and divides by zero when computing the records per page; this has not been confirmed.
The author notes that if anonymous queries are DISABLED, the flaw can only be triggered by a remote authenticated user.
The vendor was reportedly notified on May 13, 2002; no response had been received at the time of the report.
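The snippet above attaches the pagedResultsControl with an empty value (bv_val = NULL, bv_len = 0). RFC 2696 defines that value as the BER encoding of SEQUENCE { size INTEGER, cookie OCTET STRING }, so what the server received was a control with no value at all, not an encoded page size of 0. The C program below is an added example, not code from the report, from OpenLDAP or from Microsoft: it builds the control value the way a client should, and shows the checks a server should run on that value before the page size reaches any arithmetic, covering both degenerate inputs the report discusses (an empty value and an encoded size of 0). The 1024-byte cookie bound, the status names and the helper functions are assumptions made for this example; current OpenLDAP libldap provides ldap_create_page_control() for building the value rather than hand-encoding it.

```c
#include <stdint.h>
#include <string.h>
#define MAX_COOKIE 1024   /* assumed cookie bound; MAX_COOKIE + 16 leaves room for tags/lengths */

enum page_status {     /* server-side verdict on a received pagedResultsControl value */
    PAGE_OK = 0,       /* size > 0: start or continue a paged search                */
    PAGE_ABANDON,      /* size == 0 plus the server's cookie: abandon (RFC 2696)   */
    PAGE_EMPTY_VALUE,  /* controlValue absent or empty: what the posted snippet sent */
    PAGE_MALFORMED,    /* not a BER SEQUENCE { INTEGER size, OCTET STRING cookie }  */
    PAGE_ZERO_SIZE     /* size == 0 and no cookie: refuse instead of dividing by it */
};

static size_t put_len(uint8_t *o, size_t n)   /* BER length: short form < 128, else 1-2 octets */
{
    if (n < 0x80)  { o[0] = (uint8_t)n; return 1; }
    if (n < 0x100) { o[0] = 0x81; o[1] = (uint8_t)n; return 2; }
    o[0] = 0x82; o[1] = (uint8_t)(n >> 8); o[2] = (uint8_t)n; return 3;
}

static int get_len(const uint8_t *p, size_t avail, size_t *len, size_t *hdr)
{
    size_t k, i;
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; *hdr = 1; return 1; }
    k = p[0] & 0x7f;                               /* long form: k length octets follow */
    if (k == 0 || k > 2 || avail < 1 + k) return 0;
    for (*len = 0, i = 0; i < k; i++) *len = (*len << 8) | p[1 + i];
    *hdr = 1 + k;
    return 1;
}

/* Client side: BER-encode SEQUENCE { size INTEGER, cookie OCTET STRING } (RFC 2696).
 * Returns the bytes written to out, or 0 if the cookie is too long or out is too small. */
size_t encode_paged_control(uint32_t size, const uint8_t *cookie, size_t cookie_len,
                            uint8_t *out, size_t out_cap)
{
    uint8_t body[MAX_COOKIE + 16], be[4], ibuf[5];
    size_t n = 0, ilen = 0, first = 0, i;
    if (cookie_len > MAX_COOKIE) return 0;
    /* INTEGER: minimal big-endian two's complement; 0x00 prefix when the top bit is set */
    for (i = 0; i < 4; i++) be[i] = (uint8_t)(size >> (24 - 8 * i));
    while (first < 3 && be[first] == 0) first++;
    if (be[first] & 0x80) ibuf[ilen++] = 0x00;
    for (i = first; i < 4; i++) ibuf[ilen++] = be[i];
    body[n++] = 0x02; n += put_len(body + n, ilen);
    memcpy(body + n, ibuf, ilen); n += ilen;
    body[n++] = 0x04; n += put_len(body + n, cookie_len);
    if (cookie_len) memcpy(body + n, cookie, cookie_len);
    n += cookie_len;
    if (out_cap < n + 4) return 0;
    out[0] = 0x30;                                  /* SEQUENCE */
    i = 1 + put_len(out + 1, n);
    memcpy(out + i, body, n);
    return i + n;
}

/* Server side: validate the value before size is used in any arithmetic; on success
 * *size_out (if non-NULL) receives the requested page size. */
enum page_status parse_paged_control(const uint8_t *val, size_t val_len, uint32_t *size_out)
{
    const uint8_t *p, *end;
    size_t len, hdr, i;
    uint64_t size = 0;
    if (val == NULL || val_len == 0) return PAGE_EMPTY_VALUE;
    if (val[0] != 0x30 || !get_len(val + 1, val_len - 1, &len, &hdr)) return PAGE_MALFORMED;
    p = val + 1 + hdr; end = p + len;
    if (len != val_len - 1 - hdr) return PAGE_MALFORMED;   /* length must cover the whole value */
    /* size INTEGER: 1..5 octets, non-negative, must fit in 32 bits */
    if (end - p < 2 || p[0] != 0x02 || !get_len(p + 1, (size_t)(end - p - 1), &len, &hdr))
        return PAGE_MALFORMED;
    p += 1 + hdr;
    if (len == 0 || len > 5 || (size_t)(end - p) < len || (p[0] & 0x80)) return PAGE_MALFORMED;
    for (i = 0; i < len; i++) size = (size << 8) | p[i];
    if (size > 0xFFFFFFFFu) return PAGE_MALFORMED;
    p += len;
    /* cookie OCTET STRING must consume exactly the rest of the SEQUENCE */
    if (end - p < 2 || p[0] != 0x04 || !get_len(p + 1, (size_t)(end - p - 1), &len, &hdr))
        return PAGE_MALFORMED;
    p += 1 + hdr;
    if ((size_t)(end - p) != len) return PAGE_MALFORMED;
    if (size_out) *size_out = (uint32_t)size;
    if (size == 0) return len ? PAGE_ABANDON : PAGE_ZERO_SIZE;
    return PAGE_OK;
}

/* Encode a constructed control (dummy 0xAB cookie bytes) and hand it to the parser;
 * returns the server's verdict, or -1 if encoding failed. */
int encode_and_parse(uint32_t size, size_t cookie_len, uint32_t *decoded)
{
    uint8_t cookie[MAX_COOKIE], buf[MAX_COOKIE + 16];
    memset(cookie, 0xAB, sizeof cookie);
    size_t n = encode_paged_control(size, cookie, cookie_len, buf, sizeof buf);
    return n ? (int)parse_paged_control(buf, n, decoded) : -1;
}

uint32_t roundtrip_size(uint32_t size)   /* 0xFFFFFFFF signals an encode or parse failure */
{
    uint32_t d = 0xFFFFFFFFu;
    return encode_and_parse(size, 0, &d) < 0 ? 0xFFFFFFFFu : d;
}
```

The parser deliberately reports an empty value and an encoded size of 0 as two different conditions: the first is what the posted ldapsearch change actually sent, the second is what the author believed he was sending. A size of 0 is accepted only together with a cookie, since RFC 2696 uses that combination to let a client abandon a paged search; a size of 0 on an initial request never reaches the records-per-page calculation.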

Impact:
A remote authenticated user could cause the directory to hang (denial of service). If anonymous queries are permitted, an unauthenticated remote user may be able to do the same; the reporter did not test that configuration.

Solution:
No solution was available at the time of this entry.

Vendor URL: www.microsoft.com/windows2000/technologies/directory/ad/default.asp

Cause:
Exception handling error (the reporter suspects an unchecked zero page size leading to a divide by zero)

Underlying OS:
Windows (Any)

Message History:
None.

Source Message Contents

Date: 23 May 2002 14:55:46 -0000
Subject: Microsoft Active Directory security vulnerability

A few weeks ago, I was developing a script to be run on UNIX
that would query a Microsoft Active Directory server via
LDAP. I authenticated to the Windows 2000 Realm using
Kerberos V (for information on Kerberos interoperability see
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.asp).
I then used the OpenLDAP 2.0.23 ldapsearch tool (compiled
with GSSAPI support to allow Kerberos V authentication) to
return results from the Active Directory.
Everything worked fine for searches with small result sets.
However, when I searched for large result sets, no results
were returned. After some investigation, I determined that
I might need to perform a paged search (see
http://msdn.microsoft.com/library/en-us/netdir/ldap/paging_search_results.asp).
Following the procedure in rfc2696
(http://www.ietf.org/rfc/rfc2696.txt), I added the following
lines of code to the ldapsearch tool (error checking has
been omitted):
---------------------------------------
LDAPControl c;
LDAPControl *ctrls[2];
ctrls[0] = &c;
ctrls[1] = NULL;
c.ldctl_oid = "1.2.840.113556.1.4.319";
c.ldctl_value.bv_val = NULL;
c.ldctl_value.bv_len = 0;
c.ldctl_iscritical = 0;
ldap_set_option(ld,LDAP_OPT_SERVER_CONTROLS,ctrls);
----------------------------------------
Basically, I was trying to create an LDAPv3 server control
to tell the Active Directory server to perform a paged
search. In this case, I passed it a page length of 0 (I
did this as a test). Unfortunately, this test caused Active
Directory to hang.
My guess is that Microsoft does not check for a zero value
when setting the page size. Thus, in calculating the number
of records to return per page, they divide by zero, causing
the process to hang.
Note that if anonymous queries are DISABLED (which they are
on our server), this vulnerability can only be exploited by
an authenticated user. I did not test this against a
directory with anonymous queries enabled (I didn't have
one), nor did I test it with simple (plain) authentication.
I was always authenticated using Kerberos V + GSSAPI. The
problem could very well be in the GSSAPI layer, not Active
Directory itself.
This bug was reported to Microsoft on 5-13-2002; no response
has been received.
Client Summary:
SunBlade 1000 running Solaris 8
MIT Kerberos V 1.2.5
Cyrus SASL 1.5.27
OpenLDAP 2.0.23
-All compiled as 32-bit binaries. See
http://www.bayour.com/LDAPv3-HOWTO.html for instructions on
compiling OpenLDAP with Kerberos & GSSAPI support.