TUCoPS :: Windows :: win5365.htm

Microsoft Active Directory remote DoS
24th May 2002 [SBWID-5365]
COMMAND

	Microsoft Active Directory remote DoS

SYSTEMS AFFECTED

	Windows 2000 server

PROBLEM

	Jonathan Lamberson says :
	

	A few weeks ago, I was developing a script to be run on UNIX that  would
	query a Microsoft Active Directory server via LDAP. I  authenticated  to
	the Windows 2000 Realm using Kerberos V.  For  information  on  Kerberos
	interoperability see :
	

	http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.asp

	

	I then used the OpenLDAP 2.0.23 ldapsearch tool  (compiled  with  GSSAPI
	support to allow Kerberos V authentication) to return results  from  the
	Active Directory.
	

	Everything worked fine for searches with  small  result  sets.  However,
	when I searched for large result sets, no results were  returned.  After
	some investigation, I determined that I might need to  perform  a  paged
	search as described in :
	

	http://msdn.microsoft.com/library/en-us/netdir/ldap/paging_search_results.asp

	

	Following the procedure in rfc2696 :
	

	http://www.ietf.org/rfc/rfc2696.txt

	

	I added the following lines  of  code  to  the  ldapsearch  tool  (error
	checking has been omitted):
	

	---------------------------------------

	LDAPControl c;

	LDAPControl *ctrls[2];

	ctrls[0] = &c;

	ctrls[1] = NULL;

	

	c.ldctl_oid = \"1.2.840.113556.1.4.319\";

	c.ldctl_value.bv_val = NULL;

	c.ldctl_value.bv_len = 0;

	c.ldctl_iscritical = 0;

	

	ldap_set_option(ld,LDAP_OPT_SERVER_CONTROLS,ctrls);

	----------------------------------------

	

	Basically, I was trying to create an LDAPv3 server control to  tell  the
	Active Directory server to perform a  paged  search.  In  this  case,  I
	passed it a page length of 0 (I did  this  as  a  test).  Unfortunately,
	this test caused Active Directory to hang.
	

	My guess is that Microsoft does not check for a zero value when  setting
	the page size. Thus, in calculating the number of records to return  per
	page, they divide by zero, casing the process to hang.
	

	Note that if anonymous queries are  DISABLED  (which  they  are  on  our
	server), this vulnerability can only be exploited  by  an  authenticated
	user. I did not test this against a  directory  with  anonymous  queries
	enabled (I didn\'t have one), nor did I  test  it  with  simple  (plain)
	authentication. I was always authenticated using Kerberos  V  +  GSSAPI.
	The problem  could  very  well  be  in  the  GSSAPI  layer,  not  Active
	Directory itself.
	

	Client Summary:
	

	SunBlade 1000 running Solaris 8

	MIT Kerberos V 1.2.5

	Cyrus SASL 1.5.27

	OpenLDAP 2.0.23

	-All compiled as 32-bit binaries.  

	

	See :
	

	http://www.bayour.com/LDAPv3-HOWTO.html 

	

	for instructions  on  compiling  OpenLDAP  with  Kerberos  &  GSSAPI
	support.

SOLUTION

	none yet

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH