-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

            LDAP Buffer overflow against Microsoft Directory Services

March 16, 1999 19:00 GMT                                          Number J-036
______________________________________________________________________________
PROBLEM:       ISS X-Force has discovered a vulnerability in Microsoft
               Exchange's LDAP (Lightweight Directory Access Protocol)
               server, the service that allows LDAP clients read access
               to the Exchange server directory.
PLATFORM:      Microsoft Exchange Server version 5.5.
DAMAGE:        If exploited, an attacker could cause a buffer overflow
               which could lead to a denial of service or allow the
               attacker to execute arbitrary code.
SOLUTION:      Apply patch or workaround.
______________________________________________________________________________
VULNERABILITY  Risk is medium. The packet to cause the buffer overflow would
ASSESSMENT:    have to be a particular type or carefully crafted.
______________________________________________________________________________

[ Start ISS Advisory ]

ISS Security Advisory
March 15, 1999

LDAP Buffer overflow against Microsoft Directory Services

Synopsis:

ISS X-Force has discovered a buffer overflow exploit against Microsoft
Exchange's LDAP (Lightweight Directory Access Protocol) server which allows
read access to the Exchange server directory by using an LDAP client.  This
buffer overflow consists of a malformed bind request that overflows the
buffer and can execute arbitrary code.  This attack can also cause the
Exchange LDAP service to crash.  This vulnerability exists in Microsoft
Exchange Server version 5.5.

Description:

This exploit occurs during the LDAP binding process.
Binding involves logging in or authenticating to a directory, and consists
of sending a username, a password, and a binding method.

There are two methods in which to use this vulnerability against an Exchange
server.  The first consists of sending a particular type of invalid LDAP bind
packet which will cause an overflow to occur; this will cause the LDAP
service to crash.  The second uses a large malformed LDAP bind packet that is
carefully crafted to take advantage of the buffer overflow and can be used to
execute arbitrary code.

Recommendations:

Microsoft has made a patch available for the LDAP attack.  Patch information
is available at:

http://www.microsoft.com/security/bulletins/ms99-009.asp

Network administrators can protect internal systems from external attack by
adding a rule to a filtering router or firewall of the type:

Deny all incoming TCP packets with a destination port of 389.

Many firewalls or packet filters may already have more restrictive rulesets
that encompass this filtering rule, in which case the network is already
protected from an external attack.  Such a ruleset would include filtering
all incoming traffic to TCP port 389.

Additional Information:

These vulnerabilities were primarily researched by the ISS X-Force.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the electronic redistribution of this
Security Advisory.  It is not to be edited in any way without express consent
of the X-Force.  If you wish to reprint the whole or any part of this Security
Advisory in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Internet Security Systems, Inc. (ISS) is the leading provider of adaptive
network security monitoring, detection, and response software that protects
the security and integrity of enterprise information systems.
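The Description above explains that the overflow is triggered while the
server decodes a bind request.  What a server, or an inline filter in front of
TCP port 389, has to do before trusting any field of a bind is check that every
BER length fits inside its enclosing element and inside the packet, and that
the DN and credential fields stay within a size the server can actually buffer.
The following Python decoder is an added example and is not code from the ISS
advisory, this CIAC bulletin, or Microsoft; the MAX_FIELD policy limit and the
sample packets are constructed for this example, while the tag values come
from the LDAP/BER encoding rules.

```python
# Added example, not part of the CIAC bulletin or the ISS advisory: a defensive
# decoder for the LDAP BindRequest that rejects any packet whose BER lengths do
# not fit their enclosing element, or whose DN / credential exceeds a local
# size policy.  MAX_FIELD and the sample packets are constructed for this
# example; the tag constants are from the LDAP/BER encoding rules.

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # [0] primitive: simple password
TAG_AUTH_SASL = 0xA3      # [3] constructed: SASL credentials

MAX_FIELD = 1024          # assumed local policy: largest DN or credential accepted


class MalformedBind(ValueError):
    """Raised for any bind packet the decoder refuses to hand to a server."""


def _read_tlv(buf, pos, end):
    """Decode one BER tag-length header inside buf[pos:end].

    Returns (tag, value_start, value_end, next_pos).  The declared length is
    checked against the enclosing element before any slice is taken; this is
    the check a fixed-size copy into a stack buffer would otherwise skip.
    """
    if pos + 2 > end:
        raise MalformedBind(f"truncated element at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: (first & 0x7F) length bytes
        n = first & 0x7F
        if n == 0 or n > 4:               # indefinite form, or wider than 32 bits
            raise MalformedBind(f"unsupported length encoding at offset {pos - 1}")
        if pos + n > end:
            raise MalformedBind(f"truncated length field at offset {pos}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > end - pos:
        raise MalformedBind(f"declared length {length} exceeds enclosing element at offset {pos}")
    return tag, pos, pos + length, pos + length


def parse_bind_request(packet):
    """Validate an LDAPMessage carrying a BindRequest.

    Returns (message_id, version, name, auth_method); raises MalformedBind.
    """
    end = len(packet)
    tag, s, e, nxt = _read_tlv(packet, 0, end)
    if tag != TAG_SEQUENCE:
        raise MalformedBind("LDAPMessage is not a SEQUENCE")
    if nxt != end:
        raise MalformedBind("trailing bytes after LDAPMessage")

    tag, ms, me, pos = _read_tlv(packet, s, e)                # messageID
    if tag != TAG_INTEGER:
        raise MalformedBind("messageID is not an INTEGER")
    message_id = int.from_bytes(packet[ms:me], "big", signed=True)

    tag, bs, be, pos = _read_tlv(packet, pos, e)              # protocolOp
    if tag != TAG_BIND_REQUEST:
        raise MalformedBind(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    if pos != e:
        raise MalformedBind("unexpected data after BindRequest")

    tag, vs, ve, pos = _read_tlv(packet, bs, be)              # version
    if tag != TAG_INTEGER or ve - vs != 1 or not 1 <= packet[vs] <= 127:
        raise MalformedBind("bind version is not an INTEGER in 1..127")
    version = packet[vs]

    tag, ns, ne, pos = _read_tlv(packet, pos, be)             # name (LDAPDN)
    if tag != TAG_OCTET_STRING:
        raise MalformedBind("bind name is not an OCTET STRING")
    if ne - ns > MAX_FIELD:
        raise MalformedBind(f"bind name of {ne - ns} bytes exceeds policy limit")
    name = packet[ns:ne].decode("utf-8", errors="replace")

    tag, cs, ce, pos = _read_tlv(packet, pos, be)             # authentication
    if tag == TAG_AUTH_SIMPLE:
        method = "simple"
    elif tag == TAG_AUTH_SASL:
        method = "sasl"
    else:
        raise MalformedBind(f"unknown authentication choice 0x{tag:02x}")
    if ce - cs > MAX_FIELD:
        raise MalformedBind(f"credentials of {ce - cs} bytes exceed policy limit")
    if pos != be:
        raise MalformedBind("unexpected data after authentication choice")
    return message_id, version, name, method


def classify(packet):
    """Return ("ok", fields) or ("reject", reason) for one captured bind packet."""
    try:
        return "ok", parse_bind_request(packet)
    except MalformedBind as exc:
        return "reject", str(exc)


# Constructed sample packets (hand-encoded BER, not captured traffic).
GOOD_BIND = bytes.fromhex("300c020101600702010304008000")             # anonymous v3 bind
NAMED_BIND = (bytes.fromhex("301a02010260150201030408") + b"cn=admin"
              + bytes.fromhex("8006") + b"secret")                    # DN + simple password
TRUNCATED_NAME = bytes.fromhex("300c020101600702010304" "7f8000")     # name claims 127 bytes
ABSURD_LENGTH = bytes.fromhex("300e020101600902010304" "84ffffffff")  # name claims 4 GiB
OVERSIZED_DN = (bytes.fromhex("308207e0020101608207d9020103048207d0")
                + b"a" * 2000 + bytes.fromhex("8000"))                # consistent, but > MAX_FIELD

if __name__ == "__main__":
    for label, pkt in [("good", GOOD_BIND), ("named", NAMED_BIND),
                       ("truncated", TRUNCATED_NAME), ("absurd", ABSURD_LENGTH),
                       ("oversized", OVERSIZED_DN), ("trailing", GOOD_BIND + b"\x00")]:
        print(f"{label:10s} -> {classify(pkt)}")
```

classify() is the call a filter or detection sensor watching port 389 would
make per bind; the structural checks in _read_tlv alone are what a server must
do before copying any bind field into a buffer of fixed size, and the MAX_FIELD
policy is the extra bound that turns an unbounded DN or credential into a
logged rejection rather than a crash.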
By dynamically detecting and responding to security vulnerabilities and
threats inherent in open systems, ISS's SAFEsuite family of products provides
protection across the enterprise, including the Internet, extranets, and
internal networks, from attacks, misuse, and security policy violations.  ISS
has delivered its adaptive network security solutions to organizations
worldwide, including firms in the Global 2000, nine of the ten largest U.S.
commercial banks, and over 35 governmental agencies.  For more information,
call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at
http://www.iss.net.

Disclaimer

The information within this paper may change without notice.  Use of this
information constitutes acceptance for use in an AS IS condition.  There are
NO warranties with regard to this information.  In no event shall the author
be liable for any damages whatsoever arising out of or in connection with the
use or spread of this information.  Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.

[ End ISS Advisory ]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Internet Security Systems,
Inc. for the information contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.  CIAC can be
contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day.  During off hours (5PM - 8AM PST), call
the CIAC voice number 925-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page.  CIAC has two Sky Page PIN numbers: the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074, is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

World Wide Web:  http://www.ciac.org/
                 (or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP:   ftp.ciac.org (or ciac.llnl.gov -- they're the same machine)
Modem access:    +1 (925) 423-4753 (28.8K baud)
                 +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
Majordomo, which ignores E-mail header subject lines.
To subscribe (add yourself) to one of our mailing lists, send the following
request as the E-mail message body, substituting ciac-bulletin, spi-announce
OR spi-notes for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation that
you will need to mail back to the addresses above, as per the instructions in
the email.  This is a partial protection to make sure you are really the one
who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these communities,
please contact your agency's response team to report incidents.  Your agency's
team will coordinate with CIAC.  The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization.  A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-026: HP-UX rpc.pcnfsd Vulnerability
J-027: Digital Unix Vulnerabilities ( at , inc )
J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
J-029: Buffer Overflows in Various FTP Servers
J-030: Microsoft BackOffice Vulnerability
J-031: Debian Linux "Super" package Buffer Overflow
J-032: Windows Backdoors Update II:
J-033: SIG X server font path Vulnerability
J-034: Cisco 7xx TCP and HTTP Vulnerabilities
J-035: Linux Blind TCP Spoofing

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNu/m1rnzJzdsy3QZAQGfCQQAiglvr53XmnVxo7sPqiCYpE1dJQNsX4bh
59jfWhUghTQXgPRwWAAxwuyZXLVj+UfSnVE4gTLAuZMa+dArPh3pkbaU0/Dw1NvO
FA/B53LQh5XHrBmfzHAZFJE3mRJTsIBSlT1v3cMoAX4Cbhb1X/+F9LePSwa841g6
2yXgkxpFtLI=
=i7wV
-----END PGP SIGNATURE-----