LDAP Exchange overflow crashes LDAP server

ldap-exchange-overflow (1427)

High Risk

Description:

Microsoft Exchange Server is vulnerable to a denial of service attack, caused by a buffer overflow in the LDAP (Lightweight Directory Access Protocol) server. The LDAP server allows read access to the Exchange server directory by using an LDAP client. By sending a specially-crafted bind request to LDAP, an attacker can overflow the buffer and execute arbitrary code on the server or possibly cause the LDAP service to crash.

Platforms Affected:

• Microsoft, Exchange Server 5.5
• Microsoft, Windows 2000
• Microsoft, Windows NT 4.0
• Various vendors, LDAP

Remedy:

Filtering incoming packets destined for TCP port 389, the LDAP service port, can reduce vulnerability to attacks from external sources.

Apply the latest Microsoft Exchange 5.5 Service Pack (SP3 or later), as listed in Microsoft Knowledge Base Article Q191014. See References.

— OR —

As an alternative, Windows NT SP2 users can apply the post-SP2 DIR-fix patch, as listed in Microsoft Knowledge Base Article Q221989. See References.

Consequences:

Denial of Service

References:

• Internet Security Systems Security Alert #22, LDAP Buffer overflow against Microsoft Directory Services at http://www.iss.net/xforce/alerts/id/advise22.
• Microsoft Knowledge Base Article 191014, How to Obtain the Latest Exchange Server 5.5 Service Pack at http://support.microsoft.com/default.aspx?scid=kb;[LN];191014.
• Microsoft Knowledge Base Article 221989, XADM: Buffer Overrun in Exchange Server 5.5 LDAP Service at http://support.microsoft.com/default.aspx?scid=kb;[LN];221989.
• Microsoft Security Bulletin MS99-009, Patch Available for 'Malformed Bind Request' Vulnerability at http://www.microsoft.com/technet/security/bulletin/ms99-009.mspx.
• BID-503: NT IMail LDAP Buffer Overflow DoS Vulnerability
• CVE-1999-0385: The LDAP bind function in Exchange 5.5 has a buffer overflow that allows a remote attacker to conduct a denial of service or execute commands.

Reported:

Dec 08, 1998

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page