A flaw has been discovered in the way that Microsoft's Active Directory service handles large LDAP requests. This flaw could result in a denial of service.
The directory services provided by Microsoft's Active Directory are based on the Lightweight Directory Access Protocol (LDAP). Active Directory objects can be stored and retrieved using standard LDAPv3 requests. Core Security Technologies has discovered a flaw in the way the Active Directory service handles long LDAP requests.
This flaw occurs when an LDAP search request with more than 700 logical qualifiers (e.g., "AND" or "OR") is sent to the server. Exploitation of the flaw reportedly results in a stack overflow and subsequent crash of the Local Security Authority Sub-System (Lsass.exe) service. The death of the Lsass.exe process forces a shutdown of the Windows host system, resulting in a denial of service for the affected server.
Remote attackers may be able to crash the Active Directory server. This can result in a serious denial-of-service condition since the Active Directory service necessarily resides on Windows domain controllers. Unavailability of the domain controllers may affect normal operations within the domain.
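As a defensive illustration of the condition described above, the following added example (not part of the original advisory, and not Microsoft's or Core Security Technologies' code) counts the logical operators in an LDAP search filter and flags filters that exceed the 700-qualifier figure quoted here. It assumes filters are available in RFC 4515 string form, for example from an LDAP proxy log; the function names and sample filters are constructed for illustration.

```python
QUALIFIER_LIMIT = 700   # figure quoted in the advisory
LOGICAL_OPS = "&|!"     # AND, OR, NOT (counting NOT is an assumption)

def count_logical_qualifiers(filter_text):
    """Return (operator_count, max_nesting_depth) for one filter string.

    Scans iteratively rather than recursing, so a deeply nested filter
    cannot exhaust the checker's own stack. RFC 4515 requires literal
    parentheses in values to be escaped (\\28, \\29), so every "(" seen
    here is structural, and an operator is only valid right after one.
    """
    ops = depth = max_depth = 0
    after_open = False
    for ch in filter_text:
        if ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
            after_open = True
            continue
        if ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')'")
        elif after_open and ch.isspace():
            continue            # tolerate "( &", which some servers accept
        elif after_open and ch in LOGICAL_OPS:
            ops += 1
        after_open = False
    if depth:
        raise ValueError("unbalanced '('")
    return ops, max_depth

def flag_filters(filters, limit=QUALIFIER_LIMIT):
    """Return (filter, reason) pairs for filters that are malformed or
    carry more than `limit` logical operators."""
    flagged = []
    for text in filters:
        try:
            ops, _ = count_logical_qualifiers(text)
        except ValueError:
            flagged.append((text, "malformed"))
            continue
        if ops > limit:
            flagged.append((text, f"{ops} logical operators"))
    return flagged

# Constructed sample filters (not taken from real traffic).
SAMPLE_FILTERS = [
    "(&(objectClass=user)(cn=R&D*))",                 # "&" inside a value is not an operator
    "(|(&(a=1)(b=2))(!(c=3))(&(d=4)(|(e=5)(f=6))))",
    "(&(a=1)",                                        # unbalanced
]
```

The `limit` parameter can be lowered well below 700 for environments where legitimate applications never send filters of that size.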
Microsoft has included a patch for this issue in Windows 2000 Service Pack 4. For additional information, users are encouraged to review the following Microsoft Knowledge Base Articles:
Thanks to Core Security Technologies for discovering, researching, and reporting this vulnerability.
This document was written by Chad R Dougherty.
| Date First Published: | 2003-07-17 |
| Date Last Updated: | 2003-07-23 15:01 UTC |