Microsoft Windows Active Directory Remote Code Execution

Notification Type: IBM Internet Security Systems Protection Advisory
Notification Date: July 10, 2007
Notification Version: 1.0
   
Name: Microsoft Windows Active Directory Remote Code Execution
Public disclosure/
In the wild date:		 July 10, 2007 (vuln disclosure)
Aliases: MS07-039
CVE: CVE-2007-0040
Description:

By sending a specially-crafted LDAP request, a remote attacker could execute arbitrary code on a server running a vulnerable version of Microsoft Windows Active Directory.
Discoverer Neel Mehta, a researcher for IBM ISS X-Force

 

ISS Coverage
Product Content Version
Network Sensor 7.0
Proventia A
Proventia IPS (G/GX)
Server Sensor 7.0
Proventia Multifunction Appliance
Proventia Server (Linux)		 24.39
Proventia Server (Windows)
Proventia Desktop		 x.x.x.1780
RealSecure Desktop 7.0 CPJ
BlackICE PC Protection 3.6 CPJ
Propagation Techniques ISS Protection Available
remote exploit LDAP_Modify_Req_Bo July 14, 2006

Detailed Description
Business Impact: Active Directory services are the keystone of modern Windows networks, so this vulnerability, which allows a remote attacker to gain complete control of the server, along with the denial of service covered by the same patch are extremely serious.  IBM ISS X-Force recommends that administrators immediately enable protection and plan patching activity with the highest priority.
CVSS: Base Score: 10
  Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Impact Bias: Normal
Adjusted Temporal Score: 7.4
  Exploitability: Unproven
Remediation Level: Official-Fix
Report Confidence: Confirmed
Affected Products: For a full list of affected versions, see XFDB references below.
Technical Description: Microsoft Windows is vulnerable to a buffer overflow, caused by improper bounds checking of LDAP requests by Active Directory. By sending a specially-crafted LDAP request containing a larger than expected number of convertible attributes, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
Remediation: Microsoft has released a patch to remediate this issue.  See References for details.

References
XFDB http://xforce.iss.net/xforce/xfdb/35179
Microsoft http://www.microsoft.com/technet/security/bulletin/ms07-039.mspx

Revision History
1.0 Initial publication.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.