Oracle Internet Directory Pre-Authentication LDAP DoS Vulnerability
17 Jul. 2008
Summary
Internet Directory is "Oracle's implementation of the Lightweight Directory Access Protocol (LDAP) v3 service. It is used in conjunction with Oracle Identity Management to implement user administration in the Oracle environment". Remote exploitation of a pre-authentication input validation vulnerability in Oracle Corp.'s Oracle Internet Directory allows an attacker to conduct a denial of service attack on a vulnerable host.
Vulnerable Systems:
* Oracle Internet Directory for Windows version 10.1.4.0.1 with the April 2007 CPU installed
Internet Directory consists of two processes. One process acts as a listener. It handles incoming connections and passes them off to the second process. The second process, which handles requests, contains the vulnerability.
A malformed LDAP request can cause the handler process to dereference a NULL pointer, which crashes that process. Subsequent connection requests are still accepted by the listener process, but are closed immediately when it finds that there is no handler process running.
Analysis:
Exploitation of this vulnerability allows an attacker to deny service to legitimate users of the directory server. In order to exploit this issue, an attacker must be able to establish an LDAP session with the vulnerable server. This is typically done via TCP port 389 or the SSL-enabled TCP port 636. No authentication is needed. In order to restore functionality, the listener process must be stopped and restarted.
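A monitoring check for the failure state described above, as an added example that is not part of the original advisory: because the listener keeps accepting TCP connections after the handler has crashed, a plain port check still reports the service as up, so this probe sends an ordinary anonymous LDAPv3 bind and looks for a BindResponse. The function names and result labels are assumptions of this example, and it speaks plaintext LDAP only (port 389; port 636 would need a TLS wrapper).

```python
import socket
import sys

# BER-encoded LDAPv3 anonymous simple BindRequest, messageID 1 (a normal, well-formed request).
ANON_BIND = bytes.fromhex("300c020101600702010304008000")

def _ber_header(buf, pos):
    """Return (tag, length, content_offset) of the BER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long-form: next n bytes hold the length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def is_bind_response(data):
    """True if data starts an LDAPMessage whose protocolOp is BindResponse (tag 0x61)."""
    try:
        tag, _, pos = _ber_header(data, 0)         # LDAPMessage SEQUENCE
        if tag != 0x30:
            return False
        tag, length, pos = _ber_header(data, pos)  # messageID INTEGER
        return tag == 0x02 and data[pos + length] == 0x61
    except IndexError:
        return False

def probe_ldap(host, port=389, timeout=5.0):
    """Classify the endpoint; the result labels are this example's own."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect_failed"           # nothing accepting connections on the port
    with sock:
        try:
            sock.sendall(ANON_BIND)
            data = sock.recv(4096)
        except socket.timeout:
            return "no_reply"
        except OSError:
            return "closed_without_reply" # reset right after accept
    if not data:
        return "closed_without_reply"     # listener up, but no handler answered
    return "responding" if is_bind_response(data) else "unexpected_reply"

if __name__ == "__main__":
    # Usage: python probe.py <host> [port]; alert on anything but "responding".
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    print(host, port, probe_ldap(host, port))
```

A result of `closed_without_reply` on a port that still accepts connections matches the state the advisory describes, in which the listener must be stopped and restarted.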