
DOE-CIRC TECHNICAL BULLETIN

T-165: Microsoft Active Directory Encoded LDAP String Memory Corruption Remote Code Execution Vulnerability

[CVE-2009-1138]

June 18, 2009 16:00 GMT

PROBLEM: Microsoft Active Directory Encoded LDAP String Memory Corruption Remote Code Execution Vulnerability.
PLATFORM:
  Nortel Networks Self-Service WVADS 0
  Nortel Networks Self-Service VoiceXML 0
  Nortel Networks Self-Service Speech Server 0
  Nortel Networks Self-Service Peri Workstation 0
  Nortel Networks Self-Service Peri Application 0
  Nortel Networks Self-Service MPS 500 0
  Nortel Networks Self-Service MPS 1000 0
  Nortel Networks Self-Service MPS 100 0
  Nortel Networks Self-Service Media Processing Server 0
  Nortel Networks Self-Service CCXML 0
  Nortel Networks Self-Service - CCSS7 0
  Microsoft Windows 2000 Server SP4
  Microsoft Windows 2000 Datacenter Server SP4
  Microsoft Windows 2000 Advanced Server SP4
  Avaya Messaging Application Server MM 3.1
  Avaya Messaging Application Server MM 3.0
  Avaya Messaging Application Server MM 2.0
  Avaya Messaging Application Server MM 1.1
  Avaya Messaging Application Server 0
ABSTRACT: The LDAP service in Active Directory on Microsoft Windows 2000 SP4 does not properly free memory for LDAP and LDAPS requests, which allows remote attackers to execute arbitrary code via a request that uses hexadecimal encoding, whose associated memory is not released, related to a "DN AttributeValue," aka "Active Directory Invalid Free Vulnerability." NOTE: this issue is probably a memory leak.
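The "hexadecimal encoding" referred to in the abstract is the RFC 4514 form of a DN AttributeValue, in which the value is written as "#" followed by pairs of hex digits. The C program below is an added illustration, not Microsoft's Active Directory code and not a reproduction of this vulnerability: it decodes such a value into a heap buffer and shows the ownership discipline the bug class calls for, namely that the decoded buffer is released on every path, and exactly once, whether the input is well-formed or not. The function names (decode_hex_value, value_matches) and the sample values are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Decode one hex digit; returns -1 if the character is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode an RFC 4514 "#hex" attribute value into a fresh heap buffer.
 * On success returns the buffer (the caller owns it and must free() it
 * exactly once) and stores its length in *out_len. On malformed input it
 * returns NULL after releasing anything it allocated, so no path leaks.
 * Hypothetical helper written for this example. */
unsigned char *decode_hex_value(const char *val, size_t *out_len) {
    if (val == NULL || out_len == NULL || val[0] != '#') return NULL;
    const char *hex = val + 1;
    size_t n = strlen(hex);
    if (n == 0 || (n % 2) != 0) return NULL;   /* empty or odd-length hex is malformed */
    unsigned char *buf = malloc(n / 2);
    if (buf == NULL) return NULL;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval((unsigned char)hex[i]);
        int lo = hexval((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0) {
            free(buf);        /* the single owner releases on the error path */
            return NULL;
        }
        buf[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    *out_len = n / 2;
    return buf;
}

/* Example consumer: compares the decoded value with `expected` and frees
 * the buffer once on every return path.
 * Returns 1 on match, 0 on mismatch, -1 on malformed input. */
int value_matches(const char *dn_value, const char *expected) {
    size_t len = 0;
    unsigned char *decoded = decode_hex_value(dn_value, &len);
    if (decoded == NULL) return -1;           /* nothing allocated, nothing to free */
    int match = (len == strlen(expected)) && memcmp(decoded, expected, len) == 0;
    free(decoded);
    decoded = NULL;          /* defensive: a stale pointer cannot be freed twice */
    return match ? 1 : 0;
}

int main(void) {
    /* Constructed sample values: "#4a6f686e" is the hex encoding of "John". */
    printf("%d\n", value_matches("#4a6f686e", "John"));  /* 1  */
    printf("%d\n", value_matches("#4a6f68", "John"));    /* 0  */
    printf("%d\n", value_matches("#4a6f6", "John"));     /* -1 */
    return 0;
}
```

The point of the example is the pairing: a decoder that owns its buffer until it hands it over, and a caller that releases it on every path. A leak arises when a path forgets the free; an invalid free arises when a path frees a buffer it does not own or frees it a second time. Both are the kinds of defect a memory checker such as Valgrind or AddressSanitizer will report when run over this code with malformed inputs.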

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-165.shtml
  OTHER LINKS:
    CVE-2009-1138
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1719
    Microsoft
    http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx
    Security Focus
    http://www.securityfocus.com/bid/35226/info
    http://www.securityfocus.com/archive/1/504238
    NIST
    http://web.nvd.nist.gov/view/vuln/search?execution=e2s2
    Avaya
    http://support.avaya.com/elmodocs2/security/ASA-2009-214.htm

IMPACT ASSESSMENT: This risk is rated high. Attackers can exploit this issue to execute arbitrary code in the context of the application. Successful exploits will completely compromise the affected computer. Failed attacks will cause denial-of-service conditions.

[***** Start CVE-2009-1138 *****]
Discussion:
Microsoft issued a security bulletin which contained security advisory MS09-018. This security update resolves
vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active
Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. The more severe
vulnerability could allow remote code execution.

SOLUTION:
The vendor has released an advisory and updates. Please see the references for details.

Microsoft Windows 2000 Advanced Server SP4

Microsoft Security Update for Windows 2000 (KB969805)   
http://www.microsoft.com/downloads/details.aspx?familyid=bba6e20a-0345-46ae-a6f1-fd27fdee7c21&displaylang=en

Microsoft Windows 2000 Server SP4

Microsoft Security Update for Windows 2000 (KB969805)
http://www.microsoft.com/downloads/details.aspx?familyid=bba6e20a-0345-46ae-a6f1-fd27fdee7c21&displaylang=en

Microsoft Windows 2000 Datacenter Server SP4

Microsoft Security Update for Windows 2000 (KB969805)
http://www.microsoft.com/downloads/details.aspx?familyid=bba6e20a-0345-46ae-a6f1-fd27fdee7c21&displaylang=en
[***** End CVE-2009-1138 *****]

DOE-CIRC wishes to acknowledge the contributions of Joshua J. Drake of VeriSign iDefense Labs for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788