
CVE ID: CVE-2021-20572

Title: Stack overflow leading to domain controller denial of service

CVSS score: 6.5 (Medium)

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Product: IBM Security Identity Manager Windows Password Synch Plug-in

Version: 6.1.18

Discovered by: Krzysztof Andrusiak and Marcin Ogorzelski

The vulnerability allows an attacker to cause a denial of service via a specially crafted SamrValidatePassword request that triggers memory corruption (a stack-based buffer overflow). To exploit it, an attacker needs only a low-privileged domain account.

The Security Account Manager Remote Protocol (SAMR) implements the SamrValidatePassword operation, which validates a password against the defined password policy. The request may carry an account name, and that name is passed to the registered password filters without any validation, including length checks. An attacker can therefore send a request with an overly long account name (thousands of characters, which would never be the case for a real Active Directory account). Because the ISIM plug-in sizes the buffers that receive the account name without taking its length into account, copying the name corrupts the stack.
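The unchecked-length pattern described above, as an added example written for this page: it is not the ISIM plug-in's code (whose buffer size is not known), and the 256-character stack buffer, the helper names and the constructed inputs are assumptions. The UNICODE_STRING stand-in mirrors the Windows structure that password filters receive (byte counts, UTF-16, no guaranteed terminator), so the code builds on any platform. copy_name_vulnerable shows the bug; copy_name_checked is the hardened form, and the two constructed-input helpers show which headers and name lengths it accepts.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the Windows UNICODE_STRING handed to password filters:
 * Length and MaximumLength are byte counts, Buffer is UTF-16 and is not
 * guaranteed to be NUL-terminated. uint16_t caps Length at 65535 bytes,
 * i.e. about 32K characters, far beyond any real account name. */
typedef uint16_t WCHAR16;
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    WCHAR16 *Buffer;
} UNICODE_STRING;

#define NAME_BUF_CHARS 256   /* assumed fixed stack buffer size (hypothetical) */

/* Vulnerable pattern: the peer-controlled Length drives the copy into a
 * fixed-size stack array and nothing compares the two. Shown for contrast
 * only; never call it with an untrusted name. */
void copy_name_vulnerable(const UNICODE_STRING *AccountName)
{
    WCHAR16 name[NAME_BUF_CHARS];
    memcpy(name, AccountName->Buffer, AccountName->Length);   /* overflow */
    name[AccountName->Length / sizeof(WCHAR16)] = 0;          /* and again */
    (void)name;
}

/* Hardened form: validate the header before touching the buffer. Rejects
 * odd byte counts, Length > MaximumLength, and anything that does not fit
 * together with its terminator. Copies nothing on rejection. */
bool copy_name_checked(const UNICODE_STRING *AccountName,
                       WCHAR16 *out, size_t out_chars)
{
    if (AccountName == NULL || AccountName->Buffer == NULL || out == NULL)
        return false;
    if (AccountName->Length % sizeof(WCHAR16) != 0)
        return false;
    if (AccountName->Length > AccountName->MaximumLength)
        return false;
    size_t chars = AccountName->Length / sizeof(WCHAR16);
    if (chars >= out_chars)                 /* no room for the terminator */
        return false;
    memcpy(out, AccountName->Buffer, AccountName->Length);
    out[chars] = 0;
    return true;
}

/* Constructed input: a UNICODE_STRING with the given header values over a
 * zero-filled buffer of max_length bytes. Returns whether the checked copy
 * into a NAME_BUF_CHARS array accepts it. */
bool header_accepted(uint16_t length, uint16_t max_length)
{
    UNICODE_STRING u;
    u.Length = length;
    u.MaximumLength = max_length;
    u.Buffer = calloc(max_length ? max_length : 1, 1);
    WCHAR16 buf[NAME_BUF_CHARS];
    bool ok = copy_name_checked(&u, buf, NAME_BUF_CHARS);
    free(u.Buffer);
    return ok;
}

/* Constructed input shaped like the advisory's PoC name:
 * "Administrator)(!(cn=" + n apostrophes + ")", i.e. 21 + n characters.
 * Returns whether the checked copy accepts it. */
bool poc_name_accepted(size_t apostrophes)
{
    const char *prefix = "Administrator)(!(cn=";
    size_t n = strlen(prefix) + apostrophes + 1;
    if (n * sizeof(WCHAR16) > UINT16_MAX)   /* would not fit a real header */
        return false;
    WCHAR16 *wide = malloc(n * sizeof(WCHAR16));
    size_t i = 0;
    for (const char *p = prefix; *p; p++) wide[i++] = (WCHAR16)*p;
    for (size_t k = 0; k < apostrophes; k++) wide[i++] = (WCHAR16)'\'';
    wide[i++] = (WCHAR16)')';
    UNICODE_STRING u = { (uint16_t)(n * sizeof(WCHAR16)),
                         (uint16_t)(n * sizeof(WCHAR16)), wide };
    WCHAR16 buf[NAME_BUF_CHARS];
    bool ok = copy_name_checked(&u, buf, NAME_BUF_CHARS);
    free(wide);
    return ok;
}

int main(void)
{
    printf("13-char name accepted: %d\n", header_accepted(26, 26));
    printf("255-char name accepted: %d\n", header_accepted(510, 510));
    printf("256-char name accepted: %d\n", header_accepted(512, 512));
    printf("PoC name, 400 apostrophes, accepted: %d\n", poc_name_accepted(400));
    return 0;
}
```

With the PoC's 400 apostrophes the name is 421 characters, so the checked copy refuses it before a single byte reaches the stack. A product would normally also cap the name at a much smaller policy limit than the buffer size, but the buffer-relative check is the one that removes the memory-safety bug regardless of policy.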

The PoC was tested in the following environment:

  • Domain Controller: Windows Server 2019 (with default configuration and the ISIM plug-in)
  • Client machine: Windows 10 (with Python 3.9.2)

Password rules verification must be enabled in the ISIM plug-in for the vulnerability to be exploitable.

Steps to reproduce:

  1. Install the impacket module:
    python -m pip install impacket
  2. Copy the validatepassword.py file to the client machine.
  3. Open a new PowerShell window and change to the directory where validatepassword.py was stored.
  4. Execute the following command to send a "SamrValidatePassword" request with a specially crafted username. The username uses LDAP injection so that the plug-in's LDAP search still returns a valid user and execution reaches the code path that writes the account name onto the stack. Replace "[email protected]" with a domain user.
    python validatepassword.py -u ("Administrator)(!(cn=" + "'" * 400 + ")") -p [email protected]# [email protected]
    When prompted, enter the password for the chosen domain account ("[email protected]").
  5. The request should cause a stack overflow, crashing the "lsass.exe" process and rebooting the domain controller.
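The LDAP injection that step 4 relies on, as an added example that is not part of the advisory or of the plug-in. The plug-in's actual search filter is not shown on the page, so the (&(objectCategory=person)(sAMAccountName=<name>)) shape below is an assumption, chosen because the PoC name closes that term and its trailing parenthesis re-balances the filter. The block builds the filter by string concatenation (the injectable pattern) and with RFC 4515 escaping, then counts filter components to show the difference; it also shows that a parenthesis-balance check alone does not catch the crafted name. The sample name is a constructed, shortened version of the PoC's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of the advisory's crafted username, with five
 * apostrophes instead of 400 so it fits on a line. */
const char *POC_NAME_SAMPLE = "Administrator)(!(cn=''''')";

/* Assumed filter shape; the real plug-in's filter is not on the page. */
#define FILTER_FMT "(&(objectCategory=person)(sAMAccountName=%s))"

/* Bytes the RFC 4515 escaped form of value needs (without NUL). The
 * special characters are \ * ( ) and NUL; NUL cannot occur in a C
 * string, so the other four are handled here. */
size_t ldap_escaped_len(const char *value)
{
    size_t n = 0;
    for (; *value; value++)
        n += (*value == '\\' || *value == '*' ||
              *value == '(' || *value == ')') ? 3 : 1;
    return n;
}

/* Write the escaped value into out; out must hold ldap_escaped_len + 1. */
void ldap_escape_into(const char *value, char *out)
{
    static const char hex[] = "0123456789abcdef";
    for (; *value; value++) {
        unsigned char c = (unsigned char)*value;
        if (c == '\\' || c == '*' || c == '(' || c == ')') {
            *out++ = '\\';
            *out++ = hex[c >> 4];
            *out++ = hex[c & 0x0f];
        } else {
            *out++ = (char)c;
        }
    }
    *out = '\0';
}

/* Build the lookup filter. escape == false is the injectable concatenation
 * pattern; escape == true confines the name to one assertion value.
 * Returns false if the result does not fit. */
bool build_filter(const char *name, bool escape, char *out, size_t outsz)
{
    char escaped[2048];
    if (escape) {
        if (ldap_escaped_len(name) >= sizeof escaped)
            return false;
        ldap_escape_into(name, escaped);
        name = escaped;
    }
    int n = snprintf(out, outsz, FILTER_FMT, name);
    return n > 0 && (size_t)n < outsz;
}

/* Number of filter components (opening parentheses). The assumed shape
 * always has 3 for a legitimate name; more means the name injected
 * additional terms. Returns -1 when the filter could not be built. */
int filter_components(const char *name, bool escape)
{
    char filter[4096];
    if (!build_filter(name, escape, filter, sizeof filter))
        return -1;
    int count = 0;
    for (const char *p = filter; *p; p++)
        if (*p == '(') count++;
    return count;
}

/* Naive sanity check: are the parentheses balanced? The PoC name passes
 * this in both forms, which is why balance is not a defense. */
bool filter_balanced(const char *name, bool escape)
{
    char filter[4096];
    if (!build_filter(name, escape, filter, sizeof filter))
        return false;
    int depth = 0;
    for (const char *p = filter; *p; p++) {
        if (*p == '(') depth++;
        if (*p == ')' && --depth < 0) return false;
    }
    return depth == 0;
}

/* Exact comparison helper for the produced filter text. */
bool filter_equals(const char *name, bool escape, const char *expected)
{
    char filter[4096];
    if (!build_filter(name, escape, filter, sizeof filter))
        return false;
    return strcmp(filter, expected) == 0;
}

int main(void)
{
    char filter[4096];
    build_filter(POC_NAME_SAMPLE, false, filter, sizeof filter);
    printf("unescaped: %s  (%d components)\n", filter,
           filter_components(POC_NAME_SAMPLE, false));
    build_filter(POC_NAME_SAMPLE, true, filter, sizeof filter);
    printf("escaped:   %s  (%d components)\n", filter,
           filter_components(POC_NAME_SAMPLE, true));
    return 0;
}
```

Unescaped, the crafted name turns the three-term lookup into five terms, and the injected (!(cn='''''…)) term is true for every object, so the search still returns the Administrator account; escaped, every parenthesis in the name becomes \28 or \29 and the filter matches only an account literally named that way, which does not exist, so the vulnerable code path is never reached.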

Timeline:

  • 10-03-2021 - Vulnerability reported to vendor
  • 22-03-2021 - First response from vendor
  • 16-06-2021 - Vulnerability acknowledged by vendor
  • 29-06-2021 - Advisory published by IBM
  • 15-07-2021 - Public disclosure
  • 23-08-2021 - PoC release