Research & Development
$ #

CVE-2021-20573

Heap overflow leading to domain controller denial of service

5.7 (Medium)

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

IBM Security Identity Manager Windows Password Synch Plug-in

6.1.18

Krzysztof Andrusiak and Marcin Ogorzelski

Vulnerability allows an attacker to cause a denial of service via specially crafted SamrValidatePassword request, due to memory corruption (Heap Overflow). In order to exploit this vulnerability, an attacker must have access to low-privileged domain account.
The Security Account Manager Remote Protocol (SAMR) implements SamrValidatePassword operation, which can be used to validate a password against defined password policy. Account name can be included in the request and it will be passed into password filter without any validation (including length checks). This allows to send such request with overly long account name (thousands of characters, which would never be a case for real accounts in Active Directory). Since ISIM plug-in does not take account name length into consideration while allocating buffers containing that name, it would result in memory corruption.

PoC was tested in the following environment:

  • Domain Controller: Windows Server 2019 (with default configuration and ISIM plugin)
  • Client machine: Windows 10 (with Python 3.9.2)

Password rules verification must be enabled in ISIM plugin in order to exploit this vulnerability.

Steps to reproduce:

  1. Install impacket module using the following command:
    python -m pip install impacket
  2. Copy validatepassword.py file to client machine.
  3. Open new PowerShell window, then go to directory in which validatepassword.py file was stored.
  4. Execute the following command in order to send "SamrValidatePassword" request with excessively long username (8000 'A' characters). Replace "[email protected]" with domain user.
    python validatepassword.py -u ("A" * 8000) -p ComplexPass123!@# [email protected]
    When prompted, enter password for chosen domain account ("[email protected]").
  5. Sent request should cause heap overflow, leading to "lsass.exe" process crash and domain controller reboot.
  • 10-03-2021 - Vulnerability reported to vendor
  • 22-03-2021 - First response from vendor
  • 02-04-2021 - Vulnerability acknowledged by vendor
  • 29-06-2021 - Advisory published by IBM
  • 15-07-2021 - Public disclosure
  • 23-08-2021 - PoC release