CVE-2021-20573

Name

Heap overflow leading to domain controller denial of service

CVSS score

5.7 (Medium)

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Product name

IBM Security Identity Manager Windows Password Synch Plug-in

Confirmed exploitable versions

6.1.18

Researcher

Krzysztof Andrusiak and Marcin Ogorzelski

Description

Vulnerability allows an attacker to cause a denial of service via specially crafted SamrValidatePassword request, due to memory corruption (Heap Overflow). In order to exploit this vulnerability, an attacker must have access to low-privileged domain account.
The Security Account Manager Remote Protocol (SAMR) implements SamrValidatePassword operation, which can be used to validate a password against defined password policy. Account name can be included in the request and it will be passed into password filter without any validation (including length checks). This allows to send such request with overly long account name (thousands of characters, which would never be a case for real accounts in Active Directory). Since ISIM plug-in does not take account name length into consideration while allocating buffers containing that name, it would result in memory corruption.

Proof-of-concept

PoC was tested in the following environment:

Domain Controller: Windows Server 2019 (with default configuration and ISIM plugin)
Client machine: Windows 10 (with Python 3.9.2)

Password rules verification must be enabled in ISIM plugin in order to exploit this vulnerability.

Steps to reproduce:

Install impacket module using the following command:
python -m pip install impacket
Copy validatepassword.py file to client machine.
Open new PowerShell window, then go to directory in which validatepassword.py file was stored.
Execute the following command in order to send "SamrValidatePassword" request with excessively long username (8000 'A' characters). Replace "[email protected]" with domain user.
python validatepassword.py -u ("A" * 8000) -p ComplexPass123!@# [email protected]
When prompted, enter password for chosen domain account ("[email protected]").
Sent request should cause heap overflow, leading to "lsass.exe" process crash and domain controller reboot.

Timeline

10-03-2021 - Vulnerability reported to vendor
22-03-2021 - First response from vendor
02-04-2021 - Vulnerability acknowledged by vendor
29-06-2021 - Advisory published by IBM
15-07-2021 - Public disclosure
23-08-2021 - PoC release

References

https://www.ibm.com/support/pages/node/6465875
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-20573