CVE-2001-1320
Published 2001-07-16
Priority P3 · 45 · high · 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 68.32% (99.2th percentile)
Network Associates PGP Keyserver 7.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via exceptional BER encodings (possibly buffer overflows), as demonstrated by the PROTOS LDAPv3 test suite.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pgp | keyserver | — | — |
Detection & IOCs
bytes: \x30\x82\x01\xd9\x02\x01\x01\x60\x82\x01\xd2\x02\x01\x03\x04\x82\x01\xc9
bytes: \x30\xfe\x02\x01\x01\x63\x20\x04\x00\x0a\x01\x02\x0a\x01\x00\x02\x01\x00
- Detect exploitation attempts by monitoring TCP port 389 (LDAP) for malformed BER-encoded packets beginning with the PROTOS trigger byte sequence \x30\xfe\x02\x01\x01\x63\x20; the oversized length byte (\xfe) is anomalous for legitimate LDAP traffic.
- Alert on the presence of PGPcertd.exe spawning unexpected child processes or network connections, as successful exploitation targets this process via a stack return-address overwrite at 0x00436b23 (push esp; ret gadget).
- Flag LDAP bind/search requests containing exceptional or indefinite-length BER encodings (e.g., length octets inconsistent with actual payload size) targeting port 389, as this is the root trigger class described in the PROTOS LDAPv3 test suite.
- The WfsDelay may need to be increased in the Metasploit module to allow the egghunter sufficient time to locate the egg in memory before the payload executes; this means the exploit may appear slow or stalled in network captures.
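The length checks named in the bullets above, written out as an added example (it is not a rule or code from any of the indexed sources). The function name `check_ldap_header`, the four-octet limit and the benign bind request are assumptions constructed for illustration; the two prefixes are the byte strings listed above. It inspects only the outer header of a PDU, so the first listed prefix, whose outer length is well-formed, passes it.

```python
# Added example: sanity-check the outer BER header of one LDAP PDU seen on TCP 389.
MAX_LEN_OCTETS = 4  # assumption: a legitimate LDAP PDU length fits in 32 bits

def check_ldap_header(pdu, complete=True):
    """Return a list of anomaly strings; an empty list means the header is sane.

    complete=False skips the declared-vs-actual comparison, for inputs that
    are only the first bytes of a PDU (such as the prefixes on this page).
    """
    if len(pdu) < 2:
        return ["truncated before length octet"]
    findings = []
    if pdu[0] != 0x30:  # an LDAPMessage is a universal SEQUENCE
        findings.append("outer tag 0x%02x is not SEQUENCE" % pdu[0])
    first = pdu[1]
    if first == 0x80:  # RFC 4511 section 5.1: only the definite form is used
        return findings + ["indefinite length"]
    if first < 0x80:  # short form: the octet is the length itself
        declared, header = first, 2
    else:  # long form: the low 7 bits give the number of length octets
        count = first & 0x7F
        if count > MAX_LEN_OCTETS:
            return findings + ["length byte 0x%02x announces %d length octets"
                               % (first, count)]
        if len(pdu) < 2 + count:
            return findings + ["truncated inside length octets"]
        declared, header = int.from_bytes(pdu[2:2 + count], "big"), 2 + count
    actual = len(pdu) - header
    if complete and declared != actual:
        findings.append("declared length %d, actual payload %d" % (declared, actual))
    return findings

# Prefixes listed under "Detection & IOCs" (first 18 bytes only, so complete=False).
PAGE_PREFIX_A = (b"\x30\x82\x01\xd9\x02\x01\x01\x60\x82\x01\xd2"
                 b"\x02\x01\x03\x04\x82\x01\xc9")
PAGE_PREFIX_B = (b"\x30\xfe\x02\x01\x01\x63\x20\x04\x00\x0a\x01"
                 b"\x02\x0a\x01\x00\x02\x01\x00")
# Constructed sample: anonymous simple bind, message ID 1, LDAP version 3.
BENIGN_BIND = bytes.fromhex("300c020101600702010304008000")

if __name__ == "__main__":
    for name, pdu, whole in [("prefix A", PAGE_PREFIX_A, False),
                             ("prefix B", PAGE_PREFIX_B, False),
                             ("benign bind", BENIGN_BIND, True)]:
        print(name, check_ldap_header(pdu, complete=whole) or "ok")
```

A complete detector would also walk the nested TLVs and bound field sizes such as the bind name, which a header-only check like this does not see.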
No detection rules found.
Exploit-DB
Network Associates PGP KeyServer 7 - LDAP Buffer Overflow (Metasploit)
exploitdb·2010-11-14
---
##
# $Id: pgp_keyserver7.rb 11039 2010-11-14 19:03:24Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Network Associates PGP KeyServer 7 LDAP Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the LDAP service that is
part of the NAI PGP Enterprise product suite. This module was tested
against PGP KeyServer v7.0. Due to space restrictions, egghunter is
used to find our payload - therefore you may wish to adjust WfsDelay.
}
Metasploit
Network Associates PGP KeyServer 7 LDAP Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the LDAP service that is part of the NAI PGP Enterprise product suite. This module was tested against PGP KeyServer v7.0. Due to space restrictions, egghunter is used to find our payload - therefore you may wish to adjust WfsDelay.
No writeups or analysis indexed.
- http://ciac.llnl.gov/ciac/bulletins/l-116.shtml
- http://www.cert.org/advisories/CA-2001-18.html
- http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
- http://www.kb.cert.org/vuls/id/765256
- http://www.kb.cert.org/vuls/id/JPLA-4WESNK
- http://www.securityfocus.com/bid/3046
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6900
Published: 2001-07-16