CVE-2007-4566
Published: 2007-08-28

Priority: P356
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 15.33% (96.4th percentile)
Multiple buffer overflows in the login mechanism in sidvault in Alpha Centauri Software SIDVault LDAP Server before 2.0f allow remote attackers to execute arbitrary code via crafted LDAP packets, as demonstrated by a long dc entry in an LDAP bind.

Affected (1 range)

Vendor                    Product               Version range   Fixed in
alpha_centauri_software   sidvault_ldap_server  <= 2.0e         not listed (description: before 2.0f)

Detection & IOCs (extracted from sources)

  • port: 389
  • port: 4444
  • command: dc=<overflow_buffer> LDAP simple_bind
  • command: dc=<overflow_buffer> LDAP simple_bind (SEH variant)
  • other: JMP ESP 0xffffe777 (linux-gate.so)
  • other: JMP ESP 0x7C96BF33 (Shell32.dll XP SP3)
  • other: p/p/r ret 0x401029 (sidvault.exe)
  • other: SEH overwrite gadget \xE8\x18\xF3\xFF\xFF then \xEB\xF4\x90\x90 then \x29\x10\x40
  • other: SEH overwrite gadget \xE8\x15\xF3\xFF\xFF then nops(5) then \xEB\xF4\x90\x90 then \x29\x10\x40
  • other: Metasploit module exploit/windows/ldap/sidvault_ldap
  • bytes: 30 82 10 2f 02 01 01 63 82 10 28 04 82 10 06 64 63 3d
  • bytes: 30 82 12 10 02 01 01 60 82 12 09 02 01 03 04 82 10 fe 64 63 3d

  • Detect oversized LDAP bind requests with a 'dc=' attribute value exceeding normal length (>1024 bytes) on TCP port 389, indicative of buffer overflow exploitation against SIDVault.
  • Look for LDAP BindRequest packets with a BER-encoded message length field of 0x1210 or 0x102f (unusually large) in the packet header, matching the crafted exploit packet structure.
  • Detect LDAP simple bind requests where the DN field starts with 'dc=' followed by a payload of 1024+ bytes of repeated 0x41 ('A') characters, a classic junk buffer pattern used in all three exploit variants.
  • Alert on LDAP bind requests where the password field is filled with 256 bytes of 0x42 ('B'), a consistent pattern across multiple exploit PoCs for this CVE.
  • Monitor for outbound connections from the SIDVault process (sidvault.exe) to unexpected hosts, or new listening sockets on port 4444, which indicates successful shell_bind_tcp payload execution.
  • Detect the SEH overwrite byte sequence 0xE8 0x18/0x15 0xF3 0xFF 0xFF followed shortly by 0xEB 0xF4 0x90 0x90 within an LDAP packet payload, indicating SEH-based exploitation.
  • Flag use of the Metasploit module exploit/windows/ldap/sidvault_ldap in network or endpoint telemetry, including reverse TCP connections from the target on port 4444 back to the attacker.
  • The Linux exploit uses a hardcoded JMP ESP address from linux-gate.so (0xffffe777), which is VDSO-mapped and may vary across kernel versions; the Windows exploits use addresses specific to XP SP3 (Shell32.dll 0x7C96BF33) and sidvault.exe (0x401029).
  • The Windows SEH exploit targets SIDVault 2.0e specifically on Windows XP SP3; the universal ret address (0x401029 p/p/r from sidvault.exe) may not apply to other versions or OS configurations.
  • The Metasploit module enforces AlphanumUpper encoding and a stack adjustment of -3500 bytes; payloads not matching this encoding profile may fail, meaning detection rules relying on raw shellcode bytes may miss variants using different encoders.
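The detection notes above describe the pattern at the LDAP/BER level: an LDAPMessage whose BindRequest (tag 0x60) or SearchRequest (tag 0x63) carries a DN that starts with `dc=` and runs past 1024 bytes, a simple-bind password of 256 x 0x42, and the two message lengths quoted in the byte IOCs (0x102f and 0x1210). The following is an added example, not code from cvebase or from SIDVault, showing how a defender can decode those fields from a raw PDU instead of matching fixed byte strings. It walks the BER TLVs, reports the operation, the DN length and every reason the PDU matches the documented pattern. The 1024-byte threshold and the two message lengths are taken from the notes above; the sample packets are constructed here (the crafted one is built so that its header reproduces the second `bytes` IOC exactly, which doubles as a check that the decoder is reading the right fields).

```python
"""Decode raw LDAP PDUs and flag the oversized 'dc=' pattern documented for
CVE-2007-4566. Added example (not cvebase's or SIDVault's code); the
thresholds below come from the detection notes on the page."""

DC_MAX_LEN = 1024                        # page threshold for a suspicious dc= value
KNOWN_BAD_MSG_LENS = {0x102f, 0x1210}    # LDAPMessage lengths quoted in the byte IOCs


def ber_len(buf, pos):
    """Decode a BER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if not (first & 0x80):               # short form: one byte
        return first, pos
    n = first & 0x7F                     # long form: next n bytes hold the length
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def ber_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value_bytes, pos_after)."""
    tag = buf[pos]
    length, pos = ber_len(buf, pos + 1)
    return tag, buf[pos:pos + length], pos + length


def ber_encode(tag, value):
    """Encode tag + BER length + value. Used only to build sample input."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def inspect_ldap_pdu(pdu):
    """Describe one LDAPMessage and list why it matches the CVE-2007-4566 pattern."""
    tag, msg, _ = ber_tlv(pdu, 0)
    result = {"msg_len": len(msg), "op": None, "dn_len": None, "reasons": []}
    if tag != 0x30:                      # LDAPMessage is a SEQUENCE
        result["reasons"].append("not an LDAPMessage SEQUENCE")
        return result
    _, _msgid, pos = ber_tlv(msg, 0)     # messageID INTEGER
    op_tag, op, _ = ber_tlv(msg, pos)    # protocolOp (APPLICATION-tagged)
    result["op"] = op_tag
    if op_tag == 0x60:                   # BindRequest: version, name, authentication
        _, _version, p = ber_tlv(op, 0)
        _, dn, p = ber_tlv(op, p)
        auth_tag, auth, _ = ber_tlv(op, p)
        if auth_tag == 0x80 and len(auth) == 256 and set(auth) == {0x42}:
            result["reasons"].append("simple-bind password is 256 x 0x42 ('B')")
    elif op_tag == 0x63:                 # SearchRequest: baseObject comes first
        _, dn, _ = ber_tlv(op, 0)
    else:
        return result                    # other operations are not covered by the IOCs
    result["dn_len"] = len(dn)
    if dn.startswith(b"dc=") and len(dn) > DC_MAX_LEN:
        result["reasons"].append(f"dc= value of {len(dn)} bytes exceeds {DC_MAX_LEN}")
        if set(dn[3:]) == {0x41}:
            result["reasons"].append("dc= payload is a run of 0x41 ('A')")
    if len(msg) in KNOWN_BAD_MSG_LENS:
        result["reasons"].append(f"LDAPMessage length 0x{len(msg):x} matches a known PoC")
    return result


def build_bind(dn, password, msgid=1):
    """Build a simple-auth BindRequest PDU (constructed sample input only)."""
    op = ber_encode(0x60,
                    ber_encode(0x02, b"\x03")          # LDAP version 3
                    + ber_encode(0x04, dn)             # name (LDAPDN)
                    + ber_encode(0x80, password))      # simple authentication
    return ber_encode(0x30, ber_encode(0x02, bytes([msgid])) + op)


# Constructed samples: an ordinary bind, and one shaped like the documented PoC
# (dc= followed by junk 'A's, 256 'B's as the password). No shellcode involved.
BENIGN = build_bind(b"cn=admin,dc=example,dc=com", b"secret")
CRAFTED = build_bind(b"dc=" + b"A" * (0x10fe - 3), b"B" * 256)

if __name__ == "__main__":
    for name, pdu in (("benign", BENIGN), ("crafted", CRAFTED)):
        r = inspect_ldap_pdu(pdu)
        print(name, hex(r["msg_len"]), r["dn_len"], r["reasons"])
```

Because the decoder reads lengths from the BER headers rather than scanning for literal bytes, it also catches variants that change the padding byte or the total size (the third caveat above notes that encoder changes defeat raw-shellcode signatures); the length-based reasons fire regardless of the payload that follows the `dc=` value.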