Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This signature detects LDAP messages that would be processed by the vulnerable code paths in Microsoft's Active Directory implementation. Such messages can cause an invalid memory free, resulting in the execution of arbitrary code.
Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware: While the LDAP messages that reach the vulnerable portions of the Active Directory code can be positively identified, it is not possible to determine which of them would actually cause an invalid memory free. Expect this signature to fire on benign requests of the same form; treat an alert as a prompt to verify the patch level of the destination domain controller rather than as proof of exploitation.
High
Proventia Desktop: 2400, Proventia Network IPS: XPU 29.060, RealSecure Network: XPU 29.060, RealSecure Server Sensor: XPU 29.060, Proventia Network MFS: XPU 29.060, Proventia-G 1.1 and earlier: XPU 29.060, Proventia Network IDS: XPU 29.060, IBM Security Server Protection for Windows: 2.0.300.2400, IBM Security Server Protection for Windows: 1.0.914.2400, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Server IPS for Linux technology: 29.060, Virtual Server Protection for Vmware: 1.0
Microsoft Windows 2000: SP4
Unauthorized Access Attempt
Microsoft Windows 2000 could allow a remote attacker to execute arbitrary code on the system, caused by the improper freeing of memory in the Active Directory Lightweight Directory Access Protocol (LDAP) service. By sending a specially crafted LDAP or LDAPS request that uses hexadecimal encoding to a Global Catalog server on port 3268 (LDAP) or 3269 (LDAPS), a remote attacker could exploit this vulnerability to execute arbitrary code in the context of the LDAP service, which on a domain controller runs inside LSASS as SYSTEM.
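As an added example (not IBM's signature code and not taken from the referenced advisories), the following Python script applies the same detection idea as the signature above to decrypted request payloads: it decodes the outer BER structure of an LDAP request, extracts the target DN, and flags DN attribute values written in the RFC 4514 hexadecimal forms ('#hexstring' or '\XX' escapes) when the request is bound for Global Catalog port 3268 or 3269. Reading the advisory's "hexadecimal encoding" as those RFC 4514 DN value forms is an assumption of this example, as are the function names and the sample requests, which are constructed here rather than captured. Like the signature, it matches message shape only and cannot tell which messages would actually trigger the invalid free; traffic on 3269 must be TLS-terminated before the payload can be inspected at all.

```python
"""Flag LDAP requests to the Global Catalog ports whose target DN carries
hex-encoded attribute values (RFC 4514 '#hexstring' or '\\XX' escape forms).

Added example for this X-Force entry, not IBM's signature code. Like the
signature, it matches the message shape only: it cannot tell which of these
messages would actually cause the invalid free described in MS09-018.
"""
import re

GC_PORTS = {3268, 3269}   # Global Catalog LDAP / LDAPS ports named in the advisory

# RFC 4511 protocolOp APPLICATION tags whose first element is the target LDAPDN
DN_FIRST_OPS = {3: "searchRequest", 6: "modifyRequest", 8: "addRequest",
                12: "modDNRequest", 14: "compareRequest"}
DEL_REQUEST = 10          # delRequest is a primitive LDAPDN, no enclosing SEQUENCE


def _tlv(buf, pos):
    """Decode one definite-length BER TLV at buf[pos] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def extract_dn(message):
    """Return the target LDAPDN of an LDAP request, or None if the op has none."""
    tag, body, _ = _tlv(message, 0)
    if tag != 0x30:                        # LDAPMessage ::= SEQUENCE
        return None
    _, _msg_id, pos = _tlv(body, 0)        # messageID INTEGER (not needed here)
    op_tag, op_body, _ = _tlv(body, pos)
    if op_tag & 0xC0 != 0x40:              # protocolOp must be APPLICATION class
        return None
    op_num = op_tag & 0x1F
    if op_num == DEL_REQUEST:
        return op_body.decode("utf-8", "replace")
    if op_num in DN_FIRST_OPS:
        dn_tag, dn, _ = _tlv(op_body, 0)
        if dn_tag == 0x04:                 # LDAPDN ::= OCTET STRING
            return dn.decode("utf-8", "replace")
    return None


# RFC 4514 hex forms: a whole value as '#' + BER hex, or a '\XX' escaped byte
HEX_VALUE = re.compile(r"=\s*#(?:[0-9A-Fa-f]{2})+(?=[,+]|$)")
HEX_ESCAPE = re.compile(r"\\[0-9A-Fa-f]{2}")


def uses_hex_encoding(dn):
    """True if any attribute value in the DN string is hex-encoded."""
    return bool(HEX_VALUE.search(dn) or HEX_ESCAPE.search(dn))


def classify(dst_port, payload):
    """Return (alert, reason) for one request payload sent to dst_port.

    Port 3269 is LDAPS: this assumes TLS was terminated or decrypted upstream,
    otherwise the payload is opaque and no DN can be recovered."""
    if dst_port not in GC_PORTS:
        return False, "not a Global Catalog port"
    dn = extract_dn(payload)
    if dn is None:
        return False, "no DN-bearing request"
    if uses_hex_encoding(dn):
        return True, "hex-encoded DN attribute value: " + dn
    return False, "plain DN: " + dn


# --- constructed sample traffic for the demo (not captured exploit traffic) ---
def _ber(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def search_request(base_dn, msg_id=1):
    """Minimal SearchRequest: baseObject, wholeSubtree, no limits, (objectClass=*)."""
    op = (_ber(0x04, base_dn.encode()) + _ber(0x0A, b"\x02") + _ber(0x0A, b"\x00")
          + _ber(0x02, b"\x00") + _ber(0x02, b"\x00") + _ber(0x01, b"\x00")
          + _ber(0x87, b"objectClass") + _ber(0x30, b""))
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x63, op))   # [APPLICATION 3]


SAMPLES = [
    (3268, search_request("CN=#04024869,DC=example,DC=com")),   # '#hexstring' value
    (3268, search_request("CN=Jo\\41n Doe,DC=example,DC=com")),  # '\41' escape
    (3268, search_request("CN=Alice,DC=example,DC=com")),        # benign
    (389,  search_request("CN=#04024869,DC=example,DC=com")),   # not a GC port
]

if __name__ == "__main__":
    for port, pkt in SAMPLES:
        print(port, classify(port, pkt))
```

The BER decoder handles only the definite-length forms LDAP actually uses, and only the request types whose first element is the target DN; anything else is reported as carrying no DN rather than guessed at. Running it on the constructed samples alerts on the two hex-encoded DNs bound for port 3268 and stays quiet on the plain DN and on the same hex DN sent to port 389.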
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. Note that the original bulletin (MS09-018) has been superseded by the later Active Directory and LSASS bulletins listed under References; apply the most recent one that covers your platform.
Microsoft Security Bulletin MS09-018
Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx
iDefense PUBLIC ADVISORY: 06.11.09
Microsoft Active Directory Hexadecimal DN AttributeValue Invalid Free Vulnerability
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=804
NORTEL BULLETIN ID: 2009009557, Rev 1
Nortel Response to Microsoft Security Bulletin MS09-018
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=931975&poid=
Microsoft Security Bulletin MS09-066
Vulnerability in Active Directory Could Allow Denial of Service (973309)
http://www.microsoft.com/technet/security/bulletin/ms09-066.mspx
Microsoft Security Bulletin MS10-068
Vulnerability in Local Security Authority Subsystem Service Could Allow Elevation of Privilege (983539)
http://www.microsoft.com/technet/security/bulletin/ms10-068.mspx
Microsoft Security Bulletin MS11-005
Vulnerability in Active Directory Could Allow Denial of Service (2478953)
http://www.microsoft.com/technet/security/bulletin/ms11-005.mspx
Microsoft Security Bulletin MS11-086
Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)
http://www.microsoft.com/technet/security/bulletin/ms11-086.mspx
Microsoft Security Bulletin MS11-095
Vulnerability in Active Directory Could Allow Remote Code Execution (2640045)
http://technet.microsoft.com/en-us/security/bulletin/MS11-095
ISS X-Force
Microsoft Windows 2000 Active Directory LDAP code execution
http://www.iss.net/security_center/static/50759.php
CVE
CVE-2009-1138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1138