LDAP Injection [CWE-90] — The Hacktivists


LDAP Injection weakness describes improper neutralization of special elements used in LDAP queries.

Table of Content
1. Description
2. Potential impact
3. Attack patterns
4. Affected software
5. Severity and CVSS Scoring

This weakness describes a case where software does not properly validate external input before using it to construct LDAP queries. As a result, an attacker might be able to inject arbitrary LDAP filter syntax and run unintended queries against the directory server.

Let's assume we have a simple front-end application that searches Active Directory for the provided login and outputs the result. Our script consists of two parts: an HTML form and a PHP script.
HTML form

<form method="post" action="">
    <p>Login: <input type="text" name="user" value=""></p>
    <p>Password: <input type="password" name="pass" value=""></p>
    <p>Search for: <input type="text" name="login"></p>
    <input type="submit" name="submit" value="Enter">
</form>

PHP script

<?php
...
$username = htmlspecialchars(trim($_POST["user"]));
$upasswd  = htmlspecialchars(trim($_POST["pass"]));
$ldapbind = ldap_bind($ds, $username, $upasswd);
if ($ldapbind):
    // htmlspecialchars() neutralises HTML markup only; LDAP filter
    // metacharacters in "login" reach the filter unchanged.
    $filter = "(&(objectClass=user)(sAMAccountName=" . htmlspecialchars($_REQUEST["login"]) . "))";
    if (!($search = @ldap_search($ds, $ldapconfig['basedn'], $filter))) {
        echo("Unable to search ldap server<br>");
        echo("msg:'" . ldap_error($ds) . "'<br>"); # check the message again
    } else {
        $number_returned = ldap_count_entries($ds, $search);
        $info = ldap_get_entries($ds, $search);
        echo "<p>The number of entries returned is " . $number_returned . "<p><pre>";
        for ($i = 0; $i < $info["count"]; $i++) {
            print_r($info[$i]);
        }
        echo "</pre>";
    }
endif;
?>

The script is intended to output information on the user account whose login is passed in the $_REQUEST["login"] variable.

A regular LDAP query should look like this:

(&(objectClass=user)(sAMAccountName=test_account))

The script, however, does not escape LDAP special characters, which an attacker can use to abuse the functionality and perform arbitrary searches on the directory server.

An attacker can modify the LDAP request by replacing the login name with a crafted value, producing a new filter such as:

(&(objectClass=user)(sAMAccountName=*)(memberof=CN=Domain Admins,CN=Users,DC=testcompany,DC=local))

Once executed, the script returns information on all administrative users (members of Domain Admins) in Active Directory.
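To show the fix the article implies, here is an added example (not from the original article or from ImmuniWeb) that escapes the login per RFC 4515 before it enters the filter and contrasts that with the article's unescaped construction using the injected value above. In PHP the same escaping is ldap_escape($login, '', LDAP_ESCAPE_FILTER); the count_components() check and the sAMAccountName allowlist pattern are this example's own assumptions.

```python
"""RFC 4515 escaping for the article's sAMAccountName lookup (added example)."""
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_META = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape untrusted input so it can only ever be a literal value in a filter."""
    # Single pass over characters, so a backslash is never escaped twice.
    return "".join(_FILTER_META.get(ch, ch) for ch in value)


def build_filter_vulnerable(login: str) -> str:
    """Mirrors the article's PHP: htmlspecialchars() leaves LDAP metacharacters intact."""
    return f"(&(objectClass=user)(sAMAccountName={login}))"


def build_filter_safe(login: str) -> str:
    """Hardened form: the login is escaped, so it cannot close or add filter components."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(login)}))"


# Assumed allowlist for this application's logins (defence in depth, applied before escaping):
# sAMAccountName is at most 20 characters and never contains filter metacharacters.
_SAM_ACCOUNT_NAME = re.compile(r"[A-Za-z0-9._-]{1,20}")


def is_valid_sam_account_name(login: str) -> bool:
    return _SAM_ACCOUNT_NAME.fullmatch(login) is not None


def count_components(filter_str: str) -> int:
    """Count '(attr=' components; the intended query always has exactly two."""
    return len(re.findall(r"\([^()]*=", filter_str))


# Constructed sample input: the injected value from the article's walk-through.
INJECTED_LOGIN = "*)(memberof=CN=Domain Admins,CN=Users,DC=testcompany,DC=local"

if __name__ == "__main__":
    for label, build in (("vulnerable", build_filter_vulnerable), ("safe", build_filter_safe)):
        f = build(INJECTED_LOGIN)
        print(f"{label}: {f}  [components={count_components(f)}]")
    print("allowlist accepts injected login:", is_valid_sam_account_name(INJECTED_LOGIN))
```

The vulnerable builder reproduces the three-component filter shown above, while the escaped version keeps the injected text inside the sAMAccountName value and the filter at two components.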

In our scenario, this weakness can be used by an attacker to access potentially sensitive information for later use in other attacks. For example, an attacker can enumerate user accounts and perform a brute-force attack, or gain detailed knowledge of the network infrastructure, such as the number of computers and employees.

Depending on the vulnerable application and its functionality, an attacker might be able to gain access to potentially sensitive information, modify or delete data, and elevate privileges within the application. In a worst-case scenario, this weakness could lead to full system compromise.

Common Attack Pattern Enumeration and Classification (CAPEC) contains exploitation patterns for this weakness:

❏ CAPEC-136: LDAP Injection

The alternative threat classification from WASC describes this weakness as attack technique WASC-29 (LDAP Injection).

Software that uses a directory server to store and access information is potentially vulnerable to this weakness. Many corporate applications rely on LDAP-based SSO functionality, so extra attention should be paid to the security of such software.

LDAP injection, just like any other code injection weakness, can affect the confidentiality, integrity, and availability of the application. Depending on the application's functionality and its use of LDAP queries, an attacker might be able to read, modify, or delete information stored in the directory server, or even elevate privileges.

In the case of information disclosure to an unprivileged user, this weakness should be scored as:
5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N] — Medium severity.

In case of unauthorized data manipulation, this weakness should be scored as:
6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L] — Medium severity.

In the case of authentication bypass and privilege escalation, this weakness can be scored as:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] — Critical severity.

Credits: https://www.immuniweb.com/
