Penetration Testing mailing list archives

RE: LDAP directory

From: "Sacha Faust" <sacha () smugline net>
Date: Thu, 2 Aug 2001 21:09:54 -0400

the problem with LDAP is the fact that no standard is in place for ACL.
Using centralized solutions like the LTAP protocol (
http://ltap.bell-labs.com/ ) solves some of the ACL issues when you are
dealing with a Hybrid LDAP environment ( LTAP actually "solves/add" alot of
things in LDAP I suggess people look into it ). One of the things people
often forget is the fact that LDAP is used alot to create single singon
solutions and some user attributes are used to give information to the
remote service,device ... that is trying to authenticate something.

Those attibutes are very often forgotten and people can use them to do
anything they want.
A good example is a LDAP server that is used in a single signon solutions
that involve Linux and other devices. You would use pam_ldap to do the job
and you need to use the PosixUser ldap object that as multiple attributes
like UID and GID. Those attributes are basically pass along to the PAM
module that use them to give credentials to the user. What happen if a user
change is UID and GID attribute to 0 .... I am only talking about 2 of many
attributes used in this environment and all of them are dangerous. Another
issue to consider is the dynamic groups
and what is the correct synthax to really create a dynamic group that is
exacly what you want.
I've seen alot of dynamic group mess up because of the "unusual" synthax
used.

I played around with "LDAPMiner", which does some basic LDAP tests for

you.

LDAPMiner does check for things I've mention in this e-mail and is design to
recognize the different type of LDAP servers ( only MS Exchange and Netscape
Directory server is detected at the moment ) . I had to stop development of
LDAPMiner for the moment until I have decent access to different LDAP
servers. I am currently writing a multithreaded brute force module for
LDAPMiner but I have no idea when it will be available. If anyone is willing
to give me access to some LDAP servers I will be glad to continue working on
the project.



-----Original Message-----
From: BUGTRAQ [mailto:ivan.buetler () csnc ch]
Sent: Thursday, August 02, 2001 1:56 AM
To: peterraven () lycos com; pen-test () securityfocus com
Subject: RE: LDAP directory


Hi,

I my own opinion, pen-testing an ldap directory is mostly similar to audit a
file-system. You have objects (classes) containing attributes and you have
some objects you want to protect and others you will allow everyone to
access. ldap security will be secure, if you set proper access permissions.
If you just install ldap in it's default configuration, you might have some
troubles.

A major difference between the file-system issue and ldap is the distributed
topic. You have replications and distributed responsibilities. But at the
end, you need to do an administrative "BIND" by "cn=Manager" in order to
change the ldap behaviour as you would need "Domain Admin Rights" to change
the Windows file permissions.

Potential threats are:

- LDAP without SSL (for administration)
- Anonymous BIND contains write permissions
- Hacker tries to replicate by setting up his own LDAP server which he
controls
- Access to confidential data by an anonymous bind
- Access to confidential data by an authenticated bind but bad file
permissions
- Access to the "MANAGER" locally (without LDAP) by console application

I played around with "LDAPMiner", which does some basic LDAP tests for you.
But at the end, I am using simple tools like "GQ" or openldap utilities
"ldapsearch, ldapadd, etc" to do this tests.

Regards

Ivan

-----Original Message-----
From: Peter Raven [mailto:peterraven () lycos com]
Sent: Wednesday, August 01, 2001 3:02 PM
To: pen-test () securityfocus com
Subject: LDAP directory


Hi there,

does anyone have good starting points for pen-testing an LDAP directory
server? I'm looking for a threat analyses, security checklists, tools and
personal experiences especially on the LDAP service; not on the operating
system.

Thanks and greetings
Peter


Get 250 color business cards for FREE!
http://businesscards.lycos.com/vp/fastpath/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/




----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

LDAP directory Peter Raven (Aug 01)
- Re: LDAP directory Archive User (Aug 02)
- RE: LDAP directory BUGTRAQ (Aug 02)
  - RE: LDAP directory Sacha Faust (Aug 05)
- <Possible follow-ups>
- RE: LDAP directory Stephen Murphy (Aug 02)
- RE: LDAP directory Sacha Faust (Aug 07)