Vulnerability Development mailing list archives

Re: implementation problem in Microsoft LDAP?


From: "Laura A. Robinson" <lrobinson () intellimark-it com>
Date: Mon, 2 Jul 2001 20:49:12 -0400

Just out of curiosity, when AD was installed, was "Permissions compatible
with pre-Windows 2000 <yada yada yada>" left selected?

Laura Robinson
----- Original Message -----
From: "Jeremy Sanders" <jsanders () newsouthfederal com>
To: <Eliel.Sardanons () philips edu ar>; <focus-ms () securityfocus com>;
<vuln-dev () securityfocus com>
Sent: Monday, July 02, 2001 9:12 AM
Subject: Re: implementation problem in Microsoft LDAP?


I would think it would depend on the desired permissions of the anonymous
user. Some LDAP directories are intended for anonymous use, but this
functionality should be configurable within the directory. I know it is in
eDirectory's LDAP implementation. The ideal configuration should allow you
to completely disallow anonymous binding if that is the desired
configuration.

Sardañons, Eliel <Eliel.Sardanons () philips edu ar> 06/29/01 09:40AM >>>
Hello, I have been looking at the Microsoft LDAP service error code
responses, and when I'm not authenticated (anonymous) I can tell whether an
object exists or not. I would like to know if this is an implementation problem.

Problem 1:

Here we have a log of the saucer program (an LDAP client). As you can see,
I'm connected to 192.168.0.1:389 (LDAP) anonymously. When I make a search
for a user (or another object) that exists, it returns an 'LDAP_SUCCESS'
but no data in the response (because I'm not logged in). But when I make a
search trying to find a user or another object that doesn't exist, it returns
a 'No such object'. This can be used by an attacker to gather information
from the Windows box; for example, if somebody wants to know if an account
named 'test' exists, he can search for that user object, and if it returns an
LDAP_SUCCESS the user exists, so he can start trying to brute force that
account.

-------- Saucer LOG --------

/usr/local/ldap/openldap-2.0.4/contrib/saucer# ./saucer -h 192.168.0.1

Bound anonymously to ldap server
saucer dn=> show CN=Administrator,CN=Users,DC=dev,DC=local
Results...
saucer dn=> show CN=Administrators,CN=Users,DC=dev,DC=local
Results...
Error...
./saucer: No such object
        matched DN: "CN=Users,DC=dev,DC=local"
        additional info: 0000208D: NameErr: DSID-031001C9, problem 2001
(NO_OBJECT), data 0, best match of:
        'CN=Users,DC=dev,DC=local'

saucer dn=>

----- EOF --------

Problem 2:

Another problem I have seen is that when I use my brute force program
(brute_force_ldap) to try to guess a Windows password and I run 5 or more
instances of my program at the same time, like this:

./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_1 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_2 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_3 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_4 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_5 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_6 -l 8 &

the CPU usage on www.victim.com is at 100%!!! And the console is unusable on
the Windows box. I tried this using a non_existent_user and an existent_user,
and it consumes more resources with non-existent users.

So an attacker can use my program as a Distributed Denial of Service attack
(DDoS), running it from different machines at the same time against a single
target (www.victim.com).

SOLUTIONS:
Problem 1:
Return 'Object Not found' if the user has no privileges.
Problem 2:
RST the TCP connection if the user puts in wrong credentials, or
introduce a delay on each try.

Eliel C. Sardañons
eliel.sardanons () philips edu ar
Escuela Tecnica Philips Argentina
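A sketch of the two server-side fixes proposed in the post above, added here as an example; it is not code from this thread nor from any Microsoft, OpenLDAP or saucer component. It shows a bind handler that answers an unknown account and a wrong password with the same result code, refuses anonymous reads with the same noSuchObject the post asks for whether or not the entry exists, and imposes a growing per-client delay after each failed bind instead of letting every retry through at full speed. The directory contents, DNs, client addresses and the injectable clock are all constructed for the demonstration.

```python
"""Added example: bind throttling and uniform error codes for an LDAP server.
Not code from the thread or from any LDAP product; directory, DNs, client
addresses and the clock are constructed stand-ins.
"""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Result codes as named in RFC 4511; only the ones this example returns.
SUCCESS = 0
NO_SUCH_OBJECT = 32
INVALID_CREDENTIALS = 49
BUSY = 51  # returned while a client is still inside its back-off window


@dataclass
class _ClientState:
    failures: int = 0            # consecutive failed binds from this client
    last_failure: float = 0.0    # clock reading of the last failure
    blocked_until: float = 0.0   # clock reading before which binds are refused


@dataclass
class BindThrottle:
    """Exponential back-off on failed binds, keyed by client address."""
    base_delay: float = 1.0       # seconds imposed after the first failure
    max_delay: float = 60.0       # cap so a flood cannot lock a client out forever
    forget_after: float = 600.0   # failures older than this no longer count
    now: Callable[[], float] = field(default=time.monotonic)  # injectable clock
    _clients: Dict[str, _ClientState] = field(default_factory=dict)

    def retry_after(self, client: str) -> float:
        """Seconds the client still has to wait; 0.0 means a bind may be tried now."""
        st = self._clients.get(client)
        return 0.0 if st is None else max(0.0, st.blocked_until - self.now())

    def record(self, client: str, success: bool) -> float:
        """Record a bind outcome and return the delay imposed on the next attempt."""
        if success:
            self._clients.pop(client, None)   # a good bind clears the history
            return 0.0
        st = self._clients.setdefault(client, _ClientState())
        t = self.now()
        if t - st.last_failure > self.forget_after:
            st.failures = 0                   # stale history, start counting again
        st.failures += 1
        st.last_failure = t
        delay = min(self.max_delay, self.base_delay * 2 ** (st.failures - 1))
        st.blocked_until = t + delay
        return delay


# Constructed directory, DN -> password; not real accounts. A real server
# would of course store a password hash, not the password itself.
DIRECTORY = {
    "CN=Administrator,CN=Users,DC=example,DC=test": "correct horse battery staple",
}


@dataclass
class LdapServer:
    throttle: BindThrottle = field(default_factory=BindThrottle)
    directory: Dict[str, str] = field(default_factory=lambda: dict(DIRECTORY))
    authenticated: Dict[str, str] = field(default_factory=dict)  # client -> bound DN

    def bind(self, client: str, dn: str, password: str) -> int:
        if self.throttle.retry_after(client) > 0:
            return BUSY
        # Unknown DN and wrong password take the same path and yield the same
        # code, so a failed bind does not reveal whether the account exists.
        stored = self.directory.get(dn)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        self.throttle.record(client, ok)
        if ok:
            self.authenticated[client] = dn
            return SUCCESS
        return INVALID_CREDENTIALS

    def search(self, client: str, dn: str) -> Tuple[int, dict]:
        """Base-object read of dn. An anonymous client gets NO_SUCH_OBJECT whether
        or not the entry exists, which removes the oracle described in Problem 1."""
        if client not in self.authenticated:
            return NO_SUCH_OBJECT, {}
        if dn not in self.directory:
            return NO_SUCH_OBJECT, {}
        return SUCCESS, {"dn": dn}


if __name__ == "__main__":
    srv = LdapServer()
    dn = "CN=Administrator,CN=Users,DC=example,DC=test"
    print("anonymous read:", srv.search("10.0.0.5", dn))
    print("wrong password:", srv.bind("10.0.0.5", dn, "guess"))
    print("retry while throttled:", srv.bind("10.0.0.5", dn, "guess"))
    print("wait %.1fs before the next attempt" % srv.throttle.retry_after("10.0.0.5"))
```

The throttle is keyed by client address here; a production server would also key on the target DN, since the post's second scenario spreads the attempts across many source machines, and the delay alone does not reduce the CPU spent on the lookup itself, which is why the post also suggests resetting the connection.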



