Re: implementation problem in Microsoft LDAP?

[Timothy.Lyons () predictive com]

Jeremy,

Having just gone round and round with  Redmond on this one, it is my 
understanding that Microsoft does not have any means to set Access Control 
on the RootDSE even if we wanted to.  I believe it's still their position 
that access to the RootDSE should not be restricted and that the RFC 
supports this claim.

I vehemently disagree however...

--Tim






"Jeremy Sanders" <jsanders () newsouthfederal com>
07/02/2001 09:12

 
        To:     <Eliel.Sardanons () philips edu ar>, <focus-ms () securityfocus com>, 
<vuln-dev () securityfocus com>
        cc: 
        Subject:        Re: implementation problem in Microsoft LDAP?


I would think it would depend on the desired permissions of the anonymous 
user. Some LDAP directories are intended for anonymous use, but this 
functionality should be configurable within the directory. I know it is in 
eDirectory's LDAP implementation. The ideal configuration should allow you 
to completely disallow anonymous binding if that is the desired 
configuration.

> > > Sardañons, Eliel <Eliel.Sardanons () philips edu ar> 06/29/01 09:40AM >>>
Hello, I have been looking at the microsoft LDAP service error codes
responses and when I'm not authenticated (anonymous) I can know if an 
object
exists or not. I would like to know if this is an implementation problem. 

Problem 1:

Here we have a log of the saucer program (an ldap client) as you can see,
I'm connected to 192.168.0.1:389 (ldap) anonymously, when I make a search
for a user (or another object) that exist it returns to me a 'LDAP_SUCCES'
but no data in the response (because i'm not logged in). But when I make a
search trying to find a user or another object that doesn't exist it 
returns
a 'No such object'. This can be used by an attacker to gather information
from the windows box, for example if somebody want's to know if  an 
account
named 'test' exists, he can search for that user object and if it returns 
an
ldap_succes the user exist, so he can start trying to brute force that
account.

-------- Saucer LOG --------

/usr/local/ldap/openldap-2.0.4/contrib/saucer# ./saucer -h 192.168.0.1

Bound anonymously to ldap server
saucer dn=> show CN=Administrator,CN=Users,DC=dev,DC=local
Results...
saucer dn=> show CN=Administrators,CN=Users,DC=dev,DC=local 
Results...
Error...
./saucer: No such object
        matched DN: "CN=Users,DC=dev,DC=local"
        additional info: 0000208D: NameErr: DSID-031001C9, problem 2001
(NO_OBJECT), data 0, best match of:
        'CN=Users,DC=dev,DC=local'

saucer dn=> 

----- EOF --------

Problem 2:

Another problem I have seen is that when I use my brute force program
(brute_force_ldap) to try to guess a Windows password and I run 5 or more
instance of my program at the same time like this:

./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_1 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_2 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_3 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_4 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_5 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_6 -l 8 &

the CPU usage in www.victim.com is at 100%!!! And the console is unusable 
in
the windows box. I try this using a none_existent_user and an 
existent_user
and it consumes more resources with non existent users.

So an attacker can use my program as a Distributed Denial Of service 
Attack
(ddos) running it from different machines at the same time with a unique
target. (www.victim.com).

SOLUTIONS:
                 Problem 1:
                                 Return 'Object Not found' if the user has 
no priviliges. 
                 Problem 2:
                                 RST the TCP connection if the user put 
wrong credentials or
introduce a delay in each try.

Eliel C. Sardañons
eliel.sardanons () philips edu ar 
Escuela Tecnica Philips Argentina