Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

implementation problem in Microsoft LDAP?

From: Sardañons, Eliel <Eliel.Sardanons () philips edu ar>
Date: Fri, 29 Jun 2001 11:40:29 -0300
Hello, I have been looking at the microsoft LDAP service error codes
responses and when I'm not authenticated (anonymous) I can know if an object
exists or not. I would like to know if this is an implementation problem. 

Problem 1:

Here we have a log of the saucer program (an ldap client) as you can see,
I'm connected to 192.168.0.1:389 (ldap) anonymously, when I make a search
for a user (or another object) that exist it returns to me a 'LDAP_SUCCES'
but no data in the response (because i'm not logged in). But when I make a
search trying to find a user or another object that doesn't exist it returns
a 'No such object'. This can be used by an attacker to gather information
from the windows box, for example if somebody want's to know if  an account
named 'test' exists, he can search for that user object and if it returns an
ldap_succes the user exist, so he can start trying to brute force that
account.

-------- Saucer LOG --------

/usr/local/ldap/openldap-2.0.4/contrib/saucer# ./saucer -h 192.168.0.1

Bound anonymously to ldap server
saucer dn=> show CN=Administrator,CN=Users,DC=dev,DC=local
Results...
saucer dn=> show CN=Administrators,CN=Users,DC=dev,DC=local       
Results...
Error...
./saucer: No such object
        matched DN: "CN=Users,DC=dev,DC=local"
        additional info: 0000208D: NameErr: DSID-031001C9, problem 2001
(NO_OBJECT), data 0, best match of:
        'CN=Users,DC=dev,DC=local'

saucer dn=> 

----- EOF --------

Problem 2:

Another problem I have seen is that when I use my brute force program
(brute_force_ldap) to try to guess a Windows password and I run 5 or more
instance of my program at the same time like this:

./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_1 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_2 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_3 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_4 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_5 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_6 -l 8 &

the CPU usage in www.victim.com is at 100%!!! And the console is unusable in
the windows box. I try this using a none_existent_user and an existent_user
and it consumes more resources with non existent users.

So an attacker can use my program as a Distributed Denial Of service Attack
(ddos) running it from different machines at the same time with a unique
target. (www.victim.com).

SOLUTIONS:
        Problem 1:
                Return 'Object Not found' if the user has no priviliges. 
        Problem 2:
                RST the TCP connection if the user put wrong credentials or
introduce a delay in each try.

Eliel C. Sardañons
eliel.sardanons () philips edu ar
Escuela Tecnica Philips Argentina
Previous By Date Next
Previous By Thread Next

Current thread: