{"id":1403,"date":"2025-01-04T00:23:31","date_gmt":"2025-01-04T00:23:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1403"},"modified":"2025-01-04T00:23:31","modified_gmt":"2025-01-04T00:23:31","slug":"critical-windows-ldap-flaw-could-lead-to-crashed-servers-rce-attacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1403","title":{"rendered":"Critical Windows LDAP flaw could lead to crashed servers, RCE attacks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Researchers have published a proof-of-concept exploit for a pair of Windows Lightweight Directory Access Protocol (LDAP) flaws that could lead to server crashes or remote code execution (RCE) on Windows servers.<\/p>\n<p>\u201cActive Directory Domain Controllers (DCs) are considered to be one of the crown jewels in organizational computer networks,\u201d noted researchers at security firm SafeBreach, who investigated the flaws. \u201cVulnerabilities found in DCs are usually much more critical than those found in usual workstations. The ability to run code on a DC or crash Windows servers heavily affects network security posture.\u201d<\/p>\n<p>The vulnerabilities, designated <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-49112\">CVE-2024-49112<\/a> (severity 9.8 out of 10) and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-49113\">CVE-2024-49113<\/a> (severity 7.5), were patched in Microsoft\u2019s December 2024 Patch Tuesday updates, with few details. 
However, this week SafeBreach published a <a href=\"https:\/\/www.safebreach.com\/blog\/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113\/\">detailed analysis<\/a> of the flaws, along with a proof-of-concept exploit of CVE-2024-49113 that the firm\u2019s researchers said affects any unpatched Windows server, not just domain controllers. The only requirement is that the DNS server on the victim DC has internet connectivity.<\/p>\n<p>SafeBreach dubbed the exploit \u201cLDAPNightmare.\u201d<\/p>\n<p>Although Microsoft has published virtually nothing about CVE-2024-49113, its <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-49112\">FAQ for CVE-2024-49112<\/a> provided additional information about the flaw:<\/p>\n<p>\u201cA remote unauthenticated attacker who successfully exploited this vulnerability would gain the ability to execute arbitrary code within the context of the LDAP service. However, successful exploitation is dependent upon what component is targeted.<\/p>\n<p>In the context of exploiting a domain controller for an LDAP server, to be successful an attacker must send specially crafted RPC calls to the target to trigger a lookup of the attacker\u2019s domain to be performed in order to be successful.<\/p>\n<p>In the context of exploiting an LDAP client application, to be successful an attacker must convince or trick the victim into performing a domain controller lookup for the attacker\u2019s domain or into connecting to a malicious LDAP server. 
However, unauthenticated RPC calls would not succeed.\u201d<\/p>\n<p>Based on that information, SafeBreach directed its efforts toward executables and dynamic link libraries (DLLs) that implement LDAP client logic, settling on lsass.exe or one of the DLLs it loads as the likely location for the bug.<\/p>\n<p>After the researchers isolated the offending DLL \u2014 wldap32.dll \u2014 they found a way to trick the victim into sending an LDAP request to the attacker\u2019s domain and to return a response that crashed lsass.exe and, with it, the entire operating system. (See the <a href=\"https:\/\/www.safebreach.com\/blog\/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113\/\">analysis for additional details<\/a>.)<\/p>\n<p>The researchers are now working on another exploit that doesn\u2019t crash the system, instead allowing RCE.<\/p>\n<p>To make life more interesting for infosec pros, Microsoft noted in its FAQ that an attacker could use inbound RPC tunnels to exploit the vulnerabilities. It recommended that customers who can\u2019t patch immediately prevent DCs from accessing the internet or disallow inbound RPC from untrusted networks, noting, \u201capplying the mitigations will decrease the risk of an attacker successfully convincing or tricking a victim into connecting to a malicious server. If a connection is made, the attacker could send malicious requests to the target over SSL.\u201d<\/p>\n<p>It added, however, \u201capplying both configurations provides an effective defense-in-depth against this vulnerability.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Researchers have published a proof-of-concept exploit for a pair of Windows Lightweight Directory Access Protocol (LDAP) flaws that could lead to server crashes or remote code execution (RCE) on Windows servers. 
\u201cActive Directory Domain Controllers (DCs) are considered to be one of the crown jewels in organizational computer networks,\u201d noted researchers at security firm SafeBreach, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1404,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1403","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1403"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1403"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1403\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1404"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}