PSA08-010.txt
Posted Nov 14, 2008
Authored by Bernardo Damele | Site portcullis-security.com

Portcullis Security Advisory - An information disclosure vulnerability exists in the manner that Microsoft LDAP server responds when binding to the LDAP server. In the case when an invalid password is provided, the server will respond with result code 49 (invalidCredentials) and an error message. A different error message is returned if an invalid username is provided.

tags | advisory, info disclosure
SHA-256 | 10233417213d8d65b5b5a8767722479605da8d41d2277ed5635cd913f03bc3e7

Portcullis Security Advisory - 08-010


Vulnerable System:

Microsoft Windows Active Directory LDAP Server


Vulnerability Title:

Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability


Vulnerability Discovery And Development:

Portcullis Security Testing Team


Credit For Discovery:

Bernardo Damele Assumpcao Guimaraes - Portcullis Computer Security Ltd


Affected systems:

Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 Service Pack 2


Details:

An information disclosure vulnerability exists in the manner that Microsoft LDAP server responds when binding to the LDAP server. In the case when an invalid password is provided, the server will respond with result code 49 (invalidCredentials) and an error message. A different error message is returned if an invalid username is provided.

For an existing user the bind response is similar to:
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

For a non-existent user, the following error message is returned:
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

As you can see, the values 52e and 525 differ. The meaning associated with 52e is 'invalid credentials'; the meaning associated with 525 is 'user not found'. The server can respond with seven other error codes, which makes it possible to infer further information about the status of the account, such as "account has expired" or "user account locked".
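The following is an added example, not part of the Portcullis advisory or the Packet Storm page: a defender-side parser for the AcceptSecurityContext diagnostic string quoted above, together with detection logic that runs over a constructed set of failed-bind events and flags the enumeration pattern the advisory describes. Sub-codes 525 and 52e come from the advisory; the other seven entries in the table are Microsoft's documented Active Directory bind sub-codes, which the advisory refers to without listing. The source addresses, usernames and the helper `_diag` are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Diagnostic string format quoted in the advisory, e.g.
#   80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
# The only field that varies with the account's state is "data".
BIND_ERR_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+), (?P<tail>\w+)"
)

# Sub-codes Active Directory places in the "data" field of a failed simple bind.
# 525 and 52e are the two quoted in the advisory; the remaining seven are the
# documented AD bind sub-codes the advisory mentions without listing.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}


def parse_bind_error(message):
    """Extract the DSID, the data sub-code and its meaning from a bind
    diagnostic. Returns None if the string is not an AcceptSecurityContext
    error. Every sub-code except 525 implies the account exists, which is
    the information leak the advisory describes."""
    m = BIND_ERR_RE.search(message)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "dsid": m.group("dsid"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
        "account_exists": data != "525",
    }


def detect_enumeration(events, min_distinct_users=5):
    """Group failed binds by source and flag sources that probed many distinct
    usernames and received at least one 525. A legitimate user mistyping a
    password yields repeated 52e against one or two names; an enumeration run
    yields 525 spread across many names. For each flagged source the report
    lists the accounts whose existence was confirmed (any non-525 sub-code),
    which is the scoping information an incident responder needs."""
    per_source = defaultdict(lambda: {"users": set(), "codes": Counter(), "confirmed": set()})
    for src, user, msg in events:
        info = parse_bind_error(msg)
        if info is None:
            continue  # not an AD bind failure; ignore it
        agg = per_source[src]
        agg["users"].add(user.lower())
        agg["codes"][info["data"]] += 1
        if info["account_exists"]:
            agg["confirmed"].add(user.lower())
    flagged = {}
    for src, agg in per_source.items():
        if len(agg["users"]) >= min_distinct_users and agg["codes"]["525"] > 0:
            flagged[src] = {
                "distinct_users": len(agg["users"]),
                "not_found": agg["codes"]["525"],
                "confirmed_accounts": sorted(agg["confirmed"]),
            }
    return flagged


def _diag(code):
    """Constructed helper: build a diagnostic in the advisory's format for a sub-code."""
    return ("80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, "
            f"data {code}, vece")


# Constructed sample events (source address, attempted username, diagnostic).
# Addresses are from the TEST-NET documentation ranges; none of this is from the advisory.
SAMPLE_EVENTS = [
    ("192.0.2.10", "alice", _diag("52e")),
    ("192.0.2.10", "bob", _diag("525")),
    ("192.0.2.10", "carol", _diag("525")),
    ("192.0.2.10", "dave", _diag("52e")),
    ("192.0.2.10", "erin", _diag("525")),
    ("192.0.2.10", "frank", _diag("775")),
    ("198.51.100.7", "jsmith", _diag("52e")),
    ("198.51.100.7", "jsmith", _diag("52e")),
    ("198.51.100.7", "jsmith", "LdapErr: operations error, no data field"),
]

if __name__ == "__main__":
    for code in ("52e", "525"):
        print(code, parse_bind_error(_diag(code)))
    for src, report in detect_enumeration(SAMPLE_EVENTS).items():
        print(f"{src}: {report}")
```

The threshold on distinct usernames is what separates enumeration from ordinary password typos; tune it to the size of the user population and the log window, and feed the parser from the domain controller's failed-bind logging rather than from constructed events.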


Impact:

A successful exploit of this issue can allow an attacker to anonymously enumerate users on the affected system.


Exploit:

An exploit is available at http://labs.portcullis.co.uk/application/ldapuserenum/


Vendor Response and Recommendations:

Block TCP ports 389 and 636 at the perimeter firewall.

These ports are used to initiate a connection with the affected component.
Blocking them at the enterprise firewall, both inbound and outbound, will help protect systems behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see TCP and UDP Port Assignments (http://go.microsoft.com/fwlink/?LinkId=21312). For more information about the Windows Firewall, see How to Configure Windows Firewall on a Single Computer (http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/cfgfwall.mspx).


Timeline:

2008/10/06 - Vulnerability discovered
2008/10/21 - Internal proof of concept ready
2008/10/23 - Advisory draft ready
2008/10/24 - Initial notification to the vendor
2008/10/28 - Vendor acknowledges notification, case opened
2008/11/05 - Vendor reproduced the issue and the bug fix will be addressed through a Service Pack release
2008/11/07 - Vendor asks to add a mitigations section to the advisory
2008/11/11 - Portcullis adds a Vendor Response and Recommendations section
2008/11/13 - Advisory published in accordance with the vendor


Copyright:

Copyright © Portcullis Computer Security Limited 2008, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.


Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.