Portcullis Security Advisory - 08-010

Vulnerable System:
Microsoft Windows Active Directory LDAP Server

Vulnerability Title:
Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability

Vulnerability Discovery And Development:
Portcullis Security Testing Team

Credit For Discovery:
Bernardo Damele Assumpcao Guimaraes - Portcullis Computer Security Ltd

Affected systems:
Microsoft Windows 2000 Server Service Pack 4
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 Service Pack 2

Details:
An information disclosure vulnerability exists in the manner in which the Microsoft LDAP server responds when a client binds to it. When an invalid password is provided, the server responds with result code 49 (invalidCredentials) and an error message. A different error message is returned if an invalid username is provided.

For an existing user the bind response is similar to:

80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

For a non-existent user the following error message is returned:

80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

As you can see, the values 52e and 525 differ. The meaning associated with 52e is 'invalid credentials'. The meaning associated with 525 is 'user not found'. The server can respond with seven other error codes, which makes it possible to infer further information about the status of the account, such as "account has expired" or "user account locked".

Impact:
A successful exploit of this issue can allow an attacker to anonymously enumerate users on the affected system.

Exploit:
An exploit is available at http://labs.portcullis.co.uk/application/ldapuserenum/

Vendor Response and Recommendations:
Block TCP ports 389 and 636 at the perimeter firewall. These ports are used to initiate a connection with the affected component. Blocking them at the enterprise firewall, both inbound and outbound, will help protect systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see TCP and UDP Port Assignments (http://go.microsoft.com/fwlink/?LinkId=21312). For more information about the Windows Firewall, see How to Configure Windows Firewall on a Single Computer (http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/cfgfwall.mspx).

Timeline:
2008/10/06 - Vulnerability discovered
2008/10/21 - Internal proof of concept ready
2008/10/23 - Advisory draft ready
2008/10/24 - Initial notification to the vendor
2008/10/28 - Vendor acknowledges notification, case opened
2008/11/05 - Vendor reproduced the issue; the bug fix will be addressed through a Service Pack release
2008/11/07 - Vendor asks to add a mitigations section to the advisory
2008/11/11 - Portcullis adds a Vendor Response and Recommendations section
2008/11/13 - Advisory published in accordance with the vendor

Copyright:
Copyright © Portcullis Computer Security Limited 2008, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
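The Details section above explains that the "data" sub-code in the AcceptSecurityContext diagnostic message distinguishes an unknown user (525) from a wrong password (52e). The following Python is an added example written for this page, not code from Portcullis or from the linked tool: it parses that diagnostic string, maps the sub-code to its meaning, and runs a simple detection over a constructed set of bind-failure records, flagging a source that triggers many distinct "user not found" responses, which is the pattern an enumeration attempt produces and a single user mistyping a password does not. The only sub-codes quoted by the advisory are 52e and 525; the other entries in the mapping are the commonly documented Active Directory bind sub-codes and are included as an assumption about the "seven other error codes" the advisory mentions. The event tuples are assumed to come from something that observes LDAP bind responses, such as a network sensor decoding LDAP; the sample records and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the diagnostic string Windows AD returns on a failed bind, e.g.
# "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece"
# Only the "data <hex>" field is used; the DSID varies between builds.
DIAG_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+),")

# 52e and 525 are quoted in the advisory. The remaining entries are the commonly
# documented AD bind sub-codes (assumed here to be the "seven other error codes").
SUBCODE_MEANING = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}


def parse_subcode(diag):
    """Extract the lowercase 'data' sub-code from a diagnostic message, or None."""
    m = DIAG_RE.search(diag)
    return m.group(1).lower() if m else None


def classify(diag):
    """Human-readable meaning of the sub-code carried by a diagnostic message."""
    code = parse_subcode(diag)
    if code is None:
        return "unrecognised"
    return SUBCODE_MEANING.get(code, "unknown sub-code " + code)


def _diag(code):
    # Helper to build constructed sample messages in the format shown in the advisory.
    return ("80090308: LdapErr: DSID-0C090334, comment: "
            "AcceptSecurityContext error, data %s, vece" % code)


# Constructed sample of bind-failure records: (source_ip, bind_user, diagnostic).
# 10.0.0.5 cycles through many names that do not exist; 10.0.0.9 is a real user
# mistyping a password, plus one typo in a username.
SAMPLE_EVENTS = [
    ("10.0.0.5", "aaron",   _diag("525")),
    ("10.0.0.5", "abigail", _diag("525")),
    ("10.0.0.5", "adam",    _diag("525")),
    ("10.0.0.5", "alan",    _diag("525")),
    ("10.0.0.5", "alice",   _diag("52e")),   # alice exists: wrong password
    ("10.0.0.5", "amber",   _diag("525")),
    ("10.0.0.5", "andrew",  _diag("525")),
    ("10.0.0.9", "alice",   _diag("52e")),
    ("10.0.0.9", "alice",   _diag("52e")),
    ("10.0.0.9", "alcie",   _diag("525")),   # a single typo, not enumeration
]


def summarise(events):
    """Count bind failures per sub-code meaning across all sources."""
    counts = defaultdict(int)
    for _src, _user, diag in events:
        counts[classify(diag)] += 1
    return dict(counts)


def detect_enumeration(events, threshold=5):
    """Return sources that produced at least `threshold` distinct 'user not found'
    (525) bind failures. Many different unknown names from one source is the
    signature of enumeration; a wrong password for a real user yields 52e instead."""
    unknown_by_src = defaultdict(set)
    for src, user, diag in events:
        if parse_subcode(diag) == "525":
            unknown_by_src[src].add(user)
    return sorted(src for src, users in unknown_by_src.items()
                  if len(users) >= threshold)


if __name__ == "__main__":
    print(summarise(SAMPLE_EVENTS))
    print("suspected enumeration from:", detect_enumeration(SAMPLE_EVENTS))
```

The threshold separates a user who mistypes their own name once from a source that walks a wordlist; tune it to the size of the directory and the normal rate of typos seen on the bind path, and note that the server-side equivalent on the domain controller itself is the failed-logon audit event rather than this diagnostic string.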