Header Ads

LDAP INJECTION

November 27, 2017 2

LDAP INJECTION


Lightweight Directory Access Protocol (LDAP) is an open and vendor-neutral directory service protocol that runs on a layer above the TCP/IP stack

LDAP Injection is a vulnerability that affects web applications. It can be exploited by sending requests that are not properly analyzed and revised by the web application due to the vulnerability

It provides the appropriate mechanism for accessing and modifying data directories, things that are commonly used today while developing intranet and internet (web) applications


What is LDAP injection?
LDAP injection is basically a server side attack, which could result into leakage of sensitive information about users and hosts represented in an LDAP structure. This is done by manipulating input parameters afterwards passed to internal search, add, and modify functions
LDAP servers store information that is accessed by clients using LDAP sessions (usually with pre-defined time-outs). The most basic actions that are taken once the session is initiated are the adding, deleting and modifying of entries. Other operations that are frequently executed include:

• Bind – to authenticate and specify LDAP the LDAP protocol version.
• Search – to locate and retrieve LDAP directory entries.
• Compare – to test if a names entry contains a given attribute value.
• Extended Operation – an operation used to define unique operations.
• Unbind – close the connection.

From above diagram
LDAP injections are basically crafted queries. Under normal circumstances, normal queries to the LDAP server lead to normal output. But when the malicious attacker sends LDAP statements along with code injections, additional private and sensitive information can be stolen from the LDAP servers.
Advanced LDAP injections can also allow the attacker to enable the execution of arbitrary commands to gain unauthorized permissions and even modify information within the LDAP tree. Besides these common instances, many techniques used in the SQL injection can be implemented also in the LDAP injection.
A successful exploitation of an LDAP injection vulnerability could allow hacker to:
  • Access unauthorized content
  • Evade application restrictions
  • Gather unauthorized informations
  • Add or modify Objects inside LDAP tree structure.


Detecting LDAP Injection
Character
Meaning
*
Wildcard representing >=0 of any characters
(  )
Surrounds an expression
&
Logical "and" (Prefix operator)
|
Logical "or" (Prefix operator)

Expression
Meaning
(&)
Always True
(|)
Always False


Testing For LDAP Injection With An Asterisk (*)
  • Whether the application will reject the character due to input validation
  • Whether the character is interpreted as a wildcard.  You must be alert for interesting changes in application behavior or results.  A successful query when using an asterisk suggests that LDAP Injection is possible.  Depending on the application’s requirements, the return of additional (or multiple) records can mean the asterisk is broadening the criteria of the search.
  • Whether the asterisk is being neutralized.  If there is no error and no results, OR only results matching the asterisk entered, it likely means that the meta-character has no special meaning.
*
*)
*))
*)))

 

Testing for LDAP

The Lightweight Directory Access Protocol (LDAP) is used to store information about users, hosts, and many other objects. LDAP injection is a server side attack, which could allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified, or inserted. This is done by manipulating input parameters afterwards passed to internal search, add, and modify functions.

A web application could use LDAP in order to let users authenticate or search other users' information inside a corporate structure. The goal of LDAP injection attacks is to inject LDAP search filters metacharacters in a query which will be executed by the application.
[Rfc2254] defines a grammar on how to build a search filter on LDAPv3 and extends [Rfc1960] (LDAPv2).

An LDAP search filter is constructed in Polish notation, also known as [prefix notation].

This means that a pseudo code condition on a search filter like this:
find("cn=John & userPassword=mypass")
will be represented as:
find("(&(cn=John)(userPassword=mypass))")

Boolean conditions and group aggregations on an LDAP search filter could be applied by using the following metacharacters:
Metachar
Meaning
&
Boolean AND
|
Boolean OR
 !
Boolean NOT
=
Equals
~=
Approx
>=
Greater than
<=
Less than
*
Any character
()
Grouping parenthesis

More complete examples on how to build a search filter can be found in the related RFC.

A successful exploitation of an LDAP injection vulnerability could allow the tester to:
·         Access unauthorized content
·         Evade application restrictions
·         Gather unauthorized informations
·         Add or modify Objects inside LDAP tree structure.

How to Test

 

Example 1: Search Filters

Let's suppose we have a web application using a search filter like the following one:
searchfilter="(cn="+user+")"
which is instantiated by an HTTP request like this:
http://www.example.com/ldapsearch?user=John
If the value 'John' is replaced with a '*', by sending the request:
http://www.example.com/ldapsearch?user=*
the filter will look like:
searchfilter="(cn=*)"
which matches every object with a 'cn' attribute equals to anything.

If the application is vulnerable to LDAP injection, it will display some or all of the users' attributes, depending on the application's execution flow and the permissions of the LDAP connected user.

A tester could use a trial-and-error approach, by inserting in the parameter '(', '|', '&', '*' and the other characters, in order to check the application for errors.

Example 2: Login

If a web application uses LDAP to check user credentials during the login process and it is vulnerable to LDAP injection, it is possible to bypass the authentication check by injecting an always true LDAP query (in a similar way to SQL and XPATH injection ).

Let's suppose a web application uses a filter to match LDAP user/password pair.
searchlogin= "(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";

By using the following values:
user=*)(uid=*))(|(uid=*
 pass=password
the search filter will results in:
searchlogin="(&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))";
which is correct and always true. This way, the tester will gain logged-in status as the first user in LDAP tree.




Preventing LDAP injection 

requires defensive programming, sophisticated input validation, dynamic checks and static source code analysis. Incoming data validation can clean client-supplied data of any characters or scripts that could possibly be malicious. Outgoing data validation validates all data returned to the user as an added layer of security. And LDAP configuration implements tight access control on the data in the LDAP directory.

  • Perform input validation: Limit the character set and format to be what your requirements dictate and reject any input that fails to meet your expectations.  Perform input validation on both the client and the server.
  • Neutralize LDAP Meta-characters: The following characters should be “escaped” when they appear within inputs that are integrated into an LDAP query:

They key to preventing LDAP Injection is two-fold:
(
)
< 
> 
&
*
|
=
;
#
\
+
,
 (Blank)
A meta-character is neutralized by preceding the character with a ‘\’ in Linux and Unix, and a ^ in Windows.
A final countermeasure that can be taken is to to whatever degree possible, write your LDAP search filter so that the input value(s) being integrated into the LDAP query appears as far to the right as possible.  This does not prevent injection in itself, but limits the damage that can be done if injection does occur.

LDAP & XPATH Injection tools

Blind XPath Injection Exploitation Tool 
Sample application showing practical approach how to exploit Blind XPath Injection flaw. The tool is intended to be used by IT security researchers and pentesters for educational purposes only. It was first presented at Black Hat 2011 
Download: http://code.google.com

Blind LDAP Injection Exploitation Tool 
Sample application showing practical approach how to exploit Blind LDAP Injection flaw. The tool is intended to be used by IT security researchers and pentesters for educational purposes only. It was first presented at Black Hat 2011. 
Download: http://code.google.com 

Thank you guys ... 
I hope it will helpful for you..

Information showing on this blog is only use for educational purpose.


*Note:This blog never post any illegal hacking activity or article.


Sagargaikwad4385@gmail.com
Ethical Hacker | Web Application Security Testing |CEH v9 | CCNA |WAPT | VAPT | Network security
Twitter : @Sgrdhara Instagram:@sgrdhara
LinkedIn: https://www.linkedin.com/in/sagar-gaikwad-32047696/

Tags:

2 comments:

  1. LDAP InjectionJanuary 28, 2018 at 3:47 AM

    I am glad to find this blog... This blog help to increase my knowledge on LDAP injection. Very informative and helpful blog. Thanks for sharing useful content.

    ReplyDelete

Subscribe to: Post Comments ( Atom )

Recent post

Reflected XSS

 Reflected XSS   Product : Open-AudIT v4.2.0 for Windows   POC:   Open http://localhost/open-audit/index.php/logon   login ...

Powered by Blogger.