How To Exploit LDAP Injection?


What is LDAP Injection?

LDAP injection is a web attack in which an attacker exploits a website that constructs LDAP statements (most often search filters, sometimes distinguished names) directly from user-supplied input.



According to Wikipedia Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. LDAP was originally intended to be a lightweight alternative protocol for accessing X.500 directory services through the simpler (and now widespread) TCP/IP protocol stack. This model of directory access was borrowed from the DIXIE and Directory Assistance Service protocols.

When a web application does not properly validate or escape user input before inserting it into an LDAP statement, an attacker can alter the statement: change which entries a search matches, pull back attributes the application never intended to expose, and, where the application binds to the directory with write permission, add or modify entries in the LDAP tree. LDAP injection is closely related to SQL injection; the syntax being abused is different, but the root cause (string concatenation of untrusted data into a query) is the same.



Example


Vulnerable code (C#, ASP.NET Web Forms):
 line   1 using System;
 line   2 using System.Configuration;
 line   3 using System.Data;
 line   4 using System.Web;
 line   5 using System.Web.Security;
 line   6 using System.Web.UI;
 line   7 using System.Web.UI.HtmlControls;
 line   8 using System.Web.UI.WebControls;
 line   9 using System.Web.UI.WebControls.WebParts;
 line  10 
 line  11 using System.DirectoryServices;
 line  12 
 line  13 public partial class _Default : System.Web.UI.Page 
 line  14 {
 line  15     protected void Page_Load(object sender, EventArgs e)
 line  16     {
 line  17         string userName;
 line  18         DirectoryEntry entry;
 line  19 
 line  20         userName = Request.QueryString["user"];
 line  21 
 line  22         if (string.IsNullOrEmpty(userName))
 line  23         {
 line  24             Response.Write("<b>Invalid request. Please specify valid user name</b></br>");
 line  25             Response.End();
 line  26 
 line  27             return;
 line  28         }
 line  29 
 line  30         DirectorySearcher searcher = new DirectorySearcher();
 line  31 
 line  32         searcher.Filter = "(&(samAccountName=" + userName + "))";
 line  33 
 line  34         SearchResultCollection results = searcher.FindAll();
 line  35 
 line  36         foreach (SearchResult result in results)
 line  37         {
 line  38             entry = result.GetDirectoryEntry();
 line  39 
 line  40             Response.Write("<p>");
 line  41             Response.Write("<b><u>User information for : " + entry.Name + "</u></b><br>");
 line  42 
 line  43             foreach (string proName in entry.Properties.PropertyNames)
 line  44             {
 line  45                 Response.Write("<br>Property : " + proName);
 line  46 
 line  47                 foreach( object val in entry.Properties[proName] )
 line  48                 {
 line  49                     Response.Write("<br>Value: " + val.ToString());
 line  50                 }
 line  51             }
 line  52 
 line  53             Response.Write("</p>");
 line  54         }
 line  55     }
 line  56 }


The code above is vulnerable to LDAP injection. What makes it vulnerable? On line 20 the variable userName is initialized from the user query-string parameter, and the only check performed (lines 22 to 28) is that the value is not empty. On line 32 that value is concatenated straight into the search filter, "(&(samAccountName=" + userName + "))". Nothing removes or escapes the characters that carry meaning in an LDAP filter, namely * ( ) \ | & ! and NUL, so the user decides what the filter says.
A request for ?user=* matches every object that has a samAccountName, and a request for ?user=*)(objectClass=* (URL-encoded as needed) turns the filter into (&(samAccountName=*)(objectClass=*)), which also matches everything while remaining syntactically valid, so the attacker can append any extra condition he likes. Because the loop on lines 36 to 54 writes every property of every matched entry into the response, the attacker receives all attributes that the application's bind account is allowed to read, for every matched object, not just the single lookup the page was written for.

Let's take another example to understand LDAP injection properly.
Example:
<input type="text" size="10" name="name"> Enter the name you want to search
Take a simple HTML page that searches for the username typed into this box. The server-side code builds the following LDAP query from the submitted name:

String ldapSearchQuery = "(cn=" + username + ")";
System.out.println(ldapSearchQuery);

If username is not validated or escaped before it is concatenated, the attacker controls the filter. Searching for * instead of a name yields (cn=*), which matches every entry that has a cn attribute and so lists every user in the directory. Entering mike)(|(password=*) yields (cn=mike)(|(password=*)), the intent being to turn the name lookup into a test of whether mike has a password attribute. Two caveats before relying on that payload: it is not one well-formed filter but a filter followed by trailing text, and whether a server or client library rejects the tail or silently ignores it differs between implementations; and it reveals a password only where a readable plaintext password attribute exists, which is not the normal case (directory passwords are stored hashed, and userPassword or unicodePwd is usually not readable by the application's bind account). The reliable form of the attack is against code that already wraps the input in (&(...)) or (|(...)), as the C# example above does: an injected value such as *)(department=it produces the single valid filter (&(samAccountName=*)(department=it)), and by varying the injected condition and watching whether results come back, the attacker turns the search into a yes/no oracle for attribute values.


Fixing LDAP Injection

To fix LDAP injection, treat user input as data, never as filter syntax. In order of preference: validate the input against an allowlist for what it is supposed to be (an account name, for instance, can be limited to letters, digits and a few punctuation characters) and reject anything else with an error message the user can act on; escape whatever is inserted into a filter according to RFC 4515, which replaces * ( ) \ and NUL with \2a \28 \29 \5c and \00 (use the escaping routine your LDAP library provides rather than a hand-written blocklist); and, where the value becomes part of a distinguished name rather than a filter, apply DN escaping (RFC 4514) instead, because the two grammars differ. Simply stripping * ( ) | is weaker than escaping: it silently changes what the user asked for and it misses \ & ! and NUL. Finally, limit the damage if a bypass is found: bind to the directory with a read-only, least-privilege account, and return only the attributes the page actually needs instead of dumping every property of each result as the C# example does.
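As an added example that is not code from the original post, the following Python script shows both halves of the story above: how a value injected into the C# page's filter, (&(samAccountName=...)), rewrites the search, and how RFC 4515 escaping neutralises it. No directory server is involved: a three-entry in-memory directory and a small evaluator for the filter subset used on this page (&, |, !, and equality with * wildcards) stand in for the server, and every entry name and attribute value is constructed for the demonstration. The helper names (escape_filter_value, build_filter, parse_filter, search, demo) are my own and are not the API of any real LDAP library.

```python
# Added example, not from the original post: a toy in-memory directory and a
# minimal filter evaluator stand in for the LDAP server. Helper names are
# assumptions for this demo, not the API of any real LDAP library.
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape user input so the server can only read it as a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(user_name: str, escape: bool) -> str:
    """Same shape as the post's C# line: "(&(samAccountName=" + userName + "))".
    escape=False is the vulnerable concatenation; escape=True is the fix."""
    value = escape_filter_value(user_name) if escape else user_name
    return "(&(samAccountName=" + value + "))"

# --- minimal filter evaluator: how the server reads the string ---------------

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(s: str, i: int):
    """Parse one filter starting at s[i] == '('; return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)  # ValueError if the assertion is never closed
    attr, _, raw = s[i:end].partition("=")
    # A raw '*' is a wildcard; an escaped "\2a" survives as a literal asterisk.
    parts = [_unescape(chunk) for chunk in raw.split("*")]
    return ("=", attr.lower(), parts), end + 1

def parse_filter(s: str):
    """Parse exactly one filter; trailing text is an error, not silently ignored."""
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter: %r" % s[i:])
    return node

def is_well_formed(s: str) -> bool:
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False

def _match_value(parts, actual: str) -> bool:
    """Case-insensitive glob; parts are the literal chunks between wildcards."""
    if len(parts) == 1:
        return parts[0].lower() == actual.lower()
    return re.fullmatch(".*".join(re.escape(p.lower()) for p in parts), actual.lower()) is not None

def matches(node, attrs: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, parts = node
    return any(_match_value(parts, v) for v in attrs.get(attr, []))

def search(filter_str: str, directory) -> list:
    """Return the DNs of the entries the filter matches, sorted."""
    node = parse_filter(filter_str)
    return sorted(e["dn"] for e in directory if matches(node, e["attrs"]))

# Constructed sample directory (attribute names stored lower-case).
DIRECTORY = [
    {"dn": "cn=mike,ou=users,dc=example,dc=com",
     "attrs": {"samaccountname": ["mike"], "objectclass": ["user"], "department": ["finance"]}},
    {"dn": "cn=alice,ou=users,dc=example,dc=com",
     "attrs": {"samaccountname": ["alice"], "objectclass": ["user"], "department": ["it"]}},
    {"dn": "cn=svc-backup,ou=service,dc=example,dc=com",
     "attrs": {"samaccountname": ["svc-backup"], "objectclass": ["user"], "department": ["it"]}},
]

# Values a tester would send as ?user= to the C# page.
INPUTS = {"normal": "mike", "wildcard": "*", "injected": "*)(department=it"}

def demo() -> dict:
    """Map (input label, escaped?) -> (filter string, matched DNs)."""
    results = {}
    for label, user in INPUTS.items():
        for escape in (False, True):
            flt = build_filter(user, escape)
            results[(label, escape)] = (flt, search(flt, DIRECTORY))
    return results

if __name__ == "__main__":
    for (label, escape), (flt, dns) in demo().items():
        print(label, "escaped" if escape else "raw", flt, "->", dns or "no match")
```

Run as a script and the raw wildcard and injected inputs return every account (or every account in department it), while the escaped versions return nothing, because \2a \29 \28 are compared as literal characters that no samAccountName contains. Because parse_filter insists on exactly one well-formed filter, it also rejects the trailing-text payload (cn=mike)(|(password=*)) from the second example; a real server or library may or may not be that strict, which is why the balanced *)(attribute=value form is the one to test with.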









Reviewed by Almas Malik on 16:47