InfoSecPro.com - Computer, network, application and physical security consultants.

LDAP Injection

LDAP Injection is an attack technique used to exploit web sites that construct LDAP statements from user-supplied input.
Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services. The LDAP protocol runs over Internet transport protocols, such as TCP. Web applications may use user-supplied input to create custom LDAP statements for dynamic web page requests.

When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of an LDAP statement. When an attacker is able to modify an LDAP statement, the process will run with the same permissions as the component that executed the command. (e.g. Database server, Web application server, Web server, etc.). This can cause serious security problems where the permissions grant the rights to query, modify or remove anything inside the LDAP tree.

The same advanced exploitation techniques available in SQL Injection can also be similarly applied in LDAP Injection.

Example Vulnerable code with comments: line 0: <html> line 1: <body> line 2: <%@ Language=VBScript %> line 3: <% line 4: Dim userName line 5: Dim filter line 6: Dim ldapObj line 7: line 8: Const LDAP_SERVER = "ldap.example" line 9: line 10: userName = Request.QueryString("user") line 11: line 12: if( userName = "" ) then line 13: Response.Write("Invalid request. Please specify a valid user name ") line 14: Response.End() line 15: end if line 16: line 17: line 18: filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry line 19: line 20: line 21: 'Creating the LDAP object and setting the base dn line 22: Set ldapObj = Server.CreateObject("IPWorksASP.LDAP") line 23: ldapObj.ServerName = LDAP_SERVER line 24: ldapObj.DN = "ou=people,dc=spilab,dc=com" line 25: line 26: 'Setting the search filter line 27: ldapObj.SearchFilter = filter line 28: line 29: ldapObj.Search line 30: line 31: 'Showing the user information line 32: While ldapObj.NextResult = 1 line 33: Response.Write("") line 34: line 35: Response.Write("User information for: " + ldapObj.AttrValue(0) + " ") line 36: For i = 0 To ldapObj.AttrCount -1 line 37: Response.Write("" + ldapObj.AttrType(i) +": " + ldapObj.AttrValue(i) + " " ) line 38: Next line 39: Response.Write("") line 40: Wend line 41: %> line 42: </body> line 43: </html> Looking at the code, we see on line 10 that the userName variable is initialized with the parameter user and then quickly validated to see if the value is empty. If the value is not empty, the userName is used to initialize the filter variable on line 18. This new variable is directly used to construct an LDAP query that will be use in the call to SearchFilter on line 27. In this scenario, the attacker has complete control over what will be queried on the LDAP server, and he will get the result of the query when the code hits line 32 to 40 where all the results and their attributes are displayed back to the user.

Attack Example
http://example/ldapsearch.asp?user=*

In the example above, we send the * character in the user parameter which will result in the filter variable in the code to be initialized with (uid=*). The resulting LDAP statement will make the server return any object that contains a uid attribute.

References
"LDAP Injection: Are Your Web Applications Vulnerable?", By Sacha Faust - SPI Dynamics
http://www.spidynamics.com/whitepapers/LDAPinjection.pdf

"A String Representation of LDAP Search Filters"
http://www.ietf.org/rfc/rfc1960.txt

"Understanding LDAP"
http://www.redbooks.ibm.com/redbooks/SG244986.html

"LDAP Resources"
http://ldapman.org/

To receive your Free Application Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $1999.00 for a second LDAP Injection attack vulnerability test.

Business Name:

Contact Information:

Email Address:

URL or IP address: