LDAP Injection is an attack technique used to exploit web sites that
construct LDAP statements from user-supplied input.
Lightweight Directory Access Protocol (LDAP) is an open-standard
protocol for both querying and manipulating X.500 directory services.
The LDAP protocol runs over Internet transport protocols, such as
TCP. Web applications may use user-supplied input to create custom
LDAP statements for dynamic web page requests.
When a web application fails to properly sanitize user-supplied input,
it is possible for an attacker to alter the construction of an LDAP
statement. When an attacker is able to modify an LDAP statement,
the modified statement runs with the same permissions as the component
that executed the command (e.g. database server, web application
server, web server). This can cause serious security problems
where those permissions grant the rights to query, modify or remove
anything inside the LDAP tree.
The same advanced exploitation techniques available in SQL
Injection can also be similarly applied in LDAP Injection.
Example
Vulnerable code with comments:
line 0:
line 1:
line 2: <%@ Language=VBScript %>
line 3: <%
line 4: Dim userName
line 5: Dim filter
line 6: Dim ldapObj
line 7:
line 8: Const LDAP_SERVER = "ldap.example"
line 9:
line 10: userName = Request.QueryString("user")
line 11:
line 12: if( userName = "" ) then
line 13:     Response.Write("Invalid request. Please specify a valid user name")
line 14:     Response.End()
line 15: end if
line 16:
line 17:
line 18: filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
line 19:
line 20:
line 21: 'Creating the LDAP object and setting the base dn
line 22: Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
line 23: ldapObj.ServerName = LDAP_SERVER
line 24: ldapObj.DN = "ou=people,dc=spilab,dc=com"
line 25:
line 26: 'Setting the search filter
line 27: ldapObj.SearchFilter = filter
line 28:
line 29: ldapObj.Search
line 30:
line 31: 'Showing the user information
line 32: While ldapObj.NextResult = 1
line 33:     Response.Write("")
line 34:
line 35:     Response.Write("User information for: " + ldapObj.AttrValue(0) + "")
line 36:     For i = 0 To ldapObj.AttrCount - 1
line 37:         Response.Write("" + ldapObj.AttrType(i) + ": " + ldapObj.AttrValue(i) + "")
line 38:     Next
line 39:     Response.Write("")
line 40: Wend
line 41: %>
line 42:
line 43:
Looking at the code, we see on line 10 that the userName variable is
initialized with the user parameter and then quickly validated only to
check that the value is not empty. If the value is not empty, userName is
used to initialize the filter variable on line 18. This new variable is
used directly to construct the LDAP query that is assigned to
SearchFilter on line 27. In this scenario, the attacker has
complete control over what will be queried on the LDAP server, and
will get the result of the query when the code reaches lines 32 to 40,
where all the results and their attributes are displayed back to the
user.
Attack Example
http://example/ldapsearch.asp?user=*
In the example above, we send the * character in the user parameter,
which causes the filter variable in the code to be initialized with
(uid=*). The resulting LDAP statement will make the server return
every object that contains a uid attribute.
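The root cause on line 18 is that the user value is concatenated into the filter without escaping the filter metacharacters. The following Python snippet is an added example (not code from the original page or from the SPI Dynamics paper) that places the vulnerable concatenation next to a hardened version that escapes values as the LDAP filter string representation requires, and adds a small check a defender can run over request parameters to flag raw metacharacters; the function names and sample inputs are constructed for this example.

```python
# Characters that must be escaped inside an LDAP search filter value
# (RFC 4515 section 3, the successor to the RFC 1960 representation).
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is treated as a literal value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(user_name: str) -> str:
    """Mirrors line 18 of the ASP page: raw concatenation, no escaping."""
    return "(uid=" + user_name + ")"


def safe_filter(user_name: str) -> str:
    """Hardened form: the attribute name is fixed and the value is escaped."""
    return "(uid=" + escape_ldap_filter_value(user_name) + ")"


def contains_filter_metachars(value: str) -> bool:
    """Detection helper: True if a parameter carries unescaped LDAP metacharacters.

    Useful as a logging or alerting signal on the 'user' parameter; a legitimate
    name such as "Smith (Sales)" will also trip it, so treat it as a review flag,
    not as proof of attack.
    """
    return any(ch in _LDAP_FILTER_ESCAPES for ch in value)


# Constructed sample inputs (not from any real request log): a normal user id,
# the wildcard from the attack example, and two benign values that still
# contain metacharacters and therefore need escaping.
SAMPLE_INPUTS = ["alice", "*", "Smith (Sales)", "corp\\jsmith"]


def demo() -> None:
    for inp in SAMPLE_INPUTS:
        flag = "FLAG" if contains_filter_metachars(inp) else "ok  "
        print(f"{flag} {inp!r:18} vulnerable={vulnerable_filter(inp):22} safe={safe_filter(inp)}")


if __name__ == "__main__":
    demo()
```

With the wildcard input the hardened filter becomes (uid=\2a), which matches only a uid whose literal value is an asterisk, instead of every entry with a uid attribute.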