| Author | Messages |
| pgt (Posts: 24) | 11/18/2008 3:21 PM |
Thanks Brian, Deji.
BTW, why should somebody open LDAP to the public? Also wondering, even if the ports are allowed, they'll be only for specific IPs/subnets, which reduces the surface.
On Wed, Nov 19, 2008 at 1:21 AM, Akomolafe, Deji <deji@readymaids.com> wrote:
> It is considered a bug that can be exploited to gather information
> necessary to mount a better, and more targeted attack against the
> infrastructure. You can use this bug to enumerate which accounts are
> PRESENT in the infrastructure, then you will use that knowledge to use your
> favorite "hacking" tool to target those known accounts.
>
> This bug itself doesn't appear to give you any direct avenue of attack. I
> said "doesn't appear" because I am just going by the public information
> available about the bug. It could be worse, it could be nothing.
>
> Sincerely,
> Microsoft MVP - Directory Services
> www.akomolafe.name - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday? -anon
> ________________________________
> From: ActiveDir-owner@mail.activedir.org [ActiveDir-owner@mail.activedir.org] On Behalf Of Praveen Thampi [mr.praveeng@gmail.com]
> Sent: Tuesday, November 18, 2008 11:35 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] [Fwd: [NT] Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability]
>
> I am a novice. But can somebody explain why this extended error message is
> a 'vulnerability'.
>
> I mean if I enter a wrong pwd for a user a few times in a domain, the account
> gets locked out and I get the message 'account locked out'. So this means the
> user existed. Can this too be considered a vulnerability?
>
> > On Tue, Nov 18, 2008 at 11:34 PM, Susan Bradley, CPA <sbradcpa@pacbell.net> wrote:
> >
> > -------- Original Message --------
> > Subject: [NT] Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability
> > Date: 18 Nov 2008 19:39:05 +0200
> > From: SecuriTeam <support@securiteam.com>
> > To: list@securiteam.com
> >
> > The following security advisory is sent to the securiteam mailing list, and
> > can be found at the SecuriTeam web site: http://www.securiteam.com
> >
> > Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability
> > ------------------------------------------------------------------------
> >
> > SUMMARY
> >
> > A vulnerability in Microsoft's Windows Active Directory's LDAP server
> > allows remote attackers to discover which usernames are valid and which are not.
> >
> > DETAILS
> >
> > Affected systems:
> > * Microsoft Windows 2000 Server Service Pack 4
> > * Microsoft Windows Server 2003 Service Pack 1
> > * Microsoft Windows Server 2003 Service Pack 2
> >
> > An information disclosure vulnerability exists in the manner that the Microsoft
> > LDAP server responds when binding to the LDAP server. In the case when an
> > invalid password is provided, the server will respond with result code 49
> > (invalidCredentials) and an error message. A different error message is
> > returned if an invalid username is provided.
> >
> > For an existing user the bind response is similar to:
> > 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
> >
> > For a non-existent user the following error message is returned:
> > 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
> >
> > As you can see, the values 52e and 525 differ. The meaning associated to
> > 52e is 'invalid credentials'. The meaning associated to 525 is 'user not
> > found'. The server can respond with seven other error codes, which makes it
> > possible to infer other information about the status of the account such as
> > "account has expired" or "user account locked".
> >
> > Impact:
> > A successful exploit of this issue can allow an attacker to anonymously
> > enumerate users on the affected system.
> >
> > Exploit:
> > An exploit is available at http://labs.portcullis.co.uk/application/ldapuserenum/
> >
> > Vendor Response and Recommendations:
> > * Block TCP ports 389 and 636 at the perimeter firewall.
> >
> > These ports are used to initiate a connection with the affected component.
> >
> > Blocking them at the enterprise firewall, both inbound and outbound, will
> > help prevent systems that are behind that firewall from attempts to exploit
> > this vulnerability. We recommend that you block all unsolicited inbound
> > communication from the Internet to help prevent attacks that may use other
> > ports. For more information about ports, see TCP and UDP Port Assignments
> > (http://go.microsoft.com/fwlink/?LinkId=21312). For more information about
> > the Windows Firewall, see How to Configure Windows Firewall on a Single
> > Computer (http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/cfgfwall.mspx).
> >
> > Timeline:
> > 2008/10/06 - Vulnerability discovered
> > 2008/10/21 - Internal proof of concept ready
> > 2008/10/23 - Advisory draft ready
> > 2008/10/24 - Initial notification to the vendor
> > 2008/10/28 - Vendor acknowledges notification, case opened
> > 2008/11/05 - Vendor reproduced the issue and the bug fix will be addressed through a Service Pack release
> > 2008/11/07 - Vendor asks to add a mitigations section to the advisory
> > 2008/11/11 - Portcullis adds a Vendor Response and Recommendations section
> > 2008/11/13 - Advisory published in accordance with the vendor
> >
> > ADDITIONAL INFORMATION
> >
> > The information has been provided by Bernardo Damele Assumpcao Guimaraes.
> > The original article can be found at: http://www.portcullis.co.uk/294.php
> >
> > ========================================
> >
> > This bulletin is sent to members of the SecuriTeam mailing list.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ma/default.aspx
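The advisory's point is that the `data` sub-code in the bind failure tells an observer more than resultCode 49 alone, which is also why a directory's own logs can spot a sweep. The following is an added example, not code from the thread, Portcullis or Microsoft: it maps the sub-code to its meaning and flags sources whose failed binds name many distinct non-existent users (525), as opposed to a real user mistyping a password (52e). The `src=... user=... err="..."` log layout and the sample lines are constructed for the example, and the seven codes beyond 52e/525 are the documented AcceptSecurityContext set, included as an assumption.

```python
import re
from collections import defaultdict

# AD bind-failure "data" sub-codes: 52e/525 are from the advisory, the other seven assumed.
DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+), v")
# Hypothetical log layout used by the constructed sample: src=IP user=NAME err="..."
_LOG_RE = re.compile(r'src=(?P<src>\S+) user=(?P<user>\S+) err="(?P<err>[^"]*)"')

def parse_bind_error(message):
    """Return (data_code, meaning) for a bind error string, or (None, None)."""
    m = _DATA_RE.search(message)
    if not m:
        return None, None
    code = m.group(1).lower()
    return code, DATA_CODES.get(code, "unknown data code")

def enumeration_suspects(log_lines, threshold=3):
    """Sources that hit >= threshold distinct non-existent users (525): a name sweep,
    unlike a real user mistyping a password (52e)."""
    missing = defaultdict(set)
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        code, _ = parse_bind_error(m.group("err"))
        if code == "525":
            missing[m.group("src")].add(m.group("user"))
    return {src: sorted(u) for src, u in missing.items() if len(u) >= threshold}

def _line(src, user, code):  # constructed sample line in the hypothetical layout
    return (f'src={src} user={user} err="80090308: LdapErr: DSID-0C090334, '
            f'comment: AcceptSecurityContext error, data {code}, vece"')

# Constructed sample: jdoe mistypes twice from 10.0.0.7; 10.0.0.9 sweeps guessed names.
SAMPLE_LOG = [_line(*t) for t in [("10.0.0.7", "jdoe", "52e"), ("10.0.0.7", "jdoe", "52e"),
    ("10.0.0.9", "admin", "525"), ("10.0.0.9", "jdoe", "52e"), ("10.0.0.9", "backup", "525"),
    ("10.0.0.9", "svc_sql", "525"), ("10.0.0.9", "test", "525")]]
```

Running `enumeration_suspects(SAMPLE_LOG)` reports only 10.0.0.9 with the four names it probed; the threshold and the log layout are the two things to adapt to a real DC export.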