[NT] Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability

2008-11-24 00:00:00
vulners.com

The following security advisory is sent to the securiteam mailing list, and can be found at the
SecuriTeam web site: http://www.securiteam.com


The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability

SUMMARY

A vulnerability in Microsoft's Windows Active Directory's LDAP server
allows remote attackers to discover which usernames are valid and which
are not.

DETAILS

Affected systems:

  • Microsoft Windows 2000 Server Service Pack 4
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 Service Pack 2

An information disclosure vulnerability exists in the way the Microsoft
LDAP server responds to a bind request. When an invalid password is
provided, the server responds with result code 49 (invalidCredentials)
and an error message. A different error message is returned when an
invalid username is provided.

For an existing user the bind response is similar to:
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

For a non-existent user the following error message is returned:
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

As you can see, the values 52e and 525 differ. The meaning associated with
52e is 'invalid credentials'; the meaning associated with 525 is 'user not
found'. The server can respond with seven other error codes, which makes
it possible to infer further information about the status of the account,
such as "account has expired" or "user account locked".
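The difference between the 525 and 52e sub-codes is also what a defender can key on: a single client that receives many 525 ("user not found") responses for many distinct names is probing the directory, whereas a genuine user mistyping a password produces a handful of 52e responses for one name. The following example is added here and is not part of the advisory or of Portcullis' tool. It assumes a hypothetical log format in which each failed bind is recorded with the client address, the attempted username, the LDAP result code and the server's diagnostic message; the log lines are constructed for illustration. The two sub-codes 525 and 52e come from the advisory; the other sub-codes in the table are standard Windows AcceptSecurityContext values that the advisory alludes to but does not list, and are included here as an assumption of this example.

```python
import re
from collections import defaultdict

# Sub-codes 525 and 52e are quoted in the advisory; the remaining entries are
# standard Windows AcceptSecurityContext sub-codes (assumption of this example,
# not enumerated by the advisory itself).
SUBCODE_MEANING = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Extracts the "data NNN" sub-code from the diagnostic message shown in the advisory.
DIAG_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+), v")

# Hypothetical log layout (constructed for this example):
#   <timestamp> src=<client ip> user=<name> result=<ldap result code> diag="<message>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>\d+) diag="(?P<diag>[^"]*)"$'
)

# Constructed sample: 10.0.0.5 walks through a list of names (six of which do not
# exist), while 10.0.0.9 is one real user who mistypes a password and gets locked out.
SAMPLE_LOG = """\
2008-11-24T10:00:01Z src=10.0.0.5 user=administrator result=49 diag="80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece"
2008-11-24T10:00:02Z src=10.0.0.5 user=bob result=49 diag="80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"
2008-11-24T10:00:03Z src=10.0.0.5 user=carol result=49 diag="80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"
2008-11-24T10:00:04Z src=10.0.0.5 user=dave result=49 diag="80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"
2008-11-24T10:00:05Z src=10.0.0.5 user=erin result=49 diag="80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"
2008-11-24T10:00:06Z src=10.0.0.5 user=frank result=49 diag="80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"
2008-11-24T10:00:07Z src=10.0.0.5 user=grace result=49 diag="80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"
2008-11-24T10:05:00Z src=10.0.0.9 user=alice result=49 diag="80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece"
2008-11-24T10:05:30Z src=10.0.0.9 user=alice result=49 diag="80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece"
"""


def parse_line(line):
    """Parse one log line into a dict, adding the sub-code and its meaning.

    Returns None for lines that do not match the expected layout.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    d = DIAG_RE.search(rec["diag"])
    rec["subcode"] = d.group("code").lower() if d else None
    rec["meaning"] = SUBCODE_MEANING.get(rec["subcode"], "unknown")
    return rec


def summarize(lines):
    """Per client address: names answered 525, count of 52e, and any other sub-codes."""
    stats = defaultdict(lambda: {"unknown_users": set(), "bad_password": 0,
                                 "other": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        # Only result code 49 (invalidCredentials) carries the sub-code of interest.
        if rec is None or rec["result"] != "49":
            continue
        s = stats[rec["src"]]
        if rec["subcode"] == "525":
            s["unknown_users"].add(rec["user"])
        elif rec["subcode"] == "52e":
            s["bad_password"] += 1
        else:
            s["other"][rec["subcode"]] += 1
    return stats


def detect_enumeration(lines, threshold=5):
    """Return {src: sorted probed names} for clients that received 525 for at
    least `threshold` distinct usernames, the signature of username enumeration."""
    return {src: sorted(s["unknown_users"])
            for src, s in summarize(lines).items()
            if len(s["unknown_users"]) >= threshold}


if __name__ == "__main__":
    for src, names in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(names)} non-existent usernames probed: {', '.join(names)}")
```

The threshold and window are the tuning knobs: a genuine client rarely triggers more than one or two 525 responses (a typo in a username), so even a low threshold per source per hour gives a quiet signal. Counting 52e per source separately, as `summarize` does, catches the complementary pattern of many bad passwords against known-good names.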

Impact:
A successful exploit of this issue can allow an attacker to anonymously
enumerate users on the affected system.

Exploit:
An exploit is available at
http://labs.portcullis.co.uk/application/ldapuserenum/

Vendor Response and Recommendations:

  • Block TCP ports 389 and 636 at the perimeter firewall.

These ports are used to initiate a connection with the affected component.

Blocking them at the enterprise firewall, both inbound and outbound, will
help protect systems behind that firewall from attempts to exploit this
vulnerability. We recommend that you block all unsolicited inbound
communication from the Internet to help prevent attacks that may use other
ports. For more information about ports, see TCP and UDP Port Assignments
(http://go.microsoft.com/fwlink/?LinkId=21312). For more information about
the Windows Firewall, see How to Configure Windows Firewall on a Single
Computer
(http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/cfgfwall.mspx).

Timeline:
2008/10/06 - Vulnerability discovered
2008/10/21 - Internal proof of concept ready
2008/10/23 - Advisory draft ready
2008/10/24 - Initial notification to the vendor
2008/10/28 - Vendor acknowledges notification, case opened
2008/11/05 - Vendor reproduced the issue and the bug fix will be addressed
through a Service Pack release
2008/11/07 - Vendor asks to add a mitigations section to the advisory
2008/11/11 - Portcullis adds a Vendor Response and Recommendations section
2008/11/13 - Advisory published in accordance with the vendor

ADDITIONAL INFORMATION

The information has been provided by Bernardo Damele Assumpcao Guimaraes.
The original article can be found at:
http://www.portcullis.co.uk/294.php
