-[ INFO ]---------------------------------------------------------------------
            Title: LDAP injections
            Author: ka0x
            contact: ka0x01[!]gmail.com
            D.O.M TEAM 2007
            we: ka0x, an0de, xarnuz, s0cratex
            from spain
                                   
-[ INDEX ]---------------------------------------------------------------------
            0x01: Introduction
            0x02: Filters LDAP
            0x03: LDAP injection in Web Applications
            0x04: Links
           
           
---[ 0x01: Introduction ]

The technique of LDAP (Lightweight Directory Access Protocol) is a lightweight
protocol to access the directory service X.500. This protocol works over TCP/IP.
The access protocol LDAP is used to query and modify objects stored.


---[ 0x02: Filters LDAP ]

   
It is quite important to understand how does the LDAP filters work.
FC 4515 (6/2006) (http://tools.ietf.org/html/rfc4515).

Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = "=" /"~="/ ">=" / "<="
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue

   
Logical operators:
- AND "&"
- OR "|"
- NOT "!"

Relational operators:
<=, >=, =, ~=

The wildcard "*" It is used to replace characters.
   
Filter example:
(&(objectClass=user)(uid=*)): We return a list of all objects of type user, no matter
which takes the value of the attribute "uid."
 

---[ 0x02: LDAP injection in Web Applications ]

The technique Ldap injection is very similar to SQL injection.
The attack technique is used to operate websites built LDAP judgments directly from
data supplied by the user.

Vulnerable code with comments (by Sacha Faust):

+++++++++++++++++++++++++++++++++++++

line 0: <html>
line 1: <body>
line 2: <%@ Language=VBScript %>
line 3: <%
line 4:     Dim userName
line 5:     Dim filter
line 6:     Dim ldapObj
line 7:
line 8:     Const LDAP_SERVER = "ldap.example"
line 9:
line 10:     userName = Request.QueryString("user")
line 11:
line 12:     if( userName = "" ) then
line 13:         Response.Write("<b>Invalid request. Please specify a valid user name</b><br>")
line 14:         Response.End()
line 15:     end if
line 16:
line 17:
line 18:     filter = "(uid=" + CStr(userName) + ")"        ' searching for the user entry
line 19:
line 20:
line 21:     'Creating the LDAP object and setting the base dn
line 22:     Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
line 23:     ldapObj.ServerName = LDAP_SERVER
line 24:     ldapObj.DN = "ou=people,dc=spilab,dc=com"
line 25:
line 26:     'Setting the search filter
line 27:     ldapObj.SearchFilter = filter
line 28:
line 29:     ldapObj.Search
line 30:
line 31:     'Showing the user information
line 32:     While ldapObj.NextResult = 1
line 33:         Response.Write("<p>")
line 34:
line 35:         Response.Write("<b><u>User information for : " + ldapObj.AttrValue(0) + "</u></b><br>")
line 36:         For i = 0 To ldapObj.AttrCount -1
line 37:             Response.Write("<b>" + ldapObj.AttrType(i) + "</b> : " + ldapObj.AttrValue(i) + "<br>" )
line 38:         Next
line 39:         Response.Write("</p>")
line 40:     Wend
line 41: %>
line 42: </body>
line 43: </html>

+++++++++++++++++++++++++++++++++++++


In line 10 note userName variable is initialized with the value
the parameter user and then quickly validated to see if the value is zero.
If the value is not zero, the variable userName is used to initialize the
variable filter on line 18.
This new variable is used directly to build an LDAP search to be used in
the call to SearchFilter on line 27
The attacker has full control over what will be consulted on the LDAP server.
You will get the result of the consultation when the code reaches of the line 32 to 40,
all results and its attributes are displayed to the user.

Example 1:
http://website/ldap.asp?user=*

In this example dispatched the character "*" parameter in the "user" which ends
in the variable filter.
This judgment LDAP will show any object that has an attribute uid.
We show all users and their information.

Example 2:
http://website/ldap.asp?user=ka0x)(|(homedirectory=*)

It will show us the path to the user ka0x.
They can do tests with the code before they leave.


---[ 0x03: Links ]

http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
http://es.wikipedia.org/wiki/LDAP
http://www.ldapman.org/


__EOF__

# milw0rm.com [2007-11-04]