Wednesday, October 17, 2007

One of the Code Injection Attacks: LDAP Injection

LDAP Injection:

LDAP Injection is an attack technique that exploits web applications which build LDAP statements from unvalidated user-supplied input. By supplying input that changes the structure of the statement rather than just its data, the attacker can execute arbitrary LDAP statements against the directory service: read entries the application never meant to expose, bypass authentication checks that are implemented as searches, or, where the application also performs updates, change directory data. LDAP Injection is possible whenever an application constructs dynamic LDAP statements by concatenating unvalidated or unsanitized user input and sends the result to a directory server.

What Is LDAP?

Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for querying and manipulating directory services over TCP/IP. It was designed at the University of Michigan as a lightweight way to reach the complex enterprise directory standard X.500 from ordinary Internet hosts. Just as a database management system processes queries and updates against a relational database, an LDAP server processes queries and updates against an LDAP directory. An LDAP session starts when a client connects to the server; the client then sends operation requests and the server returns responses. The server may return responses in any order and, with few exceptions, the client need not wait for one response before sending the next request. LDAP is cross-platform and standards-based. Directory servers store their data hierarchically, as a tree of entries each named by a distinguished name, and are heavily optimized for read performance. Read and modification rights can be delegated with fine granularity using access control instructions (ACIs).

In Detail:

LDAP Injection attacks are less common than other injection attacks such as SQL Injection, but an LDAP Injection can occur anywhere the underlying code places unvalidated user input into an LDAP search filter, a distinguished name, or any other part of a query.

A common use of LDAP in web applications is to let users look up information about people, for example in a customer or employee directory. Such an application accepts a user name from the visitor and uses it in a search. The underlying code takes the submitted value, builds the LDAP search filter dynamically and runs it against the directory. In VB.NET with System.DirectoryServices the code might look like this:

' Vulnerable: the user-supplied name is concatenated straight into the filter.
Dim uName As String = txtSearch.Text
Dim searchQuery As String = "(cn=" & uName & ")"
Dim ldapObj As New System.DirectoryServices.DirectorySearcher( _
    New System.DirectoryServices.DirectoryEntry("LDAP://ou=customers,dc=example,dc=com"))
ldapObj.Filter = searchQuery
Dim results As System.DirectoryServices.SearchResultCollection = ldapObj.FindAll()

If the variable uName is not validated, LDAP injection is possible. An attacker can abuse this in the following ways, among others:
  • Entering * produces the filter (cn=*), which matches every object that has a cn attribute, so the application returns every user in the directory.
  • Entering xxx)((acno=*) produces the filter (cn=xxx)((acno=*)), which is syntactically invalid. What happens next depends on the server's filter parser: a strict RFC 4515 parser rejects the filter with an error, while a lenient one processes only the first complete filter, (cn=xxx), and returns the entry for xxx together with whatever attributes the application displays, such as the account number in acno.
There are many other possibilities, depending on how the query is constructed and what the application does with the result. An attacker typically starts by sending a few requests containing unusual characters such as *, (, ) and \ to see how the application reacts and to identify what validation the code performs. The attacker then reverse-engineers the structure of the filter to determine where the user-supplied data lands in it. Some applications use LDAP searches to authenticate users, for example with a filter of the form (&(uid=<user>)(userPassword=<password>)); in that case injecting into the user name can close the filter early and the password check is bypassed.

Countermeasures / Preventions:

Because LDAP injection is one of the code injection attacks, it is prevented the same way as the others: never let untrusted input change the structure of the statement.
Input Validation: This is the primary defence. The code should verify every value against a white list describing what legitimate input looks like, typically a regular expression that restricts the allowed characters and the length, and reject anything else. In addition, any value placed inside a filter should be escaped according to RFC 4515: backslash, asterisk, left and right parenthesis and NUL are written as \5c, \2a, \28, \29 and \00 so that they are treated as literal characters rather than filter syntax. Validation rejects unexpected input; escaping ensures that the characters which remain cannot alter the filter.
All data returned to the user should also be checked, and the number of entries and attributes returned by a query should be restricted as an added layer of security.
Please refer to my previous posting on Input Validation for more details.
LDAP Server Configuration: Enforce tight access control on the data in the directory, in particular on user objects. The account the web application uses to bind to the LDAP server should have the minimum rights required, ideally read-only access limited to the subtree it needs. The LDAP server should not be exposed directly to the Internet, which reduces the attack surface.
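The probing and bypass techniques described in the "In Detail" section and the validation and escaping countermeasures above are easier to see in running code. The following is an added example, not code from the original post: a minimal in-memory directory with a small parser for a subset of RFC 4515 filters, the vulnerable filter construction from the post beside a hardened version that white-lists the user name and escapes every value. The directory entries, the attribute names (cn, uid, acno, userPassword), the user-name policy in _USERNAME_RE and the strict/lenient switch in search() are assumptions made for this example; the lenient mode models a server that processes only the first complete filter and ignores what follows, which is what the )(&)) style bypass relies on.

```python
"""LDAP filter injection against a tiny in-memory directory.

Added example, not code from the original post. Entries, attribute names
(cn, uid, acno, userPassword) and the filters are constructed for
illustration; escaping follows RFC 4515 section 3.
"""
import re

# Constructed sample directory: each entry is a dict of single-valued attributes.
DIRECTORY = [
    {"cn": "alice", "uid": "alice", "acno": "10001", "userPassword": "s3cret"},
    {"cn": "bob", "uid": "bob", "acno": "10002", "userPassword": "hunter2"},
    {"cn": "admin", "uid": "admin", "acno": "10000", "userPassword": "Tr0ub4dor"},
]


def _parse(s, i):
    """Parse one filter at s[i] (subset of RFC 4515: &, |, !, attr=value).
    Returns (node, index just after the closing parenthesis)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if i + 1 >= len(s):
        raise ValueError("truncated filter")
    op, i = s[i + 1], i + 1
    if op in "&|":
        i, subs = i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, subs), i + 1
    if op == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", node), i + 1
    eq, close = s.find("=", i), s.find(")", i)
    if eq < 0 or close < eq:
        raise ValueError("malformed assertion at offset %d" % i)
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _match(pattern, actual):
    """Equality match: an unescaped '*' is a wildcard, an escaped \\2a is a literal."""
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual) is not None


def _eval(node, entry):
    if node[0] == "&":
        return all(_eval(n, entry) for n in node[1])  # (&) with no terms is always TRUE
    if node[0] == "|":
        return any(_eval(n, entry) for n in node[1])
    if node[0] == "!":
        return not _eval(node[1], entry)
    _, attr, pattern = node
    return attr in entry and _match(pattern, entry[attr])


def search(filter_str, strict=True):
    """Return the cn of every entry matching filter_str. strict=True rejects
    anything after the first complete filter, as a conformant server does;
    strict=False ignores it, the lenient behaviour the injections below rely on."""
    node, end = _parse(filter_str, 0)
    if strict and end != len(filter_str):
        raise ValueError("trailing characters after filter: %r" % filter_str[end:])
    return [e["cn"] for e in DIRECTORY if _eval(node, e)]


def is_valid_filter(filter_str):
    """True if a strict server would accept the filter at all."""
    try:
        search(filter_str)
        return True
    except ValueError:
        return False


# --- Vulnerable construction, as in the post: input concatenated into the filter ---
def search_by_name_vulnerable(uname, strict=True):
    return search("(cn=" + uname + ")", strict)


def login_vulnerable(uid, password, strict=True):
    return bool(search("(&(uid=" + uid + ")(userPassword=" + password + "))", strict))


# --- Hardened construction: white-list validation plus RFC 4515 escaping ---
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumed policy for this example


def escape_filter_value(value):
    """Escape a value for use inside a filter assertion (RFC 4515 section 3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def search_by_name_safe(uname):
    if not _USERNAME_RE.fullmatch(uname):  # reject anything off the white list
        raise ValueError("invalid username")
    return search("(cn=" + escape_filter_value(uname) + ")")  # and escape anyway


def login_safe(uid, password):
    if not _USERNAME_RE.fullmatch(uid):
        return False
    flt = "(&(uid=%s)(userPassword=%s))" % (escape_filter_value(uid), escape_filter_value(password))
    return bool(search(flt))
```

Calling search_by_name_vulnerable("*") returns every user, login_vulnerable("alice", "*") logs in with a wildcard password, and login_vulnerable("admin)(&))", "wrong", strict=False) authenticates as admin without the password on the lenient server (the injected (&) is the always-true filter and the real password clause is left outside the first filter); a strict server rejects that same filter outright, which is_valid_filter shows. login_safe refuses the injected user name at the white list, and even without the white list the escaped value \2a no longer acts as a wildcard. Note that checking a password by comparing userPassword in a filter is itself poor practice; a real application should bind to the directory as the user and let the server verify the credential, and the escaping still applies to every value it places in a filter.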


2 comments:

Anonymous said...

Hi, that kind of attack using LDAP Injection is based on the work of Sacha Faust, but it's an old work using a special old environment. In BH EU 2008 a much more modern work was published about this topic, with a lot of good examples.

LDAP Injection & Blind LDAP Injection

Cheers!

PS: Good Blogging!

Anonymous said...

It was rather interesting for me to read this post. Thanks for it. I like such themes and anything that is connected to them. I definitely want to read a bit more soon.