Attack Technique 7: LDAP Injection Attack

LDAP Injection Attack: Overview, Techniques, and Mitigation Strategies

Introduction to LDAP

Lightweight Directory Access Protocol (LDAP) is an open-source application protocol designed for directory services authentication and information retrieval. It provides a standardized communication interface between applications and directory services like Microsoft Active Directory (AD).

Key Points:

  • LDAP is a protocol, not a directory service itself.

  • Microsoft Active Directory (AD) uses LDAP to facilitate authentication and data retrieval within a network.

  • LDAP Queries: These are used to retrieve information such as user attributes or group memberships. For example, querying users with “Password never expires” enabled:

    (objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

Attack Technique: LDAP Injection

LDAP Injection is a vulnerability that arises when user input is improperly sanitized before being incorporated into an LDAP query. This allows attackers to manipulate queries and execute unauthorized commands or access sensitive data.

Vulnerability Mechanism

  • Injection Methodology: Attackers append malicious input to LDAP queries, leveraging special characters like *, (, or ).

  • Consequences:

    • Privilege Escalation: Unauthorized access to restricted information.

    • Access Control Bypass: Bypass login mechanisms.

    • Information Disclosure: Access sensitive user or directory data.

LDAP Injection Types and Examples

1. Privilege Escalation

Goal: Gain access to restricted directories or data.

Scenario:

  • A low-privileged user attempts to access secure documents stored in a restricted directory.

Injection Technique:

Information)(security_level=*))(&(directory=documents

Resulting Query:

(&(directory=Information)(security_level=*))(&(directory=Information)(security_level=low))

Explanation:

  • The query allows access to all documents with any security level (security_level=*), bypassing the intended restriction.

2. Access Control Bypass

Goal: Log in without valid credentials.

Scenario:

  • Login authentication query for user "Alice":

    (&(USER=Alice)(PASSWORD=PaSsW0rd!))

Injection Technique:

USER=Alice)(PASSWORD=*))(&

Resulting Query:

(&(USER=Alice)(PASSWORD=*))(&)

Explanation:

  • The query always evaluates to true for username "Alice," bypassing password validation.

3. Information Disclosure

Goal: Retrieve unauthorized data.

Scenario:

  • A product search query:

    (|(type=Notebooks)(type=Stickers))

Injection Technique:

uid=*

Resulting Query:

(|(type=Notebooks)(uid=*))(type=Stickers))

Explanation:

  • The query exposes all user accounts (uid=*), disclosing sensitive directory information.

Mitigation Techniques for LDAP Injection

To safeguard against LDAP injection, organizations must adopt comprehensive input validation and query construction practices.

1. Escaping Input Variables

Proper encoding of user inputs ensures that special characters are sanitized, preventing them from altering query logic.

Implementation:

  • Use LDAP-specific encoding libraries to escape input.

  • Avoid custom encoding logic to reduce the risk of improper sanitization.

Purpose: Prevent unauthorized input from altering LDAP query structures.

2. Distinguished Name (DN) Escaping

Distinguished Names (DNs) are unique identifiers within LDAP. Special characters within DNs, such as \, #, ,, and +, must be escaped to avoid query manipulation.

Example:

cn=John Doe, ou=Engineering, dc=example, dc=com

Risk:

  • Unescaped special characters may cause misinterpretation or unauthorized data access.

Best Practice:

  • Use built-in DN escaping functions in LDAP libraries.

3. Search Filter Escaping

LDAP search filters rely on precise query logic. Characters like *, (, and ) must be escaped to maintain query integrity.

Example:

  • A filter to find entries with specific managers:

    (&(ou=Physics)(|(manager=Freeman Dyson)(manager=Albert Einstein)))

Purpose:

  • Ensure that input within search filters does not introduce unauthorized logic.

Additional Defenses Against LDAP Injection

1. Least Privilege Principle for Binding Accounts

Binding Accounts are used to authenticate and execute queries within LDAP. Reducing their permissions minimizes potential damage.

Implementation:

  • Grant only the permissions required for specific tasks.

  • Regularly audit and review permissions.

Purpose: Restrict the scope of compromised accounts.

2. Enable Secure Bind Authentication

Bind Authentication verifies user credentials during LDAP access.

Secure Options:

  • Use Simple Authentication and Security Layer (SASL) for secure binding.

  • Disable Anonymous and Unauthenticated Bind to prevent unauthorized access.

Purpose: Strengthen access controls by ensuring secure authentication.

3. Allow-List Input Validation

Implement allow-listing to restrict inputs to predefined, safe values.

Techniques:

  • Use regular expressions for pattern matching.

  • Enforce length and data type restrictions.

  • Cross-reference inputs with known safe values.

Purpose: Prevent injection of unauthorized data into LDAP queries.

Conclusion

LDAP Injection is a significant security vulnerability that can lead to unauthorized access, privilege escalation, and information disclosure. By exploiting improperly sanitized inputs, attackers can manipulate LDAP queries and compromise sensitive directory data.

To defend against LDAP Injection:

  1. Sanitize and escape user inputs in all LDAP queries.

  2. Enforce the principle of least privilege for binding accounts.

  3. Implement secure binding and input validation techniques.

By adopting these mitigation strategies, organizations can strengthen their LDAP security and reduce the risk of exploitation, ensuring the integrity and confidentiality of their directory services.

PreviousAttack Technique 6: AS-REP RoastingNextAttack Technique 8: PetitPotam NTLM Relay Attack on a Active Directory Certificate Services (AD CS)

Last updated