Anonymous LDAP binds, thoughts on real exposures

From: Philip Cox (phil.cox@systemexperts.com)
Date: Wed Dec 12 2007 - 10:08:46 EST

• Next message: Shenk, Jerry A: "RE: I want the PT list back...."
• Previous message: Carlos Moro García: "Re: Cain & Able man in the middle attack"
• In reply to: Victor DaViking: "Introducing penetrationtests.com - a directory project"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

All,

I was discussing with a colleague about allowing anonymous binds to a
Windows Active directory. The scenario was only internal, arguably trusted,
systems have network level access to the AD/LDAP server.

Given that, I can think of 3 basic classes of exposures:

1. Unauthorized Information leak: Anyone that can bind to the server can
gain SOME level of information access (depends on permissions)

2. Denial of Service: Such as overloading the server with requests once the
anonymous connection is established. One could argue that issuing anonymous
requests, even if they failed, could be used to perform the same basic
denial of service, so this would not be an increased risk due to allowing
anonymous binds

3. Potential exploit of bugs: When/if there is a vulnerability in one of the
underlying API calls to the AD server once a user has authenticated. Thus a
user that would not have authorization to make a certain call to the AD
server as an unauthenticated user, could make the call, and exploit the
vulnerability. For example, lets say the fictitious AD_Run_Object call was
vulnerable to a buffer overflow. An unauthenticated user trying to make the
call would be denied access to the call since they had not authenticated
first. However, an anonymous bind would allow the attacker to make the
AD_Run_Object call, and exploit the vulnerability.

I was thinking that if anonymous binds were required, you could do nothing
about #2 & #3. However, assuring tight AD permission settings could prevent
#1.

I am interested in thoughts of other classes of
attackes/vulnerabilites/exposures that allowing anonymous bind would present
on an INTERNAL network.

Any thoughts are appreciated.

Phil

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Shenk, Jerry A: "RE: I want the PT list back...."
• Previous message: Carlos Moro García: "Re: Cain & Able man in the middle attack"
• In reply to: Victor DaViking: "Introducing penetrationtests.com - a directory project"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:15 EDT