CVE-2023-4506 & CVE-2023-4505: LDAP passback on miniOrange plugins

Cybertrinchera
4 min read · Sep 15, 2023


TLDR

I found two LDAP pass-back vulnerabilities in miniOrange LDAP plugins.

About miniorange plugins

The Staff/Employee Business Directory for Active Directory plugin is used to perform an LDAP search and display the Staff / Employees present in your Active Directory on a WordPress site using a shortcode. The users / staff / employee details will be fetched from the Active Directory dynamically. That means the users will not be created in WordPress, and neither will their information be stored. The plugin will seamlessly allow you to perform a Staff / Employee search through your business directory, employee directory, staff directory, or any other Active Directory implementations from your WordPress site and display the information you would like to see.

Plugins affected

  • Active Directory Integration for Intranet Sites WordPress
  • Staff / Employee Business Directory for Active Directory

Overview

Some time ago, while learning some attack techniques related to Active Directory, I discovered the concept of LDAP pass-back and incorporated it into my testing repertoire.

About a month ago I found an asset inside a bug bounty program that made use of a WordPress plugin to perform authentication over LDAP, and I decided to install it to test whether I could find any exploitable vulnerability in the context of the program.

While the only thing that fell within its scope was an information disclosure, I found a number of extra vulnerabilities that an attacker could exploit, as is the case with these two LDAP pass-backs.

What is LDAP Pass-Back?

LDAP Pass-Back is an attack that exploits how some systems authenticate users to a directory service such as LDAP (Lightweight Directory Access Protocol).

Generally, even from the administration panel of a device that uses LDAP for authentication, it is not possible to recover the password of the LDAP account used to bind. This attack exploits the possibility of changing the host against which the device authenticates: by pointing it at a system controlled by the attacker, the device sends that system the credentials the application uses.

PoC

Active Directory Integration for Intranet Sites WordPress (CVE-2023-4506)

First, this is the configuration panel accessible from the plugin interface; the entry point we are interested in here is the LDAP server URL field:

An attacker who has gained access to the service by any means could change this URL to point to a rogue LDAP server under their control, where the credentials arrive in plain text.

To set this up we can either install an LDAP server from scratch on a VPS, or use the dockerized version I uploaded to GitHub a few months ago (https://github.com/pedrojosenavasperez/ldap-passback-docker).
Once it is deployed on the attacker-controlled server, we only have to test the connection with the button provided by the plugin, and we will see the credentials reach that server in plain text.

Staff / Employee Business Directory for Active Directory (CVE-2023-4505)

This one is quite similar to the previous plugin.

Again, an attacker who has gained access to the service by any means could change the server URL to point to a rogue LDAP server under their control, where the credentials arrive in plain text.

When we hit “Test Connection”, the credentials arrive in plain text at our rogue LDAP server.

Solution

At this point miniOrange has decided not to patch the vulnerability, despite a long thread of communications with them explaining the problem and proposing solutions.

According to them, an attacker with access to WordPress should be able to access LDAP as well, and the only mitigation they propose is to disable LDAP in favor of LDAPS on the network, which does not provide any protection against this attack.

References


Cybertrinchera

Also known as srbleu on many platforms. I'm here to share some knowledge.