Published in CodeX

LDAP Injection and Why it Occurs


WHAT IS LDAP INJECTION?

LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral protocol that runs over TCP/IP and gives applications a standard way to query and modify a directory service. The directory behind it holds entries such as user accounts, credentials, group memberships and device records, and LDAP is the language an application uses to search, add, modify or delete those entries. Because it is designed for fast lookups, applications use it to answer questions such as "does this user exist?" or "which groups is this user in?" quickly and efficiently. An example makes this more concrete.

Think of sending an email to a new hire and then printing a copy on a newly installed printer: the application finds the user's mailbox and the printer by looking both up in the directory over LDAP. Because the protocol is lightweight, these lookups cost the client and the server few resources.

Why is it considered a severe vulnerability?

An LDAP injection occurs when a web application builds an LDAP search filter by concatenating user-supplied input without validating or escaping it. An attacker can then place filter syntax (parentheses, operators and wildcards) into an input field so that the query the server actually evaluates is no longer the one the developer wrote. The injected filter runs with the privileges of the account the application uses to bind to the directory, not those of the attacker: if that account is an administrator, the injection can read, change or delete anything in the LDAP tree. Many businesses rely on directory services for authentication and day-to-day operations, so a successful LDAP injection can disclose sensitive data, bypass authentication or authorization, and provide a foothold for further attacks against other systems and applications.

LDAP injection comes in two flavours, depending on the operator of the filter the input lands in: AND injection, where the attacker closes or extends a filter of the form (&(attr=value)...), and OR injection against a filter of the form (|(attr=value)...). Both are illustrated below.

Issues that can be exploited through LDAP injection

Authentication Bypass

User authentication and authorization are often performed against a directory service, so the most basic LDAP injection attacks aim to bypass authentication. A typical login check builds a filter that ANDs the supplied username and password, of the shape (&(USER=Uname)(PASSWORD=Pwd)), and treats a non-empty result as a successful login.

If a legitimate user submits their username and password, both values are substituted into the filter and the search succeeds only if an entry with exactly that combination exists.

If the search returns an entry, the username and password combination exists in the directory and the user is logged in. An attacker can instead supply LDAP filter syntax as the username so that the resulting filter is always true: for example, a username containing a wildcard and extra parentheses that close the USER clause and start a new, always-true clause.

This lets the attacker in even though the supplied username or password is not genuine.
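The following Python is an added example, not code from the original post: it builds the login filter described above by raw concatenation, then builds the same filter with every user-supplied value escaped per RFC 4515 section 3 (python-ldap's ldap.filter.escape_filter_chars does the same thing). The attribute names USER and PASSWORD follow the post rather than any real schema, and the username allow-list, the payload and the clause_count check are assumptions made for illustration.

```python
"""Added example (not from the original post): build a login filter two ways.

The hardened path escapes each value per RFC 4515 section 3, so the five
characters that carry meaning inside a filter value are written as a
backslash plus two hex digits and can no longer alter the filter's structure.
"""
import re

# RFC 4515: backslash, asterisk, parentheses and NUL must be escaped.
# Backslash is listed first only for readability; the loop below handles
# each character once, so nothing is escaped twice.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed allow-list for usernames at this (hypothetical) site.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Hex-escape the RFC 4515 special characters in a filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(user: str, pwd: str) -> str:
    """Raw concatenation: the filter's structure is under the user's control.
    Attribute names USER and PASSWORD follow the post; they are not real schema."""
    return f"(&(USER={user})(PASSWORD={pwd}))"


def login_filter_safe(user: str, pwd: str) -> str:
    """Same filter shape, but every value is escaped so it can only be data."""
    return (f"(&(USER={escape_filter_value(user)})"
            f"(PASSWORD={escape_filter_value(pwd)}))")


def valid_username(user: str) -> bool:
    """Allow-list check applied before the filter is built: reject anything
    that is not a plain account name rather than trying to clean it up."""
    return _USERNAME_RE.fullmatch(user) is not None


def clause_count(filter_text: str) -> int:
    """Number of '(' in the filter text.  Escaped parentheses are written as
    \\28 and \\29, so after escaping this equals the number of clauses the
    developer wrote (3 for a two-clause AND filter); a larger number means
    user input added clauses of its own."""
    return filter_text.count("(")


if __name__ == "__main__":
    # Classic always-true payload: closes the USER clause, adds a wildcard
    # comparison, then opens an OR so the rest of the original filter parses.
    payload = "*)(USER=*))(|(USER=*"
    print(login_filter_vulnerable(payload, "anything"))
    print(login_filter_safe(payload, "anything"))
    print(valid_username(payload), valid_username("jitendra"))
```

Escaping is the minimum; where the application already knows what a valid username looks like, the allow-list check is the better first line of defence, and for authentication itself the right design is to look the user up by escaped name and then bind to the directory as that user, rather than comparing the password inside a search filter at all. Note that the escaping above is for filter values only; a value that goes into a distinguished name needs the separate RFC 4514 encoding.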

Information disclosure

An attacker can inject LDAP filter syntax into a vulnerable application that uses filters to find shared resources such as printers, scanners or IP phones. If the application is vulnerable, the attacker can enumerate every object in the organization's directory, not just the resource type the page was meant to list. Consider a filter built in an unsafe way to list printers and scanners, with the resource type taken straight from the request.

If the attacker knows that userID is the attribute used for user names in the directory, they can replace the printer value with text that closes the printer clause and appends a (userID=*) comparison.

The server then returns all printer and user objects; with a lenient server, the scanner part of the original filter becomes trailing text after the first complete filter and is ignored.

Access control bypass

A login page has two input fields, one for the username and one for the password, which we will call USER (Uname) and PASSWORD (Pwd). The client submits the pair, and the application turns it into a search filter of the form (&(USER=Uname)(PASSWORD=Pwd)) and sends it to the LDAP server to check that an entry with that pair exists.

An attacker who knows a valid username (say, jitendra) can append a crafted sequence to it and so bypass the password check: once the username is known, any string will do as the Pwd value. Submitting jitendra)(&) as the username produces the following filter:

(&(USER=jitendra)(&))(PASSWORD=Pwd))

A lenient LDAP server processes only the first complete filter, (&(USER=jitendra)(&)), and discards the rest. (&) is the absolute-true filter defined in RFC 4526, so the conjunction is true for the jitendra entry and the attacker is logged in without the proper password. Whether the leftover text is silently ignored or rejected as a malformed filter depends on the server implementation; OpenLDAP is known to accept the first filter, while stricter servers return an error instead of a login.

Elevation of Privileges

Some queries return the list of documents visible to users at a given security level. For example, the directory named Information contains files such as /Information/Reports and /Information/Upcoming projects, and the query takes two parameters: the directory name (here Information) and the privilege level (here Low), producing a filter like (&(directory=Information)(privileges=low)). To read the documents reserved for higher privilege levels, the attacker injects into the first parameter a value such as:

Information)(privileges=*)

This injection turns the filter into:

(&(directory=Information)(privileges=*))(privileges=low))

As before, a lenient LDAP server evaluates only the first complete filter, (&(directory=Information)(privileges=*)), and ignores the trailing (privileges=low)). The privileges=* comparison matches every level, so the attacker sees the list of documents that are normally restricted to users with the highest security permissions, even though their own account was never granted access to them.

Information disclosure (OR injection)

Some resource explorers let a user check which items are available in the system. Take a website that sells clothing: a user searches for a specific shirt or pair of trousers and sees whether it is in stock. Such searches typically use an OR filter, so OR injection applies:

(|(Resource1=trouser)(Resource2=track-suits))

Resource1 and Resource2 each describe a type of resource, and the filter above lists all trousers and track-suits available in the system. An attacker exploits this by submitting Resource1=jeans)(uid=*, so that the filter sent to the server becomes:

(|(Resource1=jeans)(uid=*)(Resource2=track-suits))

This is a well-formed filter, so even a strict server evaluates it in full, and the result lists all the jeans together with every user object that has a uid.

Conclusion:

LDAP is an open standard, not a vulnerability in itself, but an application that builds filters by concatenating untrusted input opens itself to authentication bypass, information disclosure, privilege elevation and more. The fix is on the application side: validate input against an allow-list where the set of valid values is known, escape every user-supplied value with the RFC 4515 filter encoding (and the RFC 4514 encoding when the value goes into a DN), authenticate users by binding as them rather than by comparing passwords in a search filter, and give the application's own bind account only the directory rights it needs. Otherwise important information about the company may be compromised.

Security Lit Limited