I would think it would depend on the desired permissions of the anonymous user. Some LDAP directories are intended for anonymous use, but this functionality should be configurable within the directory. I know it is in eDirectory's LDAP implementation. The ideal configuration should allow you to completely disallow anonymous binding if that is the desired configuration.

>>> Sardañons, Eliel <Eliel.Sardanonsphilips.edu.ar> 06/29/01 09:40AM >>>
Hello, I have been looking at the microsoft LDAP service error codes
responses and when I'm not authenticated (anonymous) I can know if an object
exists or not. I would like to know if this is an implementation problem.

Problem 1:

Here we have a log of the saucer program (an ldap client) as you can see,
I'm connected to 192.168.0.1:389 (ldap) anonymously, when I make a search
for a user (or another object) that exist it returns to me a 'LDAP_SUCCES'
but no data in the response (because i'm not logged in). But when I make a
search trying to find a user or another object that doesn't exist it returns
a 'No such object'. This can be used by an attacker to gather information
from the windows box, for example if somebody want's to know if an account
named 'test' exists, he can search for that user object and if it returns an
ldap_succes the user exist, so he can start trying to brute force that
account.

-------- Saucer LOG --------

/usr/local/ldap/openldap-2.0.4/contrib/saucer# ./saucer -h 192.168.0.1

Bound anonymously to ldap server
saucer dn=> show CN=Administrator,CN=Users,DC=dev,DC=local
Results...
saucer dn=> show CN=Administrators,CN=Users,DC=dev,DC=local
Results...
Error...
./saucer: No such object
        matched DN: "CN=Users,DC=dev,DC=local"
        additional info: 0000208D: NameErr: DSID-031001C9, problem 2001
(NO_OBJECT), data 0, best match of:
        'CN=Users,DC=dev,DC=local'

saucer dn=>

----- EOF --------

Problem 2:

Another problem I have seen is that when I use my brute force program
(brute_force_ldap) to try to guess a Windows password and I run 5 or more
instance of my program at the same time like this:

./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_1 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_2 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_3 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_4 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_5 -l 8 &
./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_6 -l 8 &

the CPU usage in www.victim.com is at 100%!!! And the console is unusable in
the windows box. I try this using a none_existent_user and an existent_user
and it consumes more resources with non existent users.

So an attacker can use my program as a Distributed Denial Of service Attack
(ddos) running it from different machines at the same time with a unique
target. (www.victim.com).

SOLUTIONS:
        Problem 1:
                Return 'Object Not found' if the user has no priviliges.
        Problem 2:
                RST the TCP connection if the user put wrong credentials or
introduce a delay in each try.

Eliel C. Sardañons
eliel.sardanonsphilips.edu.ar
Escuela Tecnica Philips Argentina

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]