2025-01-23 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article analyses how an LDAP NULL bind (anonymous bind) can turn into a login bypass in an application that authenticates against LDAP, how to reproduce the problem, and how to fix it on both the server side and the application side.
Analysis and fix of a login bypass caused by LDAP NULL bind (anonymous bind)
I. Background
1.1 LDAP and the authentication process
LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over IP networks. Directory servers are optimised for reads: read performance is excellent, write performance comparatively poor.
As an open Internet standard, LDAP is cross-platform and widely adopted. Only a little configuration is needed for an application to authenticate against a directory server, which makes it a convenient basis for unified authentication services such as the SSO systems we use every day.
An LDAP bind can be understood as the login step of the protocol. In practice, an application that authenticates against LDAP uses one of three approaches to decide whether a login succeeds:
1. Bind to the LDAP server with the user's own DN (or user name) and password. This is the simplest and most common implementation, and the one most third-party applications use.
2. Retrieve the user's entry from LDAP and compare the submitted password with the password attribute stored in the entry. Rarely used, because most LDAP servers do not allow the password attribute to be read.
3. The "double bind": first bind anonymously (or with a service account) to search for the user's entry and obtain its DN, then bind a second time with that DN and the submitted password. Also common, and, in its anonymous form, relies on the server permitting the first bind.
1.2 NULL bind
Also called anonymous bind. Unlike anonymous access (reading directory data without credentials), an anonymous bind by itself is in many cases not regarded as a vulnerability: the client sends a bind request with an empty name and an empty password, no authentication takes place, and the connection is bound as an anonymous session that cannot search or read the directory. Only if the server also permits anonymous access can such a session run queries.
On Active Directory on Windows Server 2016, for example, an anonymous bind against rootDSE succeeds, but the anonymous session cannot query the directory under the naming contexts rootDSE advertises.
Figure 1. Anonymous bind succeeds
Figure 2. Anonymous access / query fails
Figure 3. Query / access succeeds after authenticating
The issue is described in sections 5.1.2 and 6.3.1 of RFC 4513.
https://datatracker.ietf.org/doc/rfc4513/?include_text=1
The relevant passages, in translation:
5.1.2
An LDAP client may use the unauthenticated authentication mechanism of the simple Bind method to establish an anonymous authorization state by sending a Bind request with a name value (a distinguished name in LDAP string form [RFC 4514] of non-zero length) and specifying the simple authentication choice containing a password value of zero length.
...
Users who intend to perform name/password authentication may inadvertently provide an empty password and thus cause poorly implemented clients to request unauthenticated access. Clients should disallow an empty password input to a name/password authentication user interface. Additionally, servers should by default fail unauthenticated Bind requests with a resultCode of unwillingToPerform.
...
6.3.1
...
Clients that use the results from a simple Bind operation to make authorization decisions should actively detect unauthenticated Bind requests (by verifying that the supplied password is not empty) and react appropriately.
...
1.3 NULL bind on the server side
Microsoft Active Directory: by default (Windows Server 2003 and later) AD does not permit anonymous LDAP operations against the directory, with one exception that cannot be disabled: anonymous bind and search against rootDSE.
On Windows Server releases before 2003 (Windows 2000 Server) anonymous LDAP operations against Active Directory, including bind, search and query, are allowed and must be disabled manually.
Microsoft's official statement: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled
Active Directory: stores information about objects on the network and makes it easy for administrators and users to find and use that information.
rootDSE: the root of the directory information tree of a directory server, providing data about the server itself. A client that knows only the host name and port a directory server listens on learns about the server by querying rootDSE.
It typically contains:
- vendor name and version (vendorName, vendorVersion)
- the naming contexts the server holds (namingContexts)
- the request controls the server supports (supportedControl)
- the SASL mechanisms the server supports (supportedSASLMechanisms)
- the features the server supports (supportedFeatures)
- the location of the schema (subschemaSubentry) and other information
OpenLDAP: simple bind is the default, and current versions allow anonymous bind by default; it can be disabled by configuration. Some earlier versions also allowed anonymous access (reads) by default. https://openldap.org/doc/admin24/security.html
II. Case
2.1 Vulnerability description
(1) In an IT system the administrator assigns authorised accounts and maintains a list of them; passwords are verified against LDAP.
(2) At login, the system checks that the user name is in its own account list, then submits the credentials to LDAP and uses the result to decide whether the login succeeds.
(3) Departed users (accounts that no longer exist in LDAP but are still in the system's own user list) can log in with any password.
2.2 Cause analysis
Reviewing the code shows the following logic:
1. Check that the submitted user name is an assigned, legitimate user.
2. For a legitimate user, query the user's DN from the LDAP server.
3. Submit the DN and the password in an LDAP bind, and treat the bind result as the login result.
The cause of the vulnerability lies in step 2: because the departed employee's entry has been deleted from LDAP, the DN lookup returns an empty string. The directory server is a Windows Server domain controller, which accepts a NULL bind against rootDSE, so an empty DN together with an arbitrary password is submitted, the bind succeeds, and the PHP code takes the true result of ldap_bind() as a successful login.
This is the same situation as in the figure: if no base is selected, Base defaults to rootDSE, and Microsoft AD's rootDSE allows anonymous binding.
The code block in question is shown in the figure; the return value of ldap_bind() alone decides the login.
The fix adds a check on ldap_user_dn: if the user does not exist in LDAP (the DN is empty), an error is returned immediately and nothing is submitted to the server.
III. Reproduction
3.1 Nessus scan
Nessus reports the condition inconsistently, as plugin 10723 (described below), classified as a medium-risk information disclosure.
The plugin description itself states that it does not demonstrate anonymous access to directory data, and that LDAPv3 requires servers to support a NULL bind.
https://www.tenable.com/plugins/nessus/10723
3.2 Manual testing
3.2.1 LdapAdmin
Enter the host and select "Anonymous connection".
Figure: NULL bind supported
Figure: NULL bind not supported
3.2.2 Softerra LDAP Browser
The verification procedure with the Softerra LDAP Browser tool is as follows:
1. Select the server and set Base DN to RootDSE.
2. Select "Anonymous user".
3. Click Finish; the tool binds anonymously and loads the root (rootDSE) information.
If NULL bind is not supported, the root information cannot be loaded.
3.2.3 Python script
Python (python-ldap). If simple_bind_s() is called with empty who and cred values and the server accepts a NULL bind, the call returns without error and the script proceeds to the print; if the server refuses, the call raises an exception instead.

import ldap

ldapconn = ldap.initialize('ldap://X.X.X.X:389')
# Returns normally if the server accepts the NULL bind; otherwise raises
# ldap.LDAPError (typically ldap.INVALID_CREDENTIALS or ldap.UNWILLING_TO_PERFORM)
ldapconn.simple_bind_s('', '')
print("hello")

The official python-ldap documentation describes simple_bind_s(who, cred) with both parameters optional, so empty values are accepted for who and cred.
https://pypi.org/project/python-ldap/
IV. LDAP server adjustments
4.1 OpenLDAP
According to the official documentation, anonymous bind is disabled with "disallow bind_anon" in slapd.conf (and "require authc" makes every operation require authentication); under cn=config the equivalent attributes are olcDisallows and olcRequires.
https://openldap.org/doc/admin24/security.html
1. Edit /etc/openldap/slapd.d/cn\=config.ldif and add:
olcDisallows: bind_anon
olcRequires: authc
Edit /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{-1\}frontend.ldif and add:
olcRequires: authc
(The files under slapd.d are generated and carry a "DO NOT EDIT" header; editing them by hand only takes effect after the restart in the next step. Applying the same attributes with ldapmodify against cn=config is the supported route and needs no restart.)
2. Restart the slapd service:
systemctl restart slapd
Validation: an anonymous bind is now refused.
Note that with anonymous binds disallowed, an application using the "double bind" approach must perform its first, lookup bind with a service account rather than anonymously.
On Windows builds of OpenLDAP the same file can be edited directly.
4.2 Windows Server AD (Active Directory only)
Since Windows Server 2003, anonymous LDAP operations against Active Directory are not allowed by default.
The anonymous bind to rootDSE, however, is part of the design and cannot be disabled.
Anonymous access to the directory itself is controlled as follows:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled
1. On the domain controller, run AdsiEdit.msc and connect to the Configuration naming context.
2. Expand [CN=Configuration,CN={GUID}], then [CN=Services], then [CN=Windows NT], right-click [CN=Directory Service] and choose Properties.
3. In the dsHeuristics attribute, the 7th character controls anonymous LDAP operations: 2 (a value such as 0000002) allows them, 0 disallows them. Set that character to 0 or clear the attribute; if the attribute already holds a longer value, change only the 7th character, because the other positions control unrelated settings.
4. With any LDAP tool, connect anonymously and try to fetch DNs: anonymous access to Active Directory now fails.
V. Secure coding
Where authentication is delegated to an LDAP server, the back-end check that avoids this problem is simple: reject an empty DN (user not found in LDAP) and an empty password before anything is sent to the server, and decide the login only on a successful bind with the real credentials. Enforce this on the back end, not only in the front end, and review the handling of every parameter submitted to LDAP.
In addition, applications that authenticate through LDAP must avoid LDAP injection: user input that ends up in a search filter or DN must be escaped.
The figure shows the LDAP verification logic of the open-source VMware Harbor platform as an example.
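The following is an added example, not code from the original article or from any of the products it mentions. It puts the flawed login flow of section 2.2 next to the hardened form described in section V, and includes the NULL-bind probe of section 3.2.3 as a function. FakeADConnection is a constructed stand-in for python-ldap's LDAPObject that mimics the simple-bind behaviour the article describes for a default Active Directory domain controller (empty DN accepted with any password; empty password accepted as an unauthenticated bind), so the example runs offline; the user names, DNs and passwords are constructed sample data. Against a real server, ldap.initialize("ldap://X.X.X.X:389") can be passed in place of the fake, since only simple_bind_s() and whoami_s() are used, with ldap.LDAPError in place of the local LDAPError.

```python
# Added example, not code from the original article: the login flow of section
# 2.2 in its vulnerable and hardened forms, plus the NULL-bind probe of section
# 3.2.3. FakeADConnection is a constructed stand-in for python-ldap's LDAPObject
# that mimics the simple-bind behaviour described for a default AD DC, so the
# example runs offline (with python-ldap, catch ldap.LDAPError instead).


class LDAPError(Exception):
    """Stands in for ldap.LDAPError."""


class INVALID_CREDENTIALS(LDAPError):
    """Stands in for ldap.INVALID_CREDENTIALS (resultCode 49)."""


class FakeADConnection:
    """Constructed model (assumption) of simple-bind handling on a default AD DC:
    - empty DN with any password       -> anonymous bind succeeds (rootDSE NULL bind)
    - non-empty DN with empty password -> unauthenticated bind, treated as anonymous
                                          (RFC 4513 5.1.2; AD accepts it by default)
    - DN with its correct password     -> session authenticated as that DN
    - anything else                    -> INVALID_CREDENTIALS
    """

    def __init__(self, passwords, allow_anonymous=True):
        self._passwords = passwords          # {dn: password}, constructed sample data
        self._allow_anonymous = allow_anonymous
        self._authz_id = None                # None = not bound yet

    def simple_bind_s(self, who="", cred=""):
        if who == "" or cred == "":
            if not self._allow_anonymous:
                raise INVALID_CREDENTIALS("anonymous/unauthenticated bind disallowed")
            self._authz_id = ""              # bound, but as nobody
            return
        if self._passwords.get(who) == cred:
            self._authz_id = "dn:" + who
            return
        raise INVALID_CREDENTIALS("invalid credentials")

    def whoami_s(self):
        """Like the Who Am I? extended operation: '' for an anonymous session."""
        return self._authz_id or ""


# Constructed sample data: bob has left the company, so he is still in the
# application's own user list but his LDAP account was deleted.
DIRECTORY_PASSWORDS = {"CN=alice,CN=Users,DC=example,DC=com": "S3cret!"}
DN_BY_USERNAME = {"alice": "CN=alice,CN=Users,DC=example,DC=com"}
APP_USERS = {"alice", "bob"}


def lookup_dn(username):
    """Stands in for the application's LDAP search by sAMAccountName; like the
    original PHP code it yields an empty DN when the account no longer exists."""
    return DN_BY_USERNAME.get(username, "")


def login_vulnerable(conn, username, password):
    """The flawed flow of section 2.2: a successful bind alone decides the login."""
    if username not in APP_USERS:
        return False
    dn = lookup_dn(username)                 # "" for bob
    try:
        conn.simple_bind_s(dn, password)     # "" + any password -> anonymous bind
        return True                          # ... reported as a successful login
    except LDAPError:
        return False


def login_hardened(conn, username, password):
    """Fail closed on an empty password or DN, then verify the bound identity."""
    if username not in APP_USERS:
        return False
    if not password:                         # RFC 4513 5.1.2: never send an empty password
        return False
    dn = lookup_dn(username)
    if not dn:                               # account gone from LDAP: refuse, do not bind
        return False
    try:
        conn.simple_bind_s(dn, password)
    except LDAPError:
        return False
    return conn.whoami_s() != ""             # an authenticated session is never anonymous


def null_bind_allowed(conn):
    """Section 3.2.3 probe: does the server accept a NULL (anonymous) bind?"""
    try:
        conn.simple_bind_s("", "")
        return True
    except LDAPError:
        return False


if __name__ == "__main__":
    conn = FakeADConnection(DIRECTORY_PASSWORDS)
    print("NULL bind allowed:", null_bind_allowed(conn))
    print("bob / 'anything': vulnerable =", login_vulnerable(conn, "bob", "anything"),
          "hardened =", login_hardened(conn, "bob", "anything"))
```

The two bypass paths the fake server reproduces are the article's own (empty DN for a departed user) and the RFC 4513 unauthenticated bind (real DN, empty password); login_vulnerable accepts both, login_hardened rejects both before any bind is sent. The final whoami_s() check is defence in depth for servers that still answer an empty credential with an anonymous session; python-ldap returns an empty authorization identity for such a session.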
© 2024 shulou.com SLNews company. All rights reserved.