
How to understand LDAP injection

2025-03-26 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how to understand LDAP injection. The content is clear and well organized, suitable for beginners, and worth reading. Interested readers can follow along with the editor; I hope you get something out of it.

1. LDAP injection

LDAP (Lightweight Directory Access Protocol) is a lightweight directory access protocol based on the X.500 standard that provides the services and protocol for accessing directory databases; together with a directory database it forms a directory service. A directory is a specialized distributed database optimized for querying, browsing and searching. It organizes data in a tree structure, similar to the file system directories of Linux/Unix. Data that is rarely modified, such as public certificates, security keys and company physical device information, is well suited to storage in a directory. LDAP can be understood as a search protocol: like SQL, it has a query syntax and therefore carries the risk of injection attacks. LDAP injection is an attack in which the input string of a client query request contains special characters that change the structure of the original LDAP query, so that more data than authorized can be accessed.

This article takes Java source code as an example to analyze the causes and fixes of LDAP injection vulnerabilities in the samples for CWE ID 90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'). For more information, see:

CWE ID 90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
http://cwe.mitre.org/data/definitions/90.html

CWE ID 639: Authorization Bypass Through User-Controlled Key
http://cwe.mitre.org/data/definitions/639.html

2. Harm of LDAP injection

LDAP injection uses user-supplied parameters to generate malicious LDAP queries, constructing LDAP filters that bypass access control and elevate user privileges. By injecting AND and OR operations, an attacker can obtain sensitive information while keeping the original filter syntactically valid.

From January 2018 to January 2019, four CVE entries related to LDAP injection were published. Some of the vulnerabilities are listed below (CVE number, followed by an overview):

CVE-2018-12689: phpLDAPadmin 1.2.2 allows LDAP injection via a crafted serverid parameter in a cmd.php?cmd=loginform request, or via a crafted user name and password in the login panel.

CVE-2018-5730: MIT krb5 1.6 or later allows an authenticated kadmin that can add principals to the LDAP Kerberos database to bypass the DN container check by supplying both "linkdn" and "containerdn" database arguments, or by supplying a DN string that is an extension of the container DN.

CVE-2016-8750: Apache Karaf before 4.0.8 uses LDAPLoginModule to authenticate users against LDAP; because the user name is not encoded correctly, it is vulnerable to LDAP injection, resulting in a denial of service.

CVE-2011-4069: html/admin/login.php in PacketFence before 3.0.2 allows remote attackers to conduct LDAP injection attacks and bypass authentication via a specially crafted user name.

3. Sample code

The example is taken from the SAMATE Juliet Test Suite for Java v1.3 (https://samate.nist.gov/SARD/testsuite.php), source file name: CWE90_LDAP_Injection__connect_tcp_01.java.

3.1 defect code

The sample code above is lines 39-61. The program opens a TCP connection, reads data from the socket and assigns it to the variable data. An LDAP query statement is constructed dynamically on line 118 and executed on line 119. LDAP defines common object classes for people and organizations; for example, person contains attributes such as sn, cn, telephoneNumber and userPassword. The query checks whether an employee named by the variable data exists, but the contents of data are not filtered. Using the simplest injection, if the incoming value is "*", the dynamically constructed query condition becomes "(cn=*)", which returns the information of all employees and results in information disclosure.

Scanning the sample code above with 360 Code Guardian detects the "LDAP injection" defect and reports it at high severity. The taint source and the flow of the data can be analyzed from the tracking path, and the defect is reported on line 120 of the code, as shown in figure 1:

Figure 1:LDAP injection detection example

3.2 fix the code

In the repaired code above, line 119 uses the BasicControl class under the javax.naming.ldap package to receive the parameter that needs to be processed, and on line 120 the control object calls the getEncodedValue() method to encode the received parameter data; the encoded value is the ASN.1 BER encoding of the characters. The encoded byte array contains no special characters that would be interpreted as part of the command, so an LDAP query with the intended structure and content can be constructed, which avoids LDAP injection.

Scanning the repaired code with 360 Code Guardian shows that the "LDAP injection" defect is no longer reported, as shown in figure 2:

Figure 2: test results after repair

4. How to avoid LDAP injection

The root cause of LDAP injection is that the attacker supplies LDAP metacharacters that change the meaning of the LDAP query. When constructing LDAP filters, programmers should know which characters will be parsed as commands and which will be parsed as data. To prevent attackers from subverting those assumptions, a whitelist approach should be used to ensure that user-controlled values in LDAP queries come entirely from a predetermined set of characters and contain no LDAP metacharacters. If a user-controlled value legitimately needs to contain LDAP metacharacters, their meaning in the LDAP query should be escaped using the appropriate encoding mechanism.

Characters such as &, !, |, =, +, -, ", ', and ; are not normally used in these values. If they appear in user input, they need to be escaped with a backslash.

Characters such as (, ), \, *, / and NUL not only need a backslash but must also be replaced by the corresponding ASCII code value.
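The following Java class is an added example written for this article; it is not the Juliet sample nor the repaired code described in section 3.2. It puts the vulnerable "(cn=" + data + ")" pattern from section 3.1 next to two of the defenses from section 4: an allow-list check on the value, and an escaping routine that replaces the filter metacharacters *, (, ), \ and NUL with a backslash followed by their two-digit hex code (the RFC 4515 filter-escaping rule, which is the second list above). It also shows, in employeeExists(), the standard JNDI way of passing the value as a filter argument with a {0} placeholder so that the provider escapes it, instead of the BasicControl encoding the article describes. The class name, method names, the base DN parameter and the allowed-name character set are assumptions for the demo; the sample inputs in main() are constructed. Escaping of values placed into a distinguished name (rather than a filter) follows different rules and is not covered here.

```java
import java.nio.charset.StandardCharsets;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapFilterDemo {

    // Vulnerable pattern from section 3.1: the socket data goes straight into the filter.
    static String vulnerableFilter(String data) {
        return "(cn=" + data + ")";
    }

    // Escape a value for use inside an LDAP search filter (RFC 4515 rules):
    // '*', '(', ')', '\' and NUL become a backslash followed by two hex digits.
    // Bytes above 0x7f (UTF-8 multibyte characters) are escaped the same way.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c > 0x7f) {
                sb.append('\\').append(String.format("%02x", c));
            } else {
                sb.append((char) c);
            }
        }
        return sb.toString();
    }

    // Hardened filter: the same query, with filter metacharacters in the value neutralised.
    static String safeFilter(String data) {
        return "(cn=" + escapeFilterValue(data) + ")";
    }

    // Allow-list check (the first measure section 4 recommends): accept only a fixed character set.
    // The set used here is an assumption for the demo; real employee names may need a wider one.
    static boolean isAllowedName(String data) {
        return data.matches("[A-Za-z0-9 .\\-]{1,64}");
    }

    // JNDI alternative: hand the value to DirContext.search() as a filter argument.
    // {0} is the placeholder; the provider escapes the argument itself, so no string
    // concatenation is involved. Needs a live directory, so main() does not call it.
    static boolean employeeExists(DirContext ctx, String baseDn, String data) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);   // existence check only, return no attributes
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, "(cn={0})", new Object[] { data }, sc);
        try {
            return results.hasMore();
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal name, the "*" case from section 3.1,
        // a legitimate-looking name containing parentheses, and a name with a backslash.
        String[] inputs = { "alice", "*", "O'Neil (Sales)", "a\\b" };
        for (String in : inputs) {
            System.out.println("input:     " + in);
            System.out.println("  allowed: " + isAllowedName(in));
            System.out.println("  unsafe:  " + vulnerableFilter(in));
            System.out.println("  escaped: " + safeFilter(in));
        }
    }
}
```

Running main() shows the difference between the two defenses: the allow-list rejects both "*" and "O'Neil (Sales)" outright, while escaping keeps the legitimate name usable (its parentheses become \28 and \29) and turns the "*" input into the literal value \2a, so the filter matches only an entry whose cn is an asterisk rather than every employee. The apostrophe is left alone because it has no meaning inside a filter; it matters only when a value is placed into a DN.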
