AttackFlow Findings Dictionary


Insecure LDAP SimpleBind

The attacker can access LDAP account passwords in cleartext

Severity: Critical

Fix Cost: Medium

Trust Level: High

Basic authentication is one of the oldest and most widely used authentication techniques, and it is inherently insecure: the credentials are only Base64-encoded, not encrypted. For example, the HTTP request below carries the Basic Authentication credentials entered by the end user in the Authorization header, encoded in Base64.



    GET /index.html HTTP/1.1
    Host: www.abc.com
    Authorization: Basic a2VtYWw6aXN0YW5idWw=


An attacker who intercepts this message (possible whenever SSL/TLS is not used) can trivially decode the value and recover the username and password in cleartext.

LDAP client APIs in most programming languages offer several ways of binding (authenticating) to the server. SimpleBind is a bind method that, exactly like Basic Authentication, sends the password to the server in cleartext and is therefore insecure on an unencrypted connection.

The code snippet below validates credentials against the target LDAP server with SimpleBind enabled; the ContextOptions flags are combined with a bitwise OR, so SimpleBind is allowed alongside Negotiate.


    using (var context = new PrincipalContext(ContextType.Domain, domain))
    {
        return context.ValidateCredentials(userName, password,
            ContextOptions.SimpleBind | ContextOptions.Negotiate);
    }


The attacker can intercept this LDAP bind (authentication) operation and get the username and password in cleartext.

Another insecure code snippet, which selects Basic Authentication explicitly for the LDAP connection, is:


    var identifier = new LdapDirectoryIdentifier(server, port);
    var credential = new NetworkCredential(username, password);
    var ldapConnection = new LdapConnection(identifier, credential);
    ldapConnection.AuthType = AuthType.Basic;



The same issue appears in Java. The JNDI code snippet below uses simple authentication in order to connect to the target LDAP server, over a plain ldap:// connection.


    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    // userDn and password are the bind credentials, filter is the LDAP search filter
    NamingEnumeration<SearchResult> searchPeople(String userDn, String password, String filter) {
        try {
            Hashtable<String, Object> env = new Hashtable<>(15);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

            // plain ldap:// URL, no TLS: the bind below is sent in cleartext
            env.put(Context.PROVIDER_URL, "ldap://10.10.123.12:389");

            // the other insecure option is "none" (anonymous bind)
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, userDn);
            env.put(Context.SECURITY_CREDENTIALS, password);

            // the simple bind, and with it the cleartext password, goes over the wire here
            DirContext ctx = new InitialDirContext(env);

            // Create the search controls
            SearchControls searchCtls = new SearchControls();

            // Specify the attributes to return
            String[] returnedAtts = {"mail", "description", "givenname", "roomNumber", "employeeNumber", "uid"};
            searchCtls.setReturningAttributes(returnedAtts);

            // Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            // Specify the LDAP search filter
            String searchFilter = filter;

            // Specify the base for the search
            String searchBase = "ou=people,dc=mycompany,dc=com";

            // Search for objects using the filter
            return ctx.search(searchBase, searchFilter, searchCtls);
        } catch (NamingException e) {
            throw new RuntimeException("LDAP search failed", e);
        }
    }


The attacker can intercept this LDAP bind (authentication) operation and get the username and password in cleartext.
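The remediation for both the .NET snippets above and this Java snippet is the same: never perform a simple bind over an unencrypted connection. The following example is added here and is not part of the AttackFlow finding or of any project's code. It shows the JNDI variant, which upgrades the connection with StartTLS (javax.naming.ldap.StartTlsRequest) before the simple bind, so the password only ever travels inside the TLS channel. The server address ldap.example.com, the search base, the class and method names and the LDAP_BIND_PASSWORD environment variable are assumptions made for the example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

public class TlsProtectedLdapSearch {

    // Hypothetical directory endpoint and search base, chosen for this example.
    private static final String PROVIDER_URL = "ldap://ldap.example.com:389";
    private static final String SEARCH_BASE = "ou=people,dc=example,dc=com";

    // Searches the directory as bindDn, but only after the session has been upgraded
    // to TLS with StartTLS, so the simple bind never crosses the network in the clear.
    public static List<String> searchUids(String bindDn, String password, String filter)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        // No SECURITY_* properties yet: the initial connection is anonymous and carries
        // no credentials at all.

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // Ask the server to switch this connection to TLS before anything sensitive is sent.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() runs the handshake and validates the server certificate against the
            // JVM trust store; if it fails it throws and the bind below never happens.
            tls.negotiate();

            // Now the simple bind is acceptable: the password is sent inside the TLS channel.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            // Re-bind explicitly with the updated environment rather than lazily on the next call.
            ctx.reconnect(null);

            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] {"uid"});

            // The filter is a constant in main(); values taken from user input would need
            // escaping before being placed in a filter, which is a separate concern.
            List<String> uids = new ArrayList<>();
            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, filter, controls);
            while (results.hasMore()) {
                SearchResult entry = results.next();
                if (entry.getAttributes().get("uid") != null) {
                    uids.add((String) entry.getAttributes().get("uid").get());
                }
            }
            return uids;
        } finally {
            if (tls != null) {
                tls.close(); // tear down the TLS layer on the connection
            }
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // The bind password is read from an environment variable (assumed name) rather than
        // from the command line, where it would be visible in the process list.
        String password = System.getenv("LDAP_BIND_PASSWORD");
        List<String> uids = searchUids("cn=reader,dc=example,dc=com", password,
                "(objectClass=inetOrgPerson)");
        System.out.println("Found " + uids.size() + " entries");
    }
}
```

Using an ldaps:// URL together with Context.SECURITY_PROTOCOL set to "ssl" is an equivalent choice to StartTLS. On the .NET side the analogous change is to demand an encrypted session, for example by adding ContextOptions.SecureSocketLayer to the PrincipalContext options or setting SessionOptions.SecureSocketLayer on the LdapConnection, or by using AuthType.Negotiate instead of AuthType.Basic so that no cleartext password is sent at all.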
