Critical Windows LDAP flaw could lead to crashed servers, RCE attacks

by CybrGPT

LDAPNightmare: if the December 2024 Patch Tuesday server updates have not yet been installed, it is time to do so. A public proof-of-concept exploit shows that unpatched Windows servers, including Active Directory domain controllers, can be crashed, and the same bugs may open the door to RCE.


Researchers have published a proof-of-concept exploit for a pair of Windows Lightweight Directory Access Protocol (LDAP) flaws that could lead to server crashes or remote code execution (RCE) on Windows servers.

“Active Directory Domain Controllers (DCs) are considered to be one of the crown jewels in organizational computer networks,” noted researchers at security firm SafeBreach, who investigated the flaws. “Vulnerabilities found in DCs are usually much more critical than those found in usual workstations. The ability to run code on a DC or crash Windows servers heavily affects network security posture.”

The vulnerabilities, designated CVE-2024-49112 (CVSS severity 9.8 out of 10) and CVE-2024-49113 (CVSS severity 7.5), were patched in Microsoft’s December 2024 Patch Tuesday updates, with few details. However, this week SafeBreach published a detailed analysis of the flaws, along with a proof-of-concept exploit of CVE-2024-49113 that the firm’s researchers said affects any unpatched Windows server, not just domain controllers. The only requirement is that the DNS server used by the victim has internet connectivity, so that the lookup of the attacker’s domain can be resolved.

It dubbed the exploit “LDAPNightmare.”

Although Microsoft has published virtually nothing about CVE-2024-49113, its FAQ for CVE-2024-49112 provided additional information about the flaw:

“A remote unauthenticated attacker who successfully exploited this vulnerability would gain the ability to execute arbitrary code within the context of the LDAP service. However successful exploitation is dependent upon what component is targeted.

In the context of exploiting a domain controller for an LDAP server, to be successful an attacker must send specially crafted RPC calls to the target to trigger a lookup of the attacker’s domain to be performed in order to be successful.

In the context of exploiting an LDAP client application, to be successful an attacker must convince or trick the victim into performing a domain controller lookup for the attacker’s domain or into connecting to a malicious LDAP server. However, unauthenticated RPC calls would not succeed.”

Based on that information, SafeBreach directed its efforts toward executables and dynamic link libraries (DLLs) that implement LDAP client logic, settling on lsass.exe or one of the DLLs it loads as the likely location for the bug.

After the researchers isolated the offending DLL, wldap32.dll, they found a way to trick the victim into sending an LDAP request to the attacker’s domain and to return a response that crashed lsass.exe and, with it, the entire operating system. (See the analysis for additional details.)

The researchers are now working on another exploit that doesn’t crash the system, instead allowing RCE.

To make life more interesting for infosec pros, Microsoft noted in its FAQ that an attacker could use inbound RPC tunnels to exploit the vulnerabilities. It recommended that customers who can’t patch immediately prevent DCs from accessing the internet or disallow inbound RPC from untrusted networks, noting, “applying the mitigations will decrease the risk of an attacker successfully convincing or tricking a victim into connecting to a malicious server. If a connection is made, the attacker could send malicious requests to the target over SSL.”

It added that “applying both configurations provides an effective defense-in-depth against this vulnerability.”
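The two interim mitigations above are firewall configuration on the domain controller, so here is what they look like in PowerShell. This is an added example written for this page, not code from the article, SafeBreach or Microsoft; the trusted address ranges, the rule name and the firewall rule-group name are assumptions that must be adapted to the environment, and it is meant to run elevated on the DC itself.

```powershell
# Added example (not from the article, SafeBreach or Microsoft). Applies the two
# interim mitigations Microsoft described for CVE-2024-49112 / CVE-2024-49113 on a
# DC that cannot be patched yet:
#   1. disallow inbound RPC from untrusted networks
#   2. prevent the DC from reaching the internet
# and records the build of wldap32.dll, the module the PoC crashes inside lsass.exe,
# so it can be compared with the version shipped in the December 2024 update.
#
# Assumptions (not from the article): the trusted ranges, the rule-group name and
# the outbound rule name below. Test on a lab DC first.
#Requires -RunAsAdministrator

# Constructed sample: internal ranges that may still talk RPC to this DC and that
# the DC may still reach outbound. Replace with the real site/subnet list.
$TrustedNetworks = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

# Built-in rule group that opens RPC endpoint mapper (TCP 135), the dynamic RPC
# range and LDAP/LDAPS on a DC. Assumed name; confirm with
#   Get-NetFirewallRule | Select-Object -Unique DisplayGroup
$DcInboundGroups = @('Active Directory Domain Services')

function Get-Wldap32Version {
    # lsass.exe loads wldap32.dll for its LDAP client logic; that is the file the
    # December 2024 update has to replace, so its version is the thing to compare.
    (Get-Item (Join-Path $env:SystemRoot 'System32\wldap32.dll')).VersionInfo.FileVersion
}

function Set-InboundRpcScope {
    # Mitigation 1: scope the DC's built-in inbound allow rules so they only match
    # packets from trusted ranges. With the profile default inbound action set to
    # Block, RPC from any other source no longer matches an allow rule.
    param([string[]]$Trusted, [string[]]$Groups)
    foreach ($group in $Groups) {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $Trusted
    }
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
}

function Block-InternetEgress {
    # Mitigation 2: deny outbound by default and allow only trusted ranges, so the
    # DC cannot complete an LDAP connection to an attacker-controlled host.
    # Caveat: this also cuts off Windows Update and any cloud dependency the DC
    # has; treat it as interim until the patch is installed.
    param([string[]]$Trusted,
          [string]$RuleName = 'Interim - Allow outbound to trusted networks only')
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Allow `
            -RemoteAddress $Trusted -Profile Any | Out-Null
    }
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

function Show-MitigationState {
    # Verification: which remote addresses the inbound DC rules now accept, the
    # per-profile default actions, and the wldap32.dll build.
    param([string[]]$Groups)
    [pscustomobject]@{
        Wldap32Version   = Get-Wldap32Version
        ProfileDefaults  = (Get-NetFirewallProfile |
                                Select-Object Name, DefaultInboundAction, DefaultOutboundAction)
        InboundRpcScopes = ($Groups | ForEach-Object {
            Get-NetFirewallRule -DisplayGroup $_ -Direction Inbound |
                Get-NetFirewallAddressFilter |
                Select-Object -ExpandProperty RemoteAddress -Unique
        })
    }
}

Set-InboundRpcScope -Trusted $TrustedNetworks -Groups $DcInboundGroups
Block-InternetEgress -Trusted $TrustedNetworks
Show-MitigationState -Groups $DcInboundGroups | Format-List
```

The rules are scoped rather than replaced because Windows Firewall evaluates Block rules before Allow rules, so a blanket "block inbound RPC from Any" rule would also cut off trusted clients; narrowing the existing allow rules' RemoteAddress and relying on the default Block action gives the intended "untrusted networks only" effect. Since the article notes that the attack also depends on the DNS server used by the victim being able to resolve the attacker's domain, apply the same egress restriction to that DNS server where it is a separate host.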

© 2025 cybrgpt.com – All rights reserved.