How To Identify and Prevent LDAP Injection (Part 2)

protection shield

 

protection shield

Query and command injections are some of the most devastating classes of vulnerabilities in existence. This series of blog posts will teach you how to identify and prevent this vulnerability from occurring.

What is LDAP Injection?

LDAP injection occurs when an application fails to neutralize characters that have special meaning in LDAP. Closely, resembling SQL injection, LDAP injection occurs when LDAP statements are constructed with unverified user-supplied data. This can result in the execution of arbitrary commands such as granting permissions to unauthorized queries as well as content alterations within the LDAP tree. The same advanced exploitation techniques leveraged in SQL Injection can be similarly applied in LDAP injection.

For the purpose of illustration, let’s examine a public LDAP injection vulnerability (CVE-2012-3981) that was recently identified in the popular software management tool, Bugzilla. Bugzilla, like many software products, supports integration with external authentication mechanisms such as LDAP. Up until November 1, 2012, a vulnerability existed in Bugzilla that allowed an attacker to inject arbitrary data into an LDAP directory via a crafted login attempt. Specifically, when a user submits his credentials, no validation check is performed and the username is passed as is to create the filter which will be passed to $self->ldap->search().

Vulnerable Perl code

[code]
use Bugzilla::Util;

use Net::LDAP;

sub _bz_search_params {
my ($username) = @_;

return (base   => Bugzilla->params->{“LDAPBaseDN”},
scope  => “sub”,
filter => ‘(&(‘ . Bugzilla->params->{“LDAPuidattribute”}
[/code]

Preventing LDAP Injection

In this example, the authors of Bugzilla leverage a third party Perl module, Net::LDAP::Util, to escape dangerous user-input supplied by the username parameter. Specifically, escape_filter_value() escapes the passed in according to RFC 4515 so that it can be safely used in LDAP filters. Any control characters with an ACII code < 32 as well as the characters with special meaning in LDAP filters ”*”, ”(”, ”)”, and ”” the backslash are converted into the representation of a backslash followed by two hex digits representing the hexadecimal value of the character.

Example Perl

[code]
use Bugzilla::Util;

use Net::LDAP;
+ use Net::LDAP::Util qw(escape_filter_value)

sub _bz_search_params {
my ($username) = @_;
+ $username = escape_filter_value($username);
return (base   => Bugzilla->params->{“LDAPBaseDN”},
scope  => “sub”,
filter => ‘(&(‘ . Bugzilla->params->{“LDAPuidattribute”}
[/code]

In general, mitigation for all injection vulnerabilities starts with input validation. As with the other prevention techniques a positive validation scheme, or white-list, is always preferred over a black-list approach. This is particularly true if you are attempting to roll your on data validation routines. The prevention sections should be sounding like a broken record by now.

About the Authors

Nathan Sportsman

Nathan Sportsman

As the Founder and CEO of Praetorian, Nathan is responsible for championing the vision, maintaining the culture, and setting the direction of the company. Prior to bringing in professional management to help run the company, Nathan managed the day-to-day operations of the firm from its 2010 beginnings as a bootstrapped start-up to its current YoY hyper-growth. Since Praetorian’s founding, Nathan has successfully instilled a “customer first” mentality that has become part of the DNA of the company, which has led to unprecedented customer satisfaction reviews as reflected in a historical net promoter score of 92%. This reputation for delivering value to the customer has resulted in a three-year growth rate of 214%. Under Nathan’s leadership, the company has earned national recognition on the Inc. 5000 list 8 times in a row, the Inc Best Work Places, the Cybersecurity 500, CIO Top 20, and locally on Austin’s “Fastest 50” growing firms.

Catch the Latest

Catch our latest exploits, news, articles, and events.

Ready to Discuss Your Next Continuous Threat Exposure Management Initiative?

Praetorian’s Offense Security Experts are Ready to Answer Your Questions

0 Shares
Copy link