Cyber security news for all


    LDAPNightmare PoC Exploit Causes LSASS Crashes and Windows Domain Controller Reboots

    A newly unveiled proof-of-concept (PoC) exploit for a previously patched vulnerability in Windows Lightweight Directory Access Protocol (LDAP) has emerged, demonstrating the potential to induce denial-of-service (DoS) conditions.

    Identified as CVE-2024-49113 and carrying a CVSS severity score of 7.5, this out-of-bounds read vulnerability was addressed by Microsoft in its December 2024 Patch Tuesday updates. The updates also mitigated CVE-2024-49112, a critical integer overflow flaw rated 9.8 on the CVSS scale, which could allow remote code execution within the same LDAP component.

    The discovery of both vulnerabilities is credited to independent security researcher Yuki Chen (@guhe120), whose findings underscore significant risks for Windows Server environments.

    PoC Exploit Details: LDAPNightmare

    The PoC exploit, dubbed LDAPNightmare, was engineered by researchers at SafeBreach Labs. Its functionality enables it to crash unpatched Windows Servers without requiring any specific preconditions beyond Internet connectivity for the domain controller’s DNS server.

    The attack mechanism involves dispatching a DCE/RPC request to the target server, followed by a specially crafted CLDAP referral response packet. This sequence triggers the Local Security Authority Subsystem Service (LSASS) to crash, resulting in an automatic reboot of the domain controller.

    More alarmingly, SafeBreach Labs discovered that the same exploit chain could be weaponized for remote code execution (RCE), exploiting CVE-2024-49112 by modifying the malicious CLDAP packet.

    Microsoft’s Advisory and Technical Insights

    Microsoft’s security advisory on CVE-2024-49113 provides minimal technical specifics but highlights the grave potential of CVE-2024-49112. According to Microsoft, the vulnerability can be exploited via RPC requests from untrusted networks, enabling attackers to execute arbitrary code in the LDAP service context.

    • In attacks targeting domain controllers, success requires attackers to initiate crafted RPC calls to the target, prompting a lookup of the attacker’s domain.
    • In client-side LDAP exploits, attackers must deceive victims into conducting a domain lookup or connecting to a malicious LDAP server. However, Microsoft clarified that unauthenticated RPC calls would not succeed under such scenarios.

    Additionally, attackers could exploit RPC connections to domain controllers to initiate domain lookup operations against their controlled domains.

    Mitigation and Defensive Measures

    To neutralize the risks posed by these vulnerabilities, organizations are urged to promptly apply Microsoft’s December 2024 security patches. For environments where immediate patching is not feasible, Microsoft recommends implementing detection mechanisms to identify:

    • Suspicious CLDAP referral responses with malicious value indicators.
    • Anomalous DsrGetDcNameEx2 function calls.
    • Unusual DNS SRV query patterns.
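    The third indicator above (unusual DNS SRV query patterns) follows from the attack's precondition: the domain controller is made to look up the attacker's domain, which on Windows means DC-locator SRV queries such as _ldap._tcp.dc._msdcs.<domain> leaving the DNS server. The script below is an added detection example, not code from the article, SafeBreach Labs or Microsoft. It parses a constructed, simplified DNS query-log format (the real field names in your DNS server's logs will differ), maps each locator SRV name back to the domain being resolved, flags lookups for domains outside an allowlist of trusted forests, and raises a burst alert when one client issues several such lookups in a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real product's format):
#   <ISO-8601 timestamp> client=<ip> qtype=<record type> name=<queried fqdn>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) name=(?P<name>\S+)$"
)

# SRV prefixes the Windows DC locator resolves when it looks up a domain.
LOCATOR_PREFIXES = ("_ldap._tcp.", "_kerberos._tcp.", "_gc._tcp.")


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def locator_target_domain(name):
    """Map a DC-locator SRV name to the domain being looked up, or None if the
    name is not a locator record. Handles the plain, _msdcs and site-specific
    forms, for example:
      _ldap._tcp.dc._msdcs.corp.example.com                 -> corp.example.com
      _ldap._tcp.<site>._sites.dc._msdcs.corp.example.com   -> corp.example.com
    """
    n = name.lower().rstrip(".")
    for prefix in LOCATOR_PREFIXES:
        if not n.startswith(prefix):
            continue
        rest = n[len(prefix):]
        for marker in ("._sites.dc._msdcs.", "._sites."):
            if marker in rest:
                rest = rest.split(marker, 1)[1]
                break
        for lead in ("dc._msdcs.", "pdc._msdcs.", "gc._msdcs."):
            if rest.startswith(lead):
                rest = rest[len(lead):]
                break
        return rest
    return None


def is_trusted(domain, trusted_domains):
    """True if domain equals, or is a subdomain of, one of the trusted domains."""
    return any(domain == t or domain.endswith("." + t) for t in trusted_domains)


def analyze(lines, trusted_domains, burst_threshold=3, window=timedelta(minutes=5)):
    """Return one alert per locator SRV lookup outside the trusted domains, plus
    one 'burst' alert per client that issued burst_threshold or more such
    lookups inside a single time window."""
    alerts = []
    hits = defaultdict(list)  # client ip -> timestamps of untrusted lookups
    trusted = [t.lower().rstrip(".") for t in trusted_domains]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"].upper() != "SRV":
            continue
        domain = locator_target_domain(rec["name"])
        if domain is None or is_trusted(domain, trusted):
            continue
        alerts.append({"kind": "untrusted_locator_srv", "client": rec["client"],
                       "domain": domain, "ts": rec["ts"].isoformat()})
        hits[rec["client"]].append(rec["ts"])
    for client, times in hits.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= burst_threshold:
                alerts.append({"kind": "burst", "client": client,
                               "count": in_window, "ts": start.isoformat()})
                break
    return alerts


# Constructed sample log: DC 10.0.0.5 resolves its own domain, then issues three
# locator lookups for a domain the organisation does not trust; 10.0.0.9 looks
# up a trusted partner forest and should not be flagged.
SAMPLE_LOG = [
    "2025-01-03T10:00:01 client=10.0.0.5 qtype=SRV name=_ldap._tcp.dc._msdcs.corp.example.com.",
    "2025-01-03T10:00:02 client=10.0.0.5 qtype=A name=fileserver.corp.example.com.",
    "2025-01-03T10:00:03 client=10.0.0.5 qtype=SRV name=_ldap._tcp.dc._msdcs.unknown-domain.example.",
    "2025-01-03T10:00:04 client=10.0.0.5 qtype=SRV name=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.unknown-domain.example.",
    "2025-01-03T10:00:05 client=10.0.0.5 qtype=SRV name=_kerberos._tcp.unknown-domain.example.",
    "2025-01-03T10:00:06 client=10.0.0.9 qtype=SRV name=_ldap._tcp.dc._msdcs.partner.example.net.",
]
TRUSTED = ["corp.example.com", "partner.example.net"]  # assumed allowlist


def run_sample():
    return analyze(SAMPLE_LOG, TRUSTED)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

    The allowlist should contain every forest the domain controllers legitimately resolve (own forest, trusted forests, partner domains behind conditional forwarders), otherwise normal trust traffic will page you. A single untrusted locator lookup from a DC is worth a ticket on its own, since DCs have little reason to locate foreign domains; the burst rule catches repeated attempts from one host.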

    The release of LDAPNightmare underscores the persistent and evolving nature of cybersecurity threats facing enterprise environments. Organizations must prioritize rapid patch deployment, maintain vigilant monitoring, and adopt layered defenses to safeguard critical infrastructure from such exploits.
