What is LDAP?
Information technology keeps advancing at incredible speed, and with it the amount of sensitive data that organizations store in databases and directories. That data is protected with internal firewalls, intrusion detection systems and similar controls, but the application in front of it is the gate every user passes through: you submit a request, the application turns it into a query, and the backend answers. Problems arise when the application builds those queries from user input without sanitizing or escaping it first.
Lightweight Directory Access Protocol (LDAP) is a protocol for querying and modifying directory services over TCP/IP. It gives applications access to repositories that hold information about users, credentials, systems, applications, and so on. The protocol defines operations and a syntax that let a client search, add, modify and remove directory entries. When you look up a colleague’s phone number or e-mail address in a corporate address book, that lookup is very often an LDAP search behind the scenes.
Input validation flaws are among the most common vulnerabilities in web applications, and injection is the technique threat actors use to exploit them. SQL Injection is the best known, but wherever an application builds LDAP search filters from user input the same idea applies as LDAP Injection: the attacker manipulates the filter to read information it was never meant to expose or to bypass a check. Because many organizations run their single sign-on environment on top of an LDAP directory, the security of every application and service in that environment rests on the directory, and a breach there is damaging to users and the business alike.
A directory service is built for lookups. An LDAP directory organizes its information as a tree of entries (the Directory Information Tree), where each entry is identified by a distinguished name (DN) and carries a set of attributes. Because entries of the same kind carry the same attributes, clients can search for all entries that share a common attribute value. Every entry belongs to one or more object classes, and the schema rules of those classes dictate which attributes the entry must and may carry and what syntax their values have.
LDAP directories are hierarchical and follow the client/server model. A client sends a search request containing a filter to the server, and the server returns the directory entries that match the filter.
Filters are written in parentheses. They are built from logical operators (AND, written “&”; OR, written “|”; and NOT, written “!”) and relational operators (“=”, “>=”, “<=”, and “~=” for approximate match). The “*” wildcard can stand in for any run of characters inside a value, so “(cn=J*)” matches every entry whose cn starts with J and “(mail=*)” matches every entry that has a mail attribute at all. Two standalone forms with no operands act as special constants (defined in RFC 4526):
- (&) -> absolute TRUE (an AND with no operands matches every entry)
- (|) -> absolute FALSE (an OR with no operands matches no entry)
Vulnerable LDAP environments
Many companies use LDAP services. In the past, each application needed its own directory with its own standalone authentication: the domain, the distribution lists and the databases all required a separate store. Today directories built on LDAP serve multiple purposes at once. They work as a consolidated repository for user authentication and enable a single sign-on environment, which improves productivity by reducing administrative complexity and improves security and fault tolerance as well. Applications that depend on LDAP services use the directory for many purposes, most commonly:
- Privilege management
- Resource management
- Access control (management of user certificates, verification of the user/password pair)
LDAP services are incredibly useful for corporate networks, and the data they hold is correspondingly valuable. That is why LDAP servers sit in the backend next to the database servers rather than on the network edge. It is also why an injection flaw in a front-end application matters: it gives an attacker a path to a server that is otherwise unreachable from outside.
Now that we have a common understanding, let’s discuss LDAP Injection. The technique is the LDAP counterpart of SQL Injection: the attacker abuses the parameters that the application takes from the user to build an LDAP query. The application itself is the place to prevent it, by validating the user-supplied parameters and escaping the special filter characters before the query is sent to the server. In practice the parameters are often not filtered correctly, which leaves a vulnerable environment in which the attacker can inject filter syntax of their own.
So how do we classify LDAP Injection? As a user-crafted query with malicious intent. A normal query sent to the LDAP server yields a normal result; a query carrying injected filter syntax yields something else, and what the attacker is usually after is the sensitive and private information held in the directory. Some LDAP Injections go further. Depending on how the application uses the query result and what rights its directory account has, an attacker can bypass authentication or authorization checks, obtain permissions they should not have and, where the application also performs write operations, alter information in the LDAP tree.
The servers most often found behind vulnerable applications include Microsoft ADAM (Active Directory Application Mode, today AD LDS) and OpenLDAP. Note that the injection flaw lives in the application that assembles the filter, not in the server, although client libraries and servers differ in how strictly they reject a malformed filter. The most widespread types of LDAP Injection are AND LDAP Injections, OR LDAP Injections, and Blind LDAP Injections, which in turn come in AND and OR variants.
In Part 2 of this blog post we will build on the information provided above and discuss the most common LDAP Injections, showcase examples of how they work, and provide advice that can help prevent these attack techniques.