LDAP Nightmare: Exploiting CVE-2024-49112 in Windows Servers

A new Remote Code Execution (RCE) vulnerability has been discovered. With a CVSS score of 9.8, this vulnerability affects Windows Domain Controllers (DCs) and other Windows Servers, potentially putting organizational networks at risk. SafeBreach Labs took a deep dive, revealing a zero-click Proof of Concept (PoC) capable of crashing unpatched systems.

This flaw doesn’t require authentication, and SafeBreach researchers outlined how the vulnerability can be exploited using a crafted CLDAP response to crash the Local Security Authority Subsystem Service (LSASS).

Technical background

The vulnerability leverages an integer overflow in the lsass.exe process, specifically in the wldap32.dll library, which manages LDAP requests. The attack chain can be divided into the following steps:

  1. Triggering an LDAP Query
    • The attacker sends a crafted DCE/RPC request to the victim server.
    • This forces the victim to send a DNS SRV query for the attacker-controlled domain.
  2. DNS Manipulation
    • The attacker controls the DNS response to point the victim to an attacker-controlled LDAP server.
  3. Executing CLDAP Requests
    • The victim server, acting as an LDAP client, sends a CLDAP request to the attacker’s server.
    • The attacker responds with a malformed referral packet, triggering a vulnerability in LdapChaseReferral within wldap32.dll.
  4. Crashing LSASS
    • A specific value in the referral response causes the lsass.exe process to dereference a null pointer.
    • This leads to an access violation, crashing LSASS and forcing a system reboot.

Am I vulnerable?

Vulnerable versions:

  1. Windows Server:
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
    • Windows Server 2022
  2. Windows 10 and Windows 11 (in specific scenarios):
    • If LDAP or Active Directory server functionalities are enabled, these systems could also be vulnerable, particularly when acting as domain controllers or LDAP servers.

Use SafeBreach’s PoC tool to verify that the patch has been applied: https://github.com/SafeBreach-Labs/CVE-2024-49112

Mitigation

Ensure all Windows Servers are updated with Microsoft’s December 2024 patch (link to patch). Additionally, monitor the network for suspicious activity:

  • Track unusual DsrGetDcNameEx2 calls and DNS SRV queries.
  • Log and review CLDAP referral responses with anomalous values.
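As an added defensive example (not from the SafeBreach post or their PoC), the script below applies the two monitoring rules above to constructed log lines: it flags DNS SRV lookups from a domain controller for names outside the organisation’s own AD zones, and CLDAP referral responses that are unparseable or point to a host outside those zones, raising the severity when such a referral follows an external SRV lookup by the same host. The log line format, the `TRUSTED_ZONES` list and the sample lines are all assumptions made for this example.

```python
"""Detection helper for the LDAPNightmare (CVE-2024-49112) attack chain.

Added example, not code from the SafeBreach blog or PoC. The log format below
is a constructed one; adapt the regexes to the DNS server / CLDAP sensor you use.
"""
import re
from urllib.parse import urlparse

# Assumption: the organisation's own AD DNS zones. Anything outside is "untrusted".
TRUSTED_ZONES = ("corp.example.local",)

# Constructed sample log (not a real capture): a normal DC lookup, then the
# pattern the advisory describes - a DC doing an SRV lookup for an outside
# domain, followed by CLDAP referrals from an outside host.
SAMPLE_LOG = """\
2024-12-30T10:00:01Z dns client=10.0.0.5 qtype=SRV name=_ldap._tcp.dc._msdcs.corp.example.local
2024-12-30T10:00:02Z cldap src=10.0.0.6 dst=10.0.0.5 referral=ldap://dc2.corp.example.local/DC=corp,DC=example,DC=local
2024-12-30T10:05:10Z dns client=10.0.0.5 qtype=SRV name=_ldap._tcp.dc._msdcs.attacker-example.test
2024-12-30T10:05:11Z cldap src=203.0.113.9 dst=10.0.0.5 referral=ldap://203.0.113.9:389/DC=attacker-example,DC=test
2024-12-30T10:05:12Z cldap src=203.0.113.9 dst=10.0.0.5 referral=not-a-valid-url
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>\S+) qtype=(?P<qtype>\S+) name=(?P<name>\S+)$")
CLDAP_RE = re.compile(r"^(?P<ts>\S+) cldap src=(?P<src>\S+) dst=(?P<dst>\S+) referral=(?P<ref>\S+)$")


def in_trusted_zone(host):
    """True if host is one of, or lies under, the organisation's AD zones."""
    host = host.rstrip(".").lower()
    return any(host == z or host.endswith("." + z) for z in TRUSTED_ZONES)


def referral_host(ref):
    """Return the host in an LDAP referral URL, or None if it cannot be parsed."""
    try:
        parsed = urlparse(ref)
    except ValueError:
        return None
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        return None
    return parsed.hostname


def analyse(log_text):
    """Return a list of (timestamp, severity, reason) findings for suspicious lines."""
    findings = []
    # Client IP -> timestamp of its last SRV lookup outside the trusted zones.
    # Simplification: no time window / expiry; a real detector would add one.
    recent_external_srv = {}
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            if m["qtype"].upper() == "SRV" and not in_trusted_zone(m["name"]):
                recent_external_srv[m["client"]] = m["ts"]
                findings.append((m["ts"], "medium",
                                 f"SRV lookup for untrusted zone {m['name']} from {m['client']}"))
            continue
        m = CLDAP_RE.match(line)
        if not m:
            continue  # unrelated line
        host = referral_host(m["ref"])
        if host is None:
            severity = "high"
            reason = f"malformed CLDAP referral from {m['src']} to {m['dst']}: {m['ref']}"
        elif not in_trusted_zone(host):
            # A referral to an outside host right after the same DC looked up an
            # outside domain matches the full chain, so rate it higher.
            severity = "high" if m["dst"] in recent_external_srv else "medium"
            reason = f"CLDAP referral to untrusted host {host} from {m['src']} to {m['dst']}"
        else:
            continue  # referral stays inside our own zones
        findings.append((m["ts"], severity, reason))
    return findings


if __name__ == "__main__":
    for ts, severity, reason in analyse(SAMPLE_LOG):
        print(f"{ts} [{severity}] {reason}")
```

Run against the constructed sample it reports one medium finding for the external SRV lookup and two high findings for the referrals that follow it; the first two lines, which stay inside the trusted zone, produce nothing.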

Source: https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112/
