Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Anonymous LDAP binds, thoughts on real exposures

from [Philip Cox] Network Security [Permanent Link]
Subject: Anonymous LDAP binds, thoughts on real exposures
Date: Wed, 12 Dec 2007 07:08:46 -0800 
All,

I was discussing with a colleague about allowing anonymous binds to a
Windows Active directory. The scenario was only internal, arguably trusted,
systems have network level access to the AD/LDAP server.

Given that, I can think of 3 basic classes of exposures:

1. Unauthorized Information leak: Anyone that can bind to the server can
gain SOME level of information access (depends on permissions)

2. Denial of Service: Such as overloading the server with requests once the
anonymous connection is established. One could argue that issuing anonymous
requests, even if they failed, could be used to perform the same basic
denial of service, so this would not be an increased risk due to allowing
anonymous binds

3. Potential exploit of bugs: When/if there is a vulnerability in one of the
underlying API calls to the AD server once a user has authenticated. Thus a
user that would not have authorization to make a certain call to the AD
server as an unauthenticated user, could make the call, and exploit the
vulnerability. For example, lets say the fictitious AD_Run_Object call was
vulnerable to a buffer overflow. An unauthenticated user trying to make the
call would be denied access to the call since they had not authenticated
first. However, an anonymous bind would allow the attacker to make the
AD_Run_Object call, and exploit the vulnerability.


I was thinking that if anonymous binds were required, you could do nothing
about #2 & #3. However, assuring tight AD permission settings could prevent
#1.

I am interested in thoughts of other classes of
attackes/vulnerabilites/exposures that allowing anonymous bind would present
on an INTERNAL network.

Any thoughts are appreciated.

Phil


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Anonymous LDAP binds, thoughts on real exposures, Philip Cox <=
Previous by Date:  Re: Cain & Able man in the middle attack, Carlos Moro García
Next by Date:  RE: I want the PT list back...., Shenk, Jerry A
Previous by Thread:  Cpanel Vulnerability?, Francisco Pecorella
Next by Thread:  Writing a phpshell via SQL Injection to a host, Joseph McCray
Indexes:  [Date] [Thread] [Top] [All Lists]