The CVE-2024-49112 vulnerability in Home windows LDAP permits distant code execution on unpatched Area Controllers, as a zero-click exploit leverages this by crafting malicious LDAP requests, which, despatched with none consumer interplay, exploit a reminiscence corruption vulnerability inside the LDAP service.
Upon receiving the malicious request, the susceptible DC makes an attempt to course of it, resulting in a reminiscence crash and finally system instability, which may probably be used to achieve preliminary entry to the area, compromising crucial programs and information.
Researchers recognized a crucial distant code execution vulnerability (CVE-2024-49112) in Home windows LDAP companies, which probably an integer overflow, resides inside the wldap32.dll library, a core part of the LDAP consumer implementation.
By exploiting this flaw, unauthenticated attackers can remotely set off a site controller to carry out a DNS lookup of a malicious area and when processed by the susceptible LDAP consumer code, this results in a reminiscence corruption, finally enabling arbitrary code execution inside the context of the LDAP service working on the goal area controller.
The attacker used the DsrGetDcNameEx2 perform to set off a distant LDAP request on the sufferer DC, as DsrGetDcNameEx2 is an RPC perform that retrieves details about a site controller within the specified area and website.
They set the DomainName parameter to be a site that they managed, and the sufferer DC despatched a DNS question to its DNS server a few subdomain of that area.
Then created SRV information for that subdomain that pointed to the attacker’s DC, and when the sufferer DC queried the DNS server once more, it obtained the IP tackle of the attacker’s DC and despatched an LDAP request to it.
A malicious LDAP response packet was crafted by the attacker with a purpose to reap the benefits of the LdapChaseReferral vulnerability.
By manipulating the size discipline of a particular worth inside the packet, they triggered the “lm_referral” variable within the “ldap_message” struct to develop into non-zero, which triggered a vulnerability test inside the LdapChaseReferral perform.
Because the “referral desk” pointer was null and “lm_referral” was non-zero, the perform tried to dereference a null pointer, resulting in an entry violation and probably permitting distant code execution on the sufferer’s DC.
SafeBreach analysis into the LDAP CVE-2024-49112 vulnerability demonstrated profitable exploitation past Area Controllers, impacting any unpatched Home windows Server.
By manipulating LDAP referrals with particular malicious values, researchers crafted an exploit chain that leverages DsrGetDcNameEx2 calls and DNS SRV queries to set off reminiscence corruption and potential distant code execution.
Proof-of-concept exploit and mitigation methods, together with patching and implementing detections for suspicious LDAP referrals and system calls, have been developed to help organizations in addressing this crucial vulnerability.
Examine Actual-World Malicious Hyperlinks, Malware & Phishing Assaults With ANY.RUN – Attempt for Free