LDAPNightmare PoC exploit crashes LSASS and forces reboots of Windows Domain Controllers.
A proof-of-concept (PoC) exploit for a now-patched security vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) that could lead to a denial-of-service (DoS) condition has been made public.
The out-of-bounds read vulnerability is tracked as CVE-2024-49113 (CVSS score: 7.5). Microsoft fixed it as part of its December 2024 Patch Tuesday releases, alongside CVE-2024-49112 (CVSS score: 9.8), a critical integer overflow vulnerability in the same component that could lead to remote code execution.
Independent security researcher Yuki Chen (@guhe120) is credited with discovering and reporting both vulnerabilities.
The CVE-2024-49113 PoC, created by SafeBreach Labs and code-named LDAPNightmare, is designed to crash any unpatched Windows server "with no pre-requisites except that the DNS server of the victim DC has Internet connectivity."
Specifically, the PoC sends a DCE/RPC request to the target server; when the target is then served a crafted CLDAP referral response packet with a non-zero value for "lm_referral", the Local Security Authority Subsystem Service (LSASS) crashes and the server is forced to reboot.
Worse, the California-based cybersecurity firm found that the same exploit chain can be used to achieve remote code execution (CVE-2024-49112) by modifying the CLDAP packet.
Microsoft has disclosed that CVE-2024-49112 could be exploited by sending RPC calls from untrusted networks to execute arbitrary code within the context of the LDAP service; its advisory for CVE-2024-49113, however, is primarily focused on technical specifics.
"In the context of exploiting a domain controller for an LDAP server, to be successful an attacker must send specially crafted RPC calls to the target to trigger a lookup of the attacker's domain to be performed to be successful," Microsoft stated.
"To successfully exploit an LDAP client application, an attacker must persuade or deceive the victim into connecting to a rogue LDAP server or executing a domain controller lookup for the attacker's domain. RPC requests without authentication, however, would fail."
The company also noted that an attacker could use an RPC connection to a domain controller to trigger domain controller lookup operations against the attacker's own domain.
To reduce the risk posed by these vulnerabilities, organizations should apply the Microsoft patches released in December 2024. Where patching cannot be done right away, it is recommended to "implement detections to monitor suspicious CLDAP referral responses (with the specific malicious value set), suspicious DsrGetDcNameEx2 calls, and suspicious DNS SRV queries."
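As an added illustration of two of the detections recommended above (example code, not SafeBreach's or Microsoft's), the following Python snippet flags DC-locator SRV lookups for domains outside a trust allowlist and UDP/389 (CLDAP) responses that reach a domain controller from outside the internal address ranges. The log line formats, hostnames, domains and addresses are constructed for the example and are not Windows log formats.

```python
import ipaddress

# Constructed sample data (formats are assumptions for this example).
# DNS client queries observed from the DC: "<timestamp> <host> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2024-12-10T10:01:02Z dc01 SRV _ldap._tcp.dc._msdcs.corp.example.local
2024-12-10T10:01:05Z dc01 SRV _ldap._tcp.dc._msdcs.lookup.attacker.example
2024-12-10T10:01:07Z dc01 A www.example.com
"""
# UDP flows towards the DC: "<timestamp> <src_ip> <src_port> <dst_ip> <dst_port>"
SAMPLE_FLOW_LOG = """\
2024-12-10T10:01:03Z 10.0.0.5 389 10.0.0.10 50123
2024-12-10T10:01:06Z 203.0.113.7 389 10.0.0.10 50124
"""

TRUSTED_DOMAINS = {"corp.example.local"}          # own forest/trusted domains (assumed)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

def domain_from_srv_name(qname):
    """Extract the AD domain from a DC-locator SRV name; None if not an _ldap._tcp query."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[:2] != ["_ldap", "_tcp"]:
        return None
    rest = labels[2:]
    # Drop locator sub-labels such as dc._msdcs or <site>._sites.dc._msdcs.
    if "_msdcs" in rest:
        rest = rest[rest.index("_msdcs") + 1:]
    return ".".join(rest) or None

def is_trusted(domain, trusted):
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def suspicious_srv_queries(log_text, trusted=TRUSTED_DOMAINS):
    """Return (timestamp, host, domain) for DC-locator SRV lookups of untrusted domains."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "SRV":
            continue
        domain = domain_from_srv_name(parts[3])
        if domain and not is_trusted(domain, trusted):
            hits.append((parts[0], parts[1], domain))
    return hits

def external_cldap_responses(flow_text, internal=INTERNAL_NETS):
    """Return (timestamp, src_ip) for UDP/389 replies to the DC from non-internal sources."""
    hits = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "389":
            continue
        src = ipaddress.ip_address(parts[1])
        if not any(src in net for net in internal):
            hits.append((parts[0], parts[1]))
    return hits
```

A DC that resolves an SRV record for an unfamiliar domain and then receives a CLDAP reply from an external address is exactly the sequence the advisory tells defenders to watch for, so both hits should be correlated by timestamp and host.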