LDAPNightmare PoC Exploit Crashes LSASS and Reboots Windows Domain Controllers
The latest news on the LDAP vulnerability PoC exploit, specifically CVE-2024-49112, involves a critical remote code execution (RCE) flaw in Windows Lightweight Directory Access Protocol (LDAP) clients. Here are the key details:
CVE-2024-49112 Overview
Vulnerability Description: CVE-2024-49112 is a critical vulnerability in Windows LDAP clients that allows remote code execution. It primarily impacts Windows servers, including Domain Controllers (DCs), which play a crucial role in managing network authentication and user access [2][3].
CVSS Score: The vulnerability has been assigned a critical CVSS score of 9.8, indicating its high severity [2].
Exploit Details: The exploit leverages an integer overflow in the LDAP-related code. By sending specially crafted RPC requests, an unauthenticated attacker can initiate malicious LDAP queries, potentially leading to server instability or remote code execution (RCE) [2][3].
PoC Exploit: SafeBreach Labs has released a zero-click proof-of-concept (PoC) exploit named "LDAPNightmare" to highlight the severity of CVE-2024-49112. This exploit demonstrates how unpatched Windows servers can be crashed by interacting with their Netlogon Remote Protocol (NRPC) and LDAP client [2][3].
Attack Flow
- Initiation: The attacker initiates the process by sending a DCE/RPC request to the targeted server.
- Query: The target server queries the attacker's DNS server for additional details.
- Response: The attacker provides a hostname and LDAP port.
- Resolution: The victim server broadcasts an NBNS request to resolve the attacker’s hostname.
- Reply: The attacker replies with their IP address.
- CLDAP Request: The victim server, now acting as an LDAP client, sends a CLDAP request to the attacker's machine.
- Malicious Referral: The attacker delivers a malicious referral response, triggering a crash in the LSASS (Local Security Authority Subsystem Service) and forcing the server to reboot [2][3].
Affected Systems
All unpatched versions of Windows Server, including 2019 and 2022, are exposed to this vulnerability. Threat actors, such as ransomware groups, could exploit it to seize control of domain environments, placing them at significant risk [2].
Mitigation
- Patch Updates: Microsoft addressed this vulnerability on December 10, 2024, as part of its monthly Patch Tuesday updates. Organizations should apply the latest patches to mitigate the risk [2].
- Monitoring: Keep an eye out for unusual activity involving DNS SRV queries, CLDAP referral responses, and DsrGetDcNameEx2 calls until the update is fully applied [2].
- Assessment Tool: Utilize SafeBreach's proof-of-concept tool, accessible on GitHub, to assess systems and evaluate security measures [2].
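The Monitoring item above names three signals (DsrGetDcNameEx2 calls, DNS SRV queries, CLDAP referral responses) that, taken together, mirror the Attack Flow sequence. The script below is an added example, not code from the page or from SafeBreach's PoC: it correlates those signals per domain controller within a short time window and flags the chain only when the RPC source, the DNS resolver and the CLDAP destination are all outside a trusted range. The log line format, the field names, the sample lines and the TRUSTED_NETS prefixes are all constructed for the example; the regexes would need to be mapped to whatever your DNS, NBNS and CLDAP telemetry actually emits.

```python
"""Correlate DC telemetry into the LDAPNightmare-style NRPC -> DNS -> NBNS -> CLDAP chain.

Assumption: the log format, field names and sample lines below are constructed
for this example; adapt the regexes to your real DNS/NBNS/CLDAP telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one benign in-domain lookup, then one suspicious chain.
SAMPLE_LOG = """\
2024-12-11T10:00:01Z dc01 DNS_SRV query=_ldap._tcp.dc._msdcs.corp.example resolver=10.0.0.10
2024-12-11T10:00:02Z dc01 CLDAP dst=10.0.0.20 port=389 result=success
2024-12-11T10:05:00Z dc01 RPC method=DsrGetDcNameEx2 src=203.0.113.7
2024-12-11T10:05:01Z dc01 DNS_SRV query=_ldap._tcp.dc._msdcs.attacker.test resolver=203.0.113.7
2024-12-11T10:05:02Z dc01 NBNS query=ATTACKERHOST broadcast=10.0.0.255
2024-12-11T10:05:03Z dc01 CLDAP dst=203.0.113.7 port=389 result=referral
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>[A-Z_]+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

TRUSTED_NETS = ("10.0.0.",)      # constructed: internal prefixes treated as trusted
WINDOW = timedelta(seconds=30)   # max spread of one chain; tune to your environment


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m["rest"]))
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m["host"], "kind": m["kind"], **fields}


def is_trusted(ip):
    return any(ip.startswith(prefix) for prefix in TRUSTED_NETS)


def find_suspicious_chains(log_text):
    """Return (host, start_ts, stage_names) for each chain that starts with an
    untrusted DsrGetDcNameEx2 call and ends in a CLDAP referral from an
    untrusted host, with a DNS SRV lookup to an untrusted resolver in between."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Stage 1: NRPC DsrGetDcNameEx2 call from outside the trusted ranges.
            if start["kind"] != "RPC" or start.get("method") != "DsrGetDcNameEx2":
                continue
            if is_trusted(start.get("src", "")):
                continue
            stages = {"rpc": start["ts"]}
            for e in evs[i + 1:]:
                if e["ts"] - start["ts"] > WINDOW:
                    break
                # Stage 2: DC asks an untrusted resolver for SRV records.
                if e["kind"] == "DNS_SRV" and not is_trusted(e.get("resolver", "")):
                    stages["dns_srv"] = e["ts"]
                # Stage 3: NBNS broadcast to resolve the returned hostname.
                elif e["kind"] == "NBNS" and "dns_srv" in stages:
                    stages["nbns"] = e["ts"]
                # Stage 4: CLDAP to an untrusted host answered with a referral.
                elif (e["kind"] == "CLDAP" and e.get("result") == "referral"
                      and not is_trusted(e.get("dst", ""))):
                    stages["cldap_referral"] = e["ts"]
            if all(k in stages for k in ("rpc", "dns_srv", "cldap_referral")):
                findings.append((host, start["ts"], sorted(stages)))
    return findings


if __name__ == "__main__":
    for host, ts, stages in find_suspicious_chains(SAMPLE_LOG):
        print(f"{host} {ts.isoformat()} suspicious chain: {', '.join(stages)}")
```

The NBNS stage is recorded but not required for a finding, since NetBIOS name resolution may be disabled or logged elsewhere; the three required stages are the ones the Monitoring item lists. On the constructed sample the benign lookup at 10:00 is ignored because both the resolver and the CLDAP destination are in a trusted range, and only the 10:05 sequence is reported.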
References
- [2] PoC Released for Critical Windows LDAP Zero-Click RCE
- [3] SafeBreach-Labs/CVE-2024-49112 - LDAP Nightmare - GitHub
This information provides a comprehensive overview of the latest news on the LDAP vulnerability PoC exploit, specifically CVE-2024-49112, and its potential impact on Windows Domain Controllers.