Exploit Proof-of-Concept Released for Windows Lightweight Directory Access Protocol (LDAP) Vulnerability CVE-2024-49113
A critical exploit proof-of-concept (PoC) has been published for a previously disclosed vulnerability, CVE-2024-49113, within the Windows Lightweight Directory Access Protocol (LDAP) service.
Dubbed “LDAP Nightmare,” this vulnerability enables Remote Code Execution (RCE) and Denial of Service on unpatched Windows Servers, including Domain Controllers (DCs).
Summary
OEM | Microsoft |
Severity | High |
CVSS | 7.5 |
CVEs | CVE-2024-49113 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.1 |
Overview
This vulnerability was originally disclosed during Microsoft’s December 2024 Patch Tuesday. Its severity, with a CVSS score of 7.5, underscores its significant impact on enterprise environments. Organizations are urged to take immediate remediation steps to prevent exploitation.
Vulnerability Name | CVE ID | Product Affected | Severity |
Windows LDAP Denial of Service Vulnerability | CVE-2024-49113 | Windows Server | High |
Technical Summary
The exploitation of CVE-2024-49113 involves a zero-click attack leveraging the LDAP protocol to execute arbitrary code or crash Windows Servers by targeting the Local Security Authority Subsystem Service (LSASS). The PoC released by SafeBreach Labs demonstrates how attackers can manipulate LDAP responses to crash or compromise unpatched systems. Key technical details are as follows:
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-49113 | All unpatched versions of Windows Server and Windows 10 and 11 | Integer overflow in LDAP-related code allows remote unauthenticated exploitation via crafted RPC and LDAP queries. Exploitation requires only Internet connectivity for DNS interactions; no authentication is needed. | RCE or system crash |
Exploit Details:
Remediation:
Conclusion:
The release of a PoC for CVE-2024-49113 significantly heightens the risk of exploitation. SafeBreach’s research underscores the vulnerability’s potential to compromise enterprise networks, including complete domain resource control or critical infrastructure disruption. With Microsoft’s patch available, organizations must prioritize patching and deploy monitoring strategies to safeguard against exploitation. For more information, refer to SafeBreach’s GitHub repository and detailed technical findings.
References: