Researchers from SafeBreach Labs disclosed a proof-of-concept (PoC) exploit for a critical vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) implementation, tracked as CVE-2024-49112.

This flaw, disclosed by Microsoft on December 10, 2024, as part of its Patch Tuesday update, carries a CVSS severity score of 9.8 and poses a significant threat to corporate networks.

CVE-2024-49112 is a remote code execution (RCE) vulnerability that affects Windows servers, including Domain Controllers (DCs), the core components of an organizational network responsible for authentication and user rights.

By exploiting this vulnerability, attackers could crash unpatched servers or execute unauthorized code in the context of the LDAP service, putting entire domains at risk.

Vulnerability Exploit

The root cause of this vulnerability is an integer overflow in LDAP-related code. An unauthenticated attacker could trigger it by sending specially crafted RPC calls that cause the server to issue malicious LDAP queries, potentially leading to a server crash or to RCE.

CVE-2024-49112 PoC Demonstration

SafeBreach Labs created a zero-click PoC exploit, named “LDAPNightmare”, to demonstrate the critical nature of CVE-2024-49112. The exploit crashes unpatched Windows servers through the attack sequence outlined below:

  1. The attacker sends a DCE/RPC request to the target server.
  2. The target server queries the attacker’s DNS server for details.
  3. The attacker replies with a hostname and LDAP port.
  4. The server sends an NBNS broadcast to discover the attacker’s hostname.
  5. The attacker responds with its IP address.
  6. The server operates as an LDAP client and transmits a CLDAP request to the attacker’s device.
  7. The attacker sends a malformed referral response, causing LSASS (Local Security Authority Subsystem Service) to crash and forcing the server to reboot.

Attack Sequence

SafeBreach Labs confirmed that Microsoft’s update mitigates this vulnerability by fixing the integer overflow.

This vulnerability affects all Windows Server editions released before the patch, including Windows Server 2019 and 2022. Successful exploitation could give attackers control over domain settings, making domain controllers a prime target for ransomware groups and other malicious actors.

Businesses are advised to:

  • Install Microsoft’s patch from December 2024 promptly.
  • Monitor for suspicious DNS SRV queries, CLDAP referral responses, and DsrGetDcNameEx2 calls until patching is complete.
  • Test their environments with SafeBreach’s PoC tool, which is available on GitHub.
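The monitoring advice above maps directly onto the attack sequence described earlier: an inbound DsrGetDcNameEx2 call, followed by an outbound DNS SRV query for a domain the DC has no business resolving, followed by a CLDAP request to (and a referral response from) a host that is not a known domain controller. The following script is an added example, written here as a defender's illustration; it is not SafeBreach's PoC and not code from the article. It correlates these stages within a short time window over constructed, simplified log lines. The log format, the field names (`event=`, `iface=`, `dst=`, ...), the `KNOWN_DOMAINS` and `KNOWN_DCS` allowlists and the 60-second window are all assumptions; a real deployment would feed it from DNS debug logging, RPC auditing and network telemetry in whatever format those produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (NOT real Windows event output). One line per event,
# ISO timestamp followed by key=value fields. The first five lines mimic the
# stages of the LDAPNightmare chain; the last two are benign DC traffic.
SAMPLE_LOG = """\
2024-12-11T10:00:01Z host=DC01 event=rpc_call iface=DsrGetDcNameEx2 src=203.0.113.5
2024-12-11T10:00:02Z host=DC01 event=dns_query type=SRV name=_ldap._tcp.dc._msdcs.evil.example
2024-12-11T10:00:03Z host=DC01 event=nbns_query name=EVILHOST
2024-12-11T10:00:04Z host=DC01 event=cldap_request dst=203.0.113.5 port=389
2024-12-11T10:00:05Z host=DC01 event=cldap_referral src=203.0.113.5
2024-12-11T10:05:00Z host=DC01 event=dns_query type=SRV name=_ldap._tcp.dc._msdcs.corp.example
2024-12-11T10:05:01Z host=DC01 event=cldap_request dst=10.0.0.11 port=389
"""

# Assumed environment knowledge: domains this DC legitimately locates DCs for,
# and the IP addresses of its own known domain controllers.
KNOWN_DOMAINS = {"corp.example"}
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}
WINDOW = timedelta(seconds=60)  # assumed correlation window

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict; return None on junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["ts"] = ts
    return fields


def srv_domain(name):
    """Extract <domain> from a _ldap._tcp.dc._msdcs.<domain> SRV name."""
    marker = "._msdcs."
    idx = name.find(marker)
    return name[idx + len(marker):] if idx >= 0 else name


def detect_chains(lines, known_domains=KNOWN_DOMAINS, known_dcs=KNOWN_DCS,
                  window=WINDOW):
    """Pivot on SRV queries for unknown domains and look for the surrounding
    stages of the chain on the same host within the window. Each finding
    records which stages were observed; more stages means higher confidence."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in events:
        by_host[e.get("host", "?")].append(e)

    findings = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["event"] != "dns_query" or e.get("type") != "SRV":
                continue
            if srv_domain(e["name"]) in known_domains:
                continue  # normal DC locator traffic
            stages = {"srv_query_unknown_domain": e["name"]}
            # Look back: was the SRV lookup preceded by a DsrGetDcNameEx2 call?
            for p in evs[:i]:
                if (e["ts"] - p["ts"] <= window and p["event"] == "rpc_call"
                        and p.get("iface") == "DsrGetDcNameEx2"):
                    stages["rpc_trigger"] = p.get("src", "?")
            # Look forward: CLDAP to, and referral from, a non-DC host?
            for n in evs[i + 1:]:
                if n["ts"] - e["ts"] > window:
                    break
                if n["event"] == "cldap_request" and n.get("dst") not in known_dcs:
                    stages["cldap_to_unknown_host"] = n["dst"]
                if n["event"] == "cldap_referral" and n.get("src") not in known_dcs:
                    stages["referral_from_unknown_host"] = n["src"]
            score = len(stages)
            findings.append({"host": host, "ts": e["ts"], "stages": stages,
                             "score": score,
                             "severity": "high" if score >= 3 else "low"})
    return findings


if __name__ == "__main__":
    for f in detect_chains(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["host"], f["severity"], f["stages"])
```

The pivot on the SRV query is deliberate: a DC resolving `_ldap._tcp.dc._msdcs.<domain>` for a domain it has no trust relationship with is unusual on its own, and the surrounding RPC call and CLDAP exchange turn a weak signal into a high-confidence one. Tune the allowlists to your forest (trusted domains generate legitimate SRV lookups) before acting on the output.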

The publication of this PoC underscores the urgency of addressing CVE-2024-49112. While SafeBreach’s research highlights the vulnerability’s potential impact, it also gives organizations a tool for verifying their defenses.

Microsoft has already issued fixes for this vulnerability; businesses should prioritize updating and implement robust monitoring to shield critical infrastructure from exploitation.

The article “PoC Exploit Released for Critical Windows LDAP RCE Vulnerability” was originally published on Cyber Security News.