好的,由於這個弱點花了蠻久的時間在找資料,怎麼說也是該紀錄一下。
這系列相關的有:
其中1是指可以進行null base
search、2 3則是可使用Anonymous
bind(Null bind),1若搭配2 3 威力更強。以下就分成兩個部分討論:
Part 1: LDAP
NULL BASE Search Access
Part 2: LDAP
Anonymous bind (Null bind)
Part 1: LDAP NULL BASE Search Access
弱點描述:
LDAP Server支援使用NULL/empty
base來搜尋。可能導致資訊洩漏,因為不需要對該LDAP Server有基本的了解就可以取得目錄結構資訊。
如果結合NULL Bind (Anonymous bind),便可以使用工具來查詢資料了。
由於LDAPv3設計允許null base是為了能方便存取RootDSE,取得像是naming context或authentication type等資訊。
此弱點可能為false-positive。(敘述看起來所謂的false-positive就是當此弱點是發現於v3,若是發現在v2就要考慮去停用null
base。)
~
The remote LDAP server supports search requests with a NULL, or
empty,
base object. This allows information to be retrieved without any prior
knowledge of the directory structure. Coupled with a NULL BIND, an
anonymous user may be able to query your LDAP server using a tool such
as 'LdapMiner'.
Note that there are valid reasons to allow queries with a NULL base.
For example, it is required in version 3 of the LDAP protocol to
provide access to the root DSA-Specific Entry (DSE), with information
about the supported naming context, authentication types, and the
like. It also means that legitimate users can find information in the
directory without any prior knowledge of its structure. As such, this
finding may be a false-positive.
base object. This allows information to be retrieved without any prior
knowledge of the directory structure. Coupled with a NULL BIND, an
anonymous user may be able to query your LDAP server using a tool such
as 'LdapMiner'.
Note that there are valid reasons to allow queries with a NULL base.
For example, it is required in version 3 of the LDAP protocol to
provide access to the root DSA-Specific Entry (DSE), with information
about the supported naming context, authentication types, and the
like. It also means that legitimate users can find information in the
directory without any prior knowledge of its structure. As such, this
finding may be a false-positive.
~
(以下直接採用TurnKey
OpenLDAP預設的環境進行測試/LDAPv3)
使用工具:(1) ldapsearch (CLI/Linux), (2) LDAP
Browser (GUI/Windows)
ldapsearch
根據Google上的各種討論串,NULL
BASE Search指令應為:
ldapsearch -x -s base -b '' -H ldap://127.0.0.1 "(objectClass=*)"
"*" +
用了以後發現 哦! 吐了一堆看不懂的資訊
-x = simple authentication
-s = scope is defined as base
-b = search base
-H = specify LDAP uri
簡單來說就是使用Simple Authentication且不用輸密碼(前提是允許使用Anonymous bind)、指定使用base且search base設為''。
補充:可透過上面得到的namingContext用來取得更多資訊。
ldapsearch -x -s sub -b "dc=example,dc=com"
-H ldap://127.0.0.1
LDAP Browser
這就是我喜歡GUI的地方,竟然連那些難以讀懂的數字都幫你標好翻譯了XD
嚴格來說這其實不算弱點,當初這樣的設計是為了能與rootDSE做溝通直接取得資訊。
但這也確實會造成資訊洩漏的問題,網路求解法找到如下資訊:
儘管去禁止null base query不太合邏輯,但他還是提供方法了XD (所謂的ACL方式)
在OpenLDAP 2.4以上,已經不適用修改slapd.conf的方法了。
因此我們必須要建立ldif檔搭配ldapmodify來達成修改config的目的。
首先來看一下目前的設定長怎樣:
ldapsearch -Y EXTERNAL -H ldapi:/// -b
"cn=config"
然後就噴了一堆東西嚇死你,其實我們只要看最後面{1}hdb, config的olcAccess就好。
我是不太懂啦,但看起來確實跟建議的設定值不同。
所以呢來寫個 ldif 吧。
vim disable_null_base_query.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {1}to dn.base="" by users
read
olcAccess: {2}to
dn.base="cn=Subschema" by users read
存檔後來執行套用:
ldapmodify -Y EXTERNAL -H ldapi:// -f xxx.ldif
成功執行會長這樣↓
然後要來驗證一下修得如何,首先看一下LDAP Browser,恩 看起來挺好的,好像什麼都看不到了。
不過呢,ldapsearch -x -s base -b '' -H ldap://127.0.0.1 "(objectClass=*)"
"*" + 還是可以執行,只有改用-s sub的會失敗。
ˊ_>ˋ
我在想或許是LDAPv3的關係。
Part 2: LDAP Anonymous bind(Null bind)
弱點描述:
允許Null bind會造成資訊洩漏。
~
The LDAP server on the remote host is currently configured such
that a
user can connect to it without authentication - via a 'NULL BIND' -
and query it for information. Although the queries that are allowed
are likely to be fairly restricted, this may result in disclosure of
information that an attacker could find useful.
This plugin does not identify servers that use LDAP v3 since
anonymous access -- a 'NULL BIND' -- is required by that version
of the protocol.
user can connect to it without authentication - via a 'NULL BIND' -
and query it for information. Although the queries that are allowed
are likely to be fairly restricted, this may result in disclosure of
information that an attacker could find useful.
This plugin does not identify servers that use LDAP v3 since
anonymous access -- a 'NULL BIND' -- is required by that version
of the protocol.
~
如何測試?
ldapsearch -H
ldap://127.0.0.1 -x
沒錯就是用-x
↑這樣就是有允許
解法:
停用Anonymous Bind及Anonymous Access:這個方法也可用在null base
search + anonymous bind的情況,直接關閉Anonymous
Bind及Anonymous Access就可以解決公開暴露資訊的情況。
這邊一樣使用 ldif:
[停用Anonymous Bind]
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
[不允許Anonymous Access]
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
上面這兩個設定,可直接放在同一個 ldif 裡,如下:
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
-
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
再次執行ldapmodify來套用設定。
此時再測一次,喔喔!不行囉~
經測試後發現一些現象:
1.
我這台OpenLDAP確實可用null base search,但我用Nessus掃(Policy Basic Network Scan, Advanced Scan都試過)卻沒掃出弱點(只有一些Info)。
2.
用Nmap ldap-search測時,若只停用Anonyomous bind還是可以掃到資訊,要一併停止允許Anonymous
Access才行。
停用Anonymous Access前:
停用Anonymous Access後:
(↑使用Part 1的修補方法也可以達成上面效果)
補充:較舊版本的修補方式
/etc/openldap/slapd.conf 加入
disallow bind_anon
require authc
就在這邊告一段落了,因為真的不太熟,所以可能有些現象屬正常我也不知道。
之後有時間再來好好K一下了,這次真的花了不少天查資料做實驗。=___=
---
Turnkey Openldap 14.1 jessie amd64
Softerra LDAP Browser 4.5 (64-bit)
---
參考資料:
沒有留言:
張貼留言