A newly released proof-of-concept (PoC) exploit, dubbed LDAPNightmare, targets a now-patched security vulnerability in Windows Lightweight Directory Access Protocol (LDAP), potentially causing a denial-of-service (DoS) attack on unpatched systems.
CVE-2024-49113: A High-Severity Security Flaw
The vulnerability, identified as CVE-2024-49113 with a CVSS score of 7.5, allows attackers to perform out-of-bounds reads, leading to system crashes. Microsoft addressed this issue in the December 2024 Patch Tuesday updates, alongside CVE-2024-49112 (CVSS score: 9.8), a critical integer overflow flaw in the same component that enables remote code execution (RCE).
Both vulnerabilities were discovered and reported by independent security researcher Yuki Chen (@guhe120).
LDAPNightmare PoC: Impact and Exploitation
Security researchers at SafeBreach Labs developed the LDAPNightmare PoC, which can crash any unpatched Windows Server without prior authentication, provided the victim's DNS server has internet connectivity (the victim must be able to resolve the attacker-controlled domain).
The exploit sends a DCE/RPC request (a DsrGetDcNameEx2 call) to the target server. The target then looks up the attacker's domain via a DNS SRV query and contacts the attacker's host over CLDAP; the attacker answers with a specially crafted CLDAP referral response packet that crashes the Local Security Authority Subsystem Service (LSASS) and forces an automatic reboot.
SafeBreach Labs also found that the same attack chain could be adapted to achieve remote code execution (RCE) by leveraging CVE-2024-49112, allowing an attacker to execute arbitrary code within the LDAP service.
Microsoft's Response and Security Advisory
Microsoft has provided limited technical details on CVE-2024-49113 but confirmed that CVE-2024-49112 could be exploited via RPC requests from untrusted networks to execute arbitrary code. The company outlined two primary attack vectors:
Exploiting a domain controller as an LDAP server: An attacker sends malicious RPC calls to the target to force a lookup of the attacker's domain. In this case the attacker can use an RPC connection to the domain controller to make it perform a domain controller lookup operation against the attacker's domain.
Targeting an LDAP client application: The attacker tricks the victim into performing a domain controller lookup for the attacker's domain or into connecting to a malicious LDAP server. Unauthenticated RPC calls do not succeed in this case.
Mitigation and Security Recommendations
Organizations should apply the December 2024 security updates from Microsoft to fix these vulnerabilities. Where patching cannot happen immediately, the following detections, recommended by SafeBreach, can serve as a stopgap (they flag exploitation; they do not prevent it):
Monitor inbound CLDAP referral responses, particularly those carrying the malicious values used by the PoC.
Track DsrGetDcNameEx2 RPC calls, especially those arriving from unexpected or external sources.
Watch for DNS SRV queries for domain controllers in domains the environment does not normally resolve.
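The three detections above only become useful when they are correlated into the sequence the PoC produces (RPC lookup of a foreign domain, then the DC locator SRV query for it, then a CLDAP reply from a host that is not one of our domain controllers). The following Python is an added example written for this article, not SafeBreach's or Microsoft's code; the event schema, the trusted-domain and DC lists, the 30-second window and the sample telemetry are all constructed assumptions, so adapt the field names to whatever your sensor actually emits.

```python
"""Correlate the LDAPNightmare exploitation chain across constructed telemetry.

Hypothetical event records (constructed for this example; the field names are
assumptions, not a real sensor's schema). Each event is a dict with
  t     -> seconds since an arbitrary epoch
  kind  -> "rpc" | "dns" | "cldap"
  host  -> the monitored Windows host the event was observed on
plus the kind-specific fields used in find_chains() below.
"""
from collections import defaultdict
from typing import Optional

# Domains this forest legitimately resolves and the IPs of its own DCs
# (both sets are constructed for the example).
TRUSTED_DOMAINS = {"corp.example.com"}
KNOWN_DC_IPS = {"10.0.0.10", "10.0.0.11"}
WINDOW_SECONDS = 30  # assumed gap between the RPC call and the CLDAP reply

# Standard DC locator SRV record name prefix used by Windows.
DC_LOCATOR_SRV_PREFIX = "_ldap._tcp.dc._msdcs."


def domain_of_srv(qname: str) -> Optional[str]:
    """Return the domain behind a DC locator SRV query, or None if it is not one."""
    q = qname.lower().rstrip(".")
    if q.startswith(DC_LOCATOR_SRV_PREFIX):
        return q[len(DC_LOCATOR_SRV_PREFIX):]
    return None


def is_untrusted_domain(domain: str) -> bool:
    """True unless the domain is, or sits under, a trusted domain."""
    d = domain.lower().rstrip(".")
    return not any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def find_chains(events):
    """Return one alert per host that shows, within WINDOW_SECONDS:
    1. an inbound DsrGetDcNameEx2 RPC call naming an untrusted domain,
    2. an outbound DC locator SRV query for that same domain,
    3. an inbound CLDAP reply from a source that is not one of our DCs.
    """
    alerts = []
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_host[e["host"]].append(e)

    for host, evs in by_host.items():
        for i, rpc in enumerate(evs):
            if rpc["kind"] != "rpc" or rpc["op"] != "DsrGetDcNameEx2":
                continue
            if not is_untrusted_domain(rpc["domain"]):
                continue  # ordinary lookup of our own forest
            srv_seen = False
            for e in evs[i + 1:]:
                if e["t"] - rpc["t"] > WINDOW_SECONDS:
                    break
                if e["kind"] == "dns" and domain_of_srv(e["qname"]) == rpc["domain"].lower():
                    srv_seen = True
                elif srv_seen and e["kind"] == "cldap" and e["src"] not in KNOWN_DC_IPS:
                    alerts.append({
                        "host": host,
                        "rpc_client": rpc["src"],
                        "domain": rpc["domain"],
                        "cldap_from": e["src"],
                        # "referral" is a constructed flag: did the sensor see a referral?
                        "referral": e.get("referral", False),
                    })
                    break
    return alerts


# Constructed sample telemetry: one benign DC lookup and one suspicious chain.
SAMPLE_EVENTS = [
    # benign: an internal client asks about the forest's own domain
    {"t": 0, "kind": "rpc", "host": "SRV01", "src": "10.0.0.50",
     "op": "DsrGetDcNameEx2", "domain": "corp.example.com"},
    {"t": 1, "kind": "dns", "host": "SRV01",
     "qname": "_ldap._tcp.dc._msdcs.corp.example.com"},
    {"t": 2, "kind": "cldap", "host": "SRV01", "src": "10.0.0.10", "referral": False},
    # suspicious: RPC call from outside naming an attacker-controlled domain,
    # followed by the SRV lookup and a CLDAP reply from that same outside host
    {"t": 100, "kind": "rpc", "host": "SRV01", "src": "203.0.113.7",
     "op": "DsrGetDcNameEx2", "domain": "attacker.example"},
    {"t": 101, "kind": "dns", "host": "SRV01",
     "qname": "_ldap._tcp.dc._msdcs.attacker.example"},
    {"t": 103, "kind": "cldap", "host": "SRV01", "src": "203.0.113.7", "referral": True},
]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The benign sequence is ignored because the RPC call names a trusted domain; the second sequence produces a single alert naming the external RPC client, the foreign domain and the CLDAP source. Requiring all three stages keeps the rule quiet on ordinary DC locator traffic while still catching the PoC's order of operations, and the CLDAP stage is what distinguishes a real exploitation attempt from a stray lookup of an unknown domain.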
Applying the security updates promptly and monitoring for the traffic pattern above lets enterprises protect their Windows Server environments from LDAPNightmare and related attacks against the LDAP service.