PoC Exploit Released for Critical Windows LDAP RCE Vulnerability


SafeBreach Labs’ researchers unveiled a proof-of-concept (PoC) exploit for a critical vulnerability in Windows Lightweight Directory Access Protocol (LDAP), tracked as CVE-2024-49112.

The flaw, disclosed by Microsoft on December 10, 2024, during its Patch Tuesday update, carries a CVSS severity score of 9.8 and poses a significant risk to enterprise networks.

CVE-2024-49112 is a remote code execution (RCE) vulnerability that affects Windows servers, including Domain Controllers (DCs). DCs are critical components in organizational networks as they manage authentication and user privileges.

Exploiting this flaw could allow attackers to crash unpatched servers or execute arbitrary code within the context of the LDAP service, potentially compromising entire domains.

Vulnerability Details

The vulnerability stems from an integer overflow in the Windows LDAP client code. An unauthenticated attacker can reach it by sending specially crafted RPC calls that make the target look up an attacker-controlled domain over LDAP; the attacker's LDAP response then triggers the overflow. Depending on the payload, this leads to a server crash or to further exploitation for RCE.

PoC Released for CVE-2024-49112

SafeBreach Labs developed a zero-click PoC exploit, dubbed “LDAPNightmare,” demonstrating the criticality of CVE-2024-49112. The exploit crashes unpatched Windows servers by leveraging the following attack flow:

  1. An attacker sends a DCE/RPC request to the victim server.
  2. The victim queries the attacker’s DNS server for information.
  3. The attacker responds with a hostname and LDAP port.
  4. The victim sends an NBNS broadcast to locate the attacker’s hostname.
  5. The attacker replies with its IP address.
  6. The victim becomes an LDAP client and sends a CLDAP request to the attacker’s machine.
  7. The attacker sends a malicious referral response, causing LSASS (Local Security Authority Subsystem Service) to crash and reboot the server.
Attack Flow

SafeBreach verified that Microsoft’s patch effectively mitigates this vulnerability by addressing the integer overflow issue.

The vulnerability affects all supported versions of Windows Server that have not received the December 2024 update, including Windows Server 2019 and 2022. Because exploitation could let attackers take control of domain environments, unpatched Domain Controllers are a prime target for ransomware gangs and other threat actors.

Organizations are urged to:

  • Apply Microsoft’s December 2024 patch immediately.
  • Until patching is complete, monitor for the attack chain's observable steps: DNS SRV queries from DCs for unexpected domains, inbound CLDAP referral responses from hosts that are not DCs, and DsrGetDcNameEx2 RPC calls from unexpected sources.
  • Test their environments using SafeBreach's PoC tool, available on GitHub, in a lab or maintenance window only, since the PoC crashes unpatched servers rather than merely flagging them.
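The attack flow and the monitoring advice above can be turned into a simple correlation rule: a DC that receives a DsrGetDcNameEx2 request naming an untrusted domain, then issues an LDAP SRV query for that domain, and shortly afterwards receives a CLDAP referral from a non-DC address is showing the LDAPNightmare sequence. The script below is an added illustration written for this article, not SafeBreach's PoC or any Microsoft tooling. The line-oriented log format, the addresses, the `KNOWN_DCS`/`TRUSTED_DOMAINS` sets and the 30-second window are all constructed assumptions; adapt the parser to whatever your DNS, NBNS and RPC telemetry actually emits.

```python
"""Correlate RPC, DNS, NBNS and CLDAP events to detect the LDAPNightmare-style
sequence: DsrGetDcNameEx2 -> SRV lookup of an untrusted domain -> CLDAP referral
from a non-DC. Log format, hosts and domains below are constructed for this
example; they are not a real product's output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical environment facts: which hosts are our DCs, which domains we trust.
KNOWN_DCS = {"10.0.0.1"}
TRUSTED_DOMAINS = {"corp.example"}
WINDOW = timedelta(seconds=30)   # assumed correlation window

# Constructed sample telemetry: "<ISO timestamp> <kind> key=value ..."
SAMPLE_LOG = """\
2025-01-02T10:00:00 rpc src=10.0.0.50 dst=10.0.0.1 op=DsrGetDcNameEx2 domain=corp.example
2025-01-02T10:00:01 dns src=10.0.0.1 qname=_ldap._tcp.dc._msdcs.corp.example qtype=SRV
2025-01-02T10:00:05 rpc src=203.0.113.7 dst=10.0.0.1 op=DsrGetDcNameEx2 domain=evil.example
2025-01-02T10:00:06 dns src=10.0.0.1 qname=_ldap._tcp.dc._msdcs.evil.example qtype=SRV
2025-01-02T10:00:06 nbns src=10.0.0.1 qname=EVILHOST
2025-01-02T10:00:07 cldap src=203.0.113.7 dst=10.0.0.1 msg=referral
2025-01-02T10:05:00 cldap src=10.0.0.1 dst=10.0.0.50 msg=SearchResultEntry
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, kind, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "kind": kind}
    for item in pairs:
        key, _, value = item.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def srv_domain(qname):
    """Strip the LDAP SRV prefix so the queried domain can be compared."""
    for prefix in ("_ldap._tcp.dc._msdcs.", "_ldap._tcp."):
        if qname.startswith(prefix):
            return qname[len(prefix):]
    return None


def detect(events):
    """Return one alert per (DC, untrusted domain) where, within WINDOW of an
    inbound DsrGetDcNameEx2 naming that domain, the DC issued an LDAP SRV query
    for it and then received a CLDAP referral from a host that is not a DC."""
    alerts = []
    by_dc = defaultdict(list)
    for ev in events:
        # Inbound RPC/CLDAP is keyed on the DC as destination; the DC's own
        # outbound DNS/NBNS lookups are keyed on it as source.
        dc = ev.get("dst") if ev["kind"] in ("rpc", "cldap") else ev.get("src")
        if dc in KNOWN_DCS:
            by_dc[dc].append(ev)

    for dc, evs in by_dc.items():
        for trig in evs:
            if trig["kind"] != "rpc" or trig.get("op") != "DsrGetDcNameEx2":
                continue
            domain = trig.get("domain", "")
            if domain in TRUSTED_DOMAINS:
                continue
            later = [e for e in evs if trig["ts"] <= e["ts"] <= trig["ts"] + WINDOW]
            srv_seen = any(e["kind"] == "dns" and e.get("qtype") == "SRV"
                           and srv_domain(e.get("qname", "")) == domain
                           for e in later)
            referrals = [e for e in later if e["kind"] == "cldap"
                         and e.get("msg") == "referral"
                         and e.get("src") not in KNOWN_DCS]
            if srv_seen and referrals:
                alerts.append({"dc": dc, "domain": domain,
                               "rpc_src": trig["src"],
                               "referral_src": referrals[0]["src"],
                               "ts": trig["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print("ALERT possible LDAPNightmare sequence:", alert)
```

On the sample data the rule fires once, for the request naming `evil.example` from 203.0.113.7, and stays silent for the legitimate `corp.example` lookup. The NBNS step is deliberately not required for the alert: an attacker who answers the SRV query with a directly resolvable name would skip it, and the rule should still catch the DC becoming an LDAP client of an unknown host.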

The release of this PoC highlights the urgency of addressing CVE-2024-49112. While SafeBreach’s research underscores the vulnerability’s potential impact, it also provides organizations with tools to verify their defenses.

Microsoft has already released patches for the vulnerability. Enterprises must prioritize deploying them on Domain Controllers first and keep monitoring in place until every server is patched.

