Reported June 25, 2001, by Russ Cooper and Jon McDonald.
LDAP over SSL Password Change Vulnerability in Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server
A vulnerability exists in a Lightweight Directory Access Protocol (LDAP) function that is available only if the LDAP server has been configured to support LDAP over Secure Sockets Layer (SSL) sessions. The purpose of this function is to let users change the data attributes of directory principals. By design, the function should check the requester's authorizations before completing the request. However, the function contains an error that manifests itself only when the directory principal is a domain user and the data attribute is the domain password. In this case, the function fails to check the requester's permissions, so a malicious user can change any other user's domain logon password.
By design, any user who can connect to the LDAP server can also call the affected function, including users who connect through anonymous sessions. As a result, any user who can establish a connection with an affected server can exploit the vulnerability.
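The flaw described above is a missing authorization check on one code path: the attribute-change handler consults the requester's permissions for every attribute except the domain password of a domain user. The following model, added here as an illustration and not Microsoft's code, shows that shape of bug next to the corrected handler, where the permission check runs before any write regardless of which attribute is named. The directory structure, the ACL layout and the principal names are constructed for the example; `unicodePwd` is the Active Directory password attribute (written only over an SSL session), all other names are assumptions.

```python
from dataclasses import dataclass, field

PASSWORD_ATTR = "unicodePwd"  # AD password attribute, writable only over an SSL session


@dataclass
class Principal:
    dn: str
    is_domain_user: bool
    attrs: dict = field(default_factory=dict)


@dataclass
class ModifyRequest:
    requester: str  # DN the session is bound as; "" models an anonymous bind
    target: str     # DN of the directory principal being modified
    attr: str
    value: str


class Directory:
    """Toy directory with an explicit write ACL (constructed structure, not AD's)."""

    def __init__(self, principals, acl, ldaps_enabled=True):
        self.principals = {p.dn: p for p in principals}
        self.acl = acl  # {(requester_dn, target_dn): set of attributes the requester may write}
        self.ldaps_enabled = ldaps_enabled

    def _can_write(self, req):
        # Ordinary authorization: requester must hold write permission on that attribute.
        return req.attr in self.acl.get((req.requester, req.target), set())

    def _apply(self, req):
        self.principals[req.target].attrs[req.attr] = req.value
        return True

    def modify_vulnerable(self, req):
        # The attribute-change function is only offered when LDAP over SSL is configured.
        if not self.ldaps_enabled:
            raise RuntimeError("attribute-change function only offered over SSL")
        target = self.principals[req.target]
        if target.is_domain_user and req.attr == PASSWORD_ATTR:
            # Flawed special case: this path never consults the requester's
            # permissions, so even an anonymous session's write is applied.
            return self._apply(req)
        if not self._can_write(req):
            return False
        return self._apply(req)

    def modify_fixed(self, req):
        if not self.ldaps_enabled:
            raise RuntimeError("attribute-change function only offered over SSL")
        # Corrected handler: authorization is checked before any write, on every path.
        if not self._can_write(req):
            return False
        return self._apply(req)


ALICE = "CN=alice,DC=example,DC=test"  # constructed sample principals
ADMIN = "CN=admin,DC=example,DC=test"


def build_directory():
    alice = Principal(ALICE, is_domain_user=True)
    admin = Principal(ADMIN, is_domain_user=True)
    acl = {
        (ALICE, ALICE): {PASSWORD_ATTR, "description"},  # self-service password change
        (ADMIN, ALICE): {PASSWORD_ATTR, "description"},  # administrative reset
    }
    return Directory([alice, admin], acl)


def demonstrate():
    """Return whether each request is applied (True) or denied (False) by each handler."""
    anon_pw = ModifyRequest("", ALICE, PASSWORD_ATTR, "attacker-chosen")
    anon_desc = ModifyRequest("", ALICE, "description", "graffiti")
    self_pw = ModifyRequest(ALICE, ALICE, PASSWORD_ATTR, "new-secret")
    admin_pw = ModifyRequest(ADMIN, ALICE, PASSWORD_ATTR, "reset-by-admin")
    return {
        "anonymous_password_vulnerable": build_directory().modify_vulnerable(anon_pw),
        "anonymous_description_vulnerable": build_directory().modify_vulnerable(anon_desc),
        "anonymous_password_fixed": build_directory().modify_fixed(anon_pw),
        "self_password_fixed": build_directory().modify_fixed(self_pw),
        "admin_password_fixed": build_directory().modify_fixed(admin_pw),
    }


if __name__ == "__main__":
    for name, applied in demonstrate().items():
        print(f"{name}: {'write applied' if applied else 'denied'}")
```

Running the block shows the asymmetry the advisory describes: the vulnerable handler still denies an anonymous write to an ordinary attribute, but applies an anonymous write to the password attribute, while the corrected handler denies the anonymous write and still permits the legitimate self-service change and administrative reset.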
The vendor, Microsoft, has released security bulletin MS01-036 for this vulnerability, and the company recommends that Win2K Server and Win2K AS users immediately apply the patch mentioned in the bulletin. Patches for Win2K Datacenter are hardware-specific and are available only through the original equipment manufacturer.