Lemur, LDAP Injection, CVE (Critical)

The vulnerability exists because Lemur’s LDAP authentication module (lemur/auth/ldap.py) constructs search filters using Python string interpolation without sanitizing user input. An authenticated LDAP user can inject metacharacters via the `username` field in the POST `/auth/login` request, altering the LDAP query logic.

The flaw occurs in two places. First, in the `_bind()` method around line 161, the filter `userPrincipalName=%s` is built directly from `self.ldap_principal`, which is derived from `args["username"]`; no call to `ldap.filter.escape_filter_chars()` is made. Second, the Active Directory group lookup filter around line 189 uses `groupfilter = "(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={}))".format(userdn)`, where `userdn` comes from the unsanitized LDAP response.

Because the initial `simple_bind_s()` succeeds first, the attacker needs valid LDAP credentials, making this a post‑authentication privilege escalation. By injecting a crafted payload such as `validuser)(memberOf=CN=LemurAdmins,DC=corp,DC=example,DC=com`, the attacker manipulates the group membership query to return arbitrary groups, including the `admin` role. This grants unauthorized access to all certificates, private keys (`/certificates/<id>/key`), and CA configurations, allowing certificate issuance under any authority.

DailyCVE form:

Platform: Lemur
Version: versions before fix
Vulnerability: LDAP injection
Severity: Critical
Date: 2024-04-15 (example)

Prediction: 2024-05-01

What Undercode Say:

Simulate vulnerable LDAP filter construction (Python):

# Constructed sample: the username from the advisory. The ")" closes the
# intended assertion and "(" opens a new one, so the rest of the string
# becomes filter structure instead of a plain value.
username = "validuser)(memberOf=CN=LemurAdmins,DC=corp,DC=example,DC=com"
ldap_principal = f"{username}@corp.example.com"
# Same shape as _bind(): no escape_filter_chars() call before interpolation
filter1 = f"userPrincipalName={ldap_principal}"
print(filter1)

Output:
userPrincipalName=validuser)(memberOf=CN=LemurAdmins,DC=corp,DC=example,DC=com@corp.example.com

Exploit request using curl:
curl -X POST https://lemur.example.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"validuser)(memberOf=CN=LemurAdmins,DC=corp,DC=example,DC=com","password":"validpassword"}'

Exploit:

Craft a username containing `)(memberOf=CN=LemurAdmins,DC=corp,DC=example,DC=com` after a valid username prefix. The LDAP server may interpret the injected filter as an additional OR condition, causing the group membership check to return true for the attacker. The attacker then logs in with a valid password, and Lemur assigns the admin role based on the falsified group query.

Protection from this CVE:

Apply `ldap.filter.escape_filter_chars()` to all user‑controlled input before interpolation. In lemur/auth/ldap.py:

from ldap.filter import escape_filter_chars
ldap_filter = "userPrincipalName=%s" % escape_filter_chars(self.ldap_principal)
groupfilter = "(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={}))".format(escape_filter_chars(userdn))
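
As an added example (not Lemur's code and not part of the advisory), the following Python reproduces the two filter shapes above side by side with a hand-written equivalent of `escape_filter_chars()` (RFC 4515 hex escaping, the same output python-ldap produces in its default mode) so that it runs without python-ldap installed. It also adds an input-boundary check and a paren-count check that shows an escaped value can no longer change the filter's structure. The function names, the sample DN, and the paren-count helper are assumptions of this example.

```python
# Added example, not Lemur's own code. Demonstrates why raw interpolation of
# the `username` field breaks the LDAP filter, and how RFC 4515 escaping
# (what ldap.filter.escape_filter_chars() in python-ldap does) makes the
# same input inert. The escaper is re-implemented inline so this runs
# without python-ldap; the payload and DNs below are constructed samples.


def escape_filter_chars(value: str) -> str:
    """Escape LDAP filter metacharacters as \\XX hex pairs (RFC 4515 s.3).

    Matches python-ldap's ldap.filter.escape_filter_chars(value) in its
    default mode: backslash, '*', '(', ')' and NUL are escaped, nothing else.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def contains_filter_metachars(value: str) -> bool:
    """Input-boundary check: True if the value could alter filter structure.

    Useful as an early reject, or an audit-log trigger, on /auth/login in
    addition to escaping at the point of interpolation (hypothetical helper).
    """
    return any(ch in value for ch in "\\*()\x00")


def bind_filter_vulnerable(ldap_principal: str) -> str:
    """Shape of the _bind() filter described in the advisory: no escaping."""
    return "userPrincipalName=%s" % ldap_principal


def bind_filter_fixed(ldap_principal: str) -> str:
    """Same filter with the value escaped before interpolation."""
    return "userPrincipalName=%s" % escape_filter_chars(ldap_principal)


def group_filter_fixed(userdn: str) -> str:
    """AD nested-group lookup (matching rule 1.2.840.113556.1.4.1941) with
    the DN escaped; the DN came back from the directory, so treat it as
    untrusted rather than as trusted server output."""
    return "(&(objectclass=group)(member:1.2.840.113556.1.4.1941:={}))".format(
        escape_filter_chars(userdn)
    )


def unescaped_paren_count(filter_str: str) -> int:
    """Count '(' and ')' that are not part of a \\XX escape (hypothetical
    helper). A bare 'attr=value' assertion built from one value must contain
    none; the fixed group filter must contain exactly its own six. Any extra
    ones mean the interpolated value injected structure into the filter."""
    count = 0
    i = 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if filter_str[i] in "()":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed sample: the payload from the advisory.
    username = "validuser)(memberOf=CN=LemurAdmins,DC=corp,DC=example,DC=com"
    principal = f"{username}@corp.example.com"

    print("vulnerable:", bind_filter_vulnerable(principal))
    print("fixed:     ", bind_filter_fixed(principal))
    print("group:     ", group_filter_fixed("CN=valid user,OU=Staff,DC=corp,DC=example,DC=com"))
    print("metachars in username:", contains_filter_metachars(username))
    print("unescaped parens, vulnerable:", unescaped_paren_count(bind_filter_vulnerable(principal)))
    print("unescaped parens, fixed:     ", unescaped_paren_count(bind_filter_fixed(principal)))
```

The escaped bind filter still contains the attacker's text, but as the literal value `validuser\29\28memberOf=...`, which the directory compares against the attribute as a string rather than parsing as a second assertion. The paren count is a cheap regression check for the fix: a value-only filter must yield zero, and the group filter must yield exactly the six parentheses of its own template whatever DN is interpolated.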

Upgrade to a patched version of Lemur when available.

Impact:

Unauthenticated? No – requires valid LDAP credentials. Authenticated low‑privileged LDAP users can escalate to full administrator rights, leading to complete compromise of the certificate management system, exfiltration of private keys, and unauthorized certificate issuance across the entire organization.

Sources:

Reported By: github.com
