The vulnerability in the `python-ldap` library resides in the `ldap.filter.escape_filter_chars` function when the non-default `escape_mode=1` is used. This function is designed to sanitize user input for LDAP search filters by replacing special characters such as `*`, `(`, `)`, and `\` with a backslash followed by their two-digit hexadecimal code (e.g., `*` becomes `\2a`). However, when `escape_mode=1` is active, the function fails to properly handle input that is a list or dictionary. Instead of raising an exception or recursively escaping the contents, it attempts to process the entire list or dict as a string. As a result, the function returns the string representation of the list or dict without escaping any of the special characters it contains. Consequently, if an application passes user-controlled list or dictionary data to this function, the unescaped special characters are injected directly into the LDAP filter, allowing an attacker to alter the filter's logic and potentially gain unauthorized access to, or manipulate, directory data.
Platform: python-ldap
Version: < 3.4.4
Vulnerability: LDAP Injection
Severity: Critical
Date: 2024-10-15
Prediction: Patch 2024-10-29
What Undercode Says:
Check the installed version and observe how a list is handled under `escape_mode=1`:
```shell
pip list | grep ldap
python3 -c "import ldap.filter; print(ldap.filter.escape_filter_chars(['*'], escape_mode=1))"
```
Vulnerable Code Snippet:
```python
import ldap.filter

user_input = request.get_json()  # could be a list or dict, not only a str
filter_str = "(cn=" + ldap.filter.escape_filter_chars(user_input, escape_mode=1) + ")"
```
How to Exploit:
Crafted payload to bypass authentication:
```python
injection_payload = [")(uid=))(|(uid="]
```
Results in filter: `(cn=)(uid=))(|(uid=)`. This may return all users instead of one.
Protection from this CVE:
Upgrade python-ldap
Input type checking
Use default escape_mode=0
Validate user input
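The input type check and the default (RFC 4515) escaping listed above, as an added example that is not python-ldap's own code: `safe_filter` and `escape_rfc4515` are hypothetical helpers, and the escaping is reimplemented here so the block runs without python-ldap installed.

```python
# Added example (not python-ldap's code): a filter builder that rejects any
# non-str value before escaping, so a list or dict can never be stringified
# into a filter unescaped. Escaping covers the RFC 4515 special characters,
# the same set python-ldap handles in its default escape_mode=0.
from typing import Any, Optional

# Backslash is listed first: it must be replaced before the other
# substitutions introduce new backslashes.
_RFC4515_ESCAPES = (
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
)


def escape_rfc4515(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    if not isinstance(value, str):
        raise TypeError("expected str, got %s" % type(value).__name__)
    for raw, escaped in _RFC4515_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def safe_filter(attr: str, user_value: Any) -> str:
    """Build an equality filter, refusing list/dict (or any non-str) input."""
    # Input type checking: the bug described above is a list or dict reaching
    # the escaper and coming back as str() with nothing escaped, so the type
    # is enforced before any escaping happens.
    if not isinstance(user_value, str):
        raise TypeError("filter value must be str, not %s" % type(user_value).__name__)
    # Attribute names are developer-controlled; keep them to letters, digits, hyphen.
    if not attr or not attr.replace("-", "").isalnum():
        raise ValueError("invalid attribute name: %r" % attr)
    return "(%s=%s)" % (attr, escape_rfc4515(user_value))


def try_safe_filter(attr: str, user_value: Any) -> Optional[str]:
    """Return the filter, or None when the value is rejected (for demos and tests)."""
    try:
        return safe_filter(attr, user_value)
    except (TypeError, ValueError):
        return None


if __name__ == "__main__":
    # Constructed sample inputs: the payload shape from above, as str and as list.
    print(try_safe_filter("cn", ")(uid=))(|(uid="))    # escaped, stays one assertion
    print(try_safe_filter("cn", [")(uid=))(|(uid="]))  # None: list rejected
```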
Impact:
LDAP Data Manipulation
Information Disclosure
Authorization Bypass
Sources:
Reported By: github.com