Windows 2000 LDAP over SSL Password Change Vulnerability

Reported June 25, 2001, by RussCooper and Jon McDonald.

VERSIONS AFFECTED

DESCRIPTION
Avulnerability exists involving a Lightweight Directory Access Protocol (LDAP)function that is available only if the LDAP server has been configured tosupport LDAP over Secure Socket Layer (SSL) sessions. The purpose of thisfunction is to let users change the data attributes of directory principals. Bydesign, the function should check the user's authorizations before completingthe request. However, the function contains an error that manifests itself onlywhen the directory principal is a domain user and the data attribute is thedomain password. In this case, the function fails to check the requester'spermissions, resulting in the possibility that a malicious user can change anyother user’s domain logon password.

By design, any user who can connect to the LDAPserver can also call the function affected, including users who connect throughanonymous sessions. As a result, any user who can establish a connection with anaffected server can exploit the vulnerability.

VENDOR RESPONSE

Thevendor, Microsofthas released security bulletin MS01-036for this vulnerability, and the company recommends that Win2K Server andWin2K AS users immediately apply the patchmentioned in the bulletin. Patches for Win2K Datacenter are hardwarespecific, and are available only through the original equipment manufacturer.

CREDIT
Discovered by JonMcDonald and Russ Cooper.