SafeBreach publishes PoC exploit for critical Microsoft flaws called LDAPNightmare
Take action: If you are still delaying patching your Windows computers and servers with the December 2024 patch, here's a motivator. A critical flaw that can be automatically exploited just got a public instruction manual for exploitation. It's going to take hackers less than a week before they weaponize it and start attacking. Patch. NOW.
SafeBreach Labs researchers have published a Proof-of-Concept exploit for two critical flaws that affect Windows Server systems through the Lightweight Directory Access Protocol (LDAP) implementation. The exploit is dubbed LDAPNightmare.
The vulnerabilities are tracked as CVE-2024-49112 (CVSS score 9.8) and CVE-2024-49113 (CVSS score 7.5), and were patched in the December 2024 Microsoft update. They allow unauthenticated attackers to potentially execute arbitrary code within the LDAP service context. The proof of concept confirms that the flaws affect not just Domain Controllers but all unpatched Windows Servers, with the only prerequisite being that the victim's DNS server can reach the internet.
The exploit also e
The vulnerability's exploitation mechanism is a seven-step attack chain that ultimately results in crashing the Local Security Authority Subsystem Service (LSASS) process and forcing a server reboot.
Attack Flow Sequence
- Attacker initiates DCE/RPC request to victim server
- Victim server sends a DNS SRV query for a domain (in the PoC it's SafeBreachLabs.pro)
- Attacker's DNS server responds with attacker's hostname and LDAP port
- Victim broadcasts NBNS request for attacker's hostname IP
- Attacker responds with NBNS containing their IP address
- Victim initiates LDAP client connection and sends CLDAP request
- Attacker sends specifically crafted CLDAP referral response causing LSASS crash
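As an added defender-side example (not SafeBreach's PoC and not code from this article), the following Python correlates the observable stages of the chain above from a server's network events: an inbound DCE/RPC request from outside, an outbound DNS SRV query for an _ldap._tcp name that is not the corporate domain, an NBNS broadcast, and an outbound CLDAP exchange with an external peer. The event schema, internal address ranges, corporate domain and sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumed corporate ranges
CORP_DOMAIN = "corp.example"  # assumed domain; legitimate DC lookups end with it
STAGES = ["rpc", "dns_srv", "nbns", "cldap"]  # order of the attack-flow stages


@dataclass
class Event:  # constructed schema, not any product's log format
    ts: float
    host: str        # the server that sent or received the packet
    direction: str   # "in" or "out"
    proto: str       # one of STAGES
    peer: str        # remote IP, "" for a broadcast
    detail: str = ""  # queried name, NetBIOS name, CLDAP note


def is_external(ip: str) -> bool:
    return bool(ip) and not any(ip_address(ip) in n for n in INTERNAL)


def stage_matches(stage: str, e: Event) -> bool:
    if e.proto != stage or e.direction != "out":
        return False
    if stage == "dns_srv":  # SRV lookup for LDAP in a domain we do not own
        return e.detail.startswith("_ldap._tcp.") and not e.detail.endswith(CORP_DOMAIN)
    if stage == "cldap":    # CLDAP with a peer outside the estate
        return is_external(e.peer)
    return True             # nbns: any outbound broadcast in the window


def ldapnightmare_chain(events, window=30.0):
    """Return (host, [events]) for every host showing all four stages in order within `window` seconds."""
    hits, by_host = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not (start.proto == "rpc" and start.direction == "in" and is_external(start.peer)):
                continue
            chain, want = [start], 1
            for e in evs[i + 1:]:
                if e.ts - start.ts > window:
                    break
                if stage_matches(STAGES[want], e):
                    chain.append(e)
                    want += 1
                    if want == len(STAGES):
                        hits.append((host, chain))
                        break
    return hits


SAMPLE = [  # constructed traffic; 203.0.113.0/24 is a documentation range
    Event(0.0, "srv01", "in", "rpc", "203.0.113.7"),
    Event(0.4, "srv01", "out", "dns_srv", "10.0.0.53", "_ldap._tcp.attacker-domain.test"),
    Event(1.1, "srv01", "out", "nbns", "", "ATTACKERHOST"),
    Event(1.6, "srv01", "out", "cldap", "203.0.113.7", "referral response"),
    Event(5.0, "dc02", "out", "dns_srv", "10.0.0.53", "_ldap._tcp.corp.example"),  # benign DC lookup
    Event(5.2, "dc02", "out", "cldap", "10.0.0.12", "netlogon ping"),             # benign DC-to-DC
]
```

Running `ldapnightmare_chain(SAMPLE)` flags srv01 only; the dc02 events are ordinary domain-controller behaviour and are not reported.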
Testing conducted by SafeBreach Labs has confirmed the vulnerability's presence in multiple Windows Server versions, including Windows Server 2022 (DC) and Windows Server 2019 (non-DC). Successful exploitation could potentially lead to complete system compromise and provide attackers with a significant foothold in enterprise networks.
The research team has developed a proof-of-concept exploit that organizations can use to test their systems' vulnerability, though this should only be done in controlled, isolated environments. The exploit demonstrates that unpatched systems can be compromised through a zero-click attack vector, meaning no user interaction on the server is required for it to be compromised.
Organizations are strongly advised to implement Microsoft's security patch immediately.