Escape LDAP query strings
zeroSteiner committed Jun 18, 2024
1 parent 5992dce commit 28f05f0
Showing 3 changed files with 22 additions and 3 deletions.
9 changes: 9 additions & 0 deletions lib/msf/core/exploit/remote/ldap.rb
Expand Up @@ -309,5 +309,14 @@ def validate_query_result!(query_result, filter=nil)
end
end
end

# Return a string suitable for placement in an LDAP filter
# e.g. (certificateTemplates=#{ldap_escape_string(name)})
#
# @param string String The string to escape.
# @return The escaped string.
def ldap_escape_string(string)
string.gsub(/[\\*()]/) { |char| '\\' + char.ord.to_s(16) }
end
end
end
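Review bot: ldap_escape_string leaves NUL (0x00) unescaped, although RFC 4515 lists it together with `\`, `*`, `(` and `)` as the octets a filter value must encode, and `char.ord.to_s(16)` would emit a single hex digit for any code point below 0x10, so adding NUL to the class also needs a fixed two-digit format: `string.gsub(/[\\*()\x00]/) { |char| format('\\%02x', char.ord) }`. The doc comment's `@param string String` is not the YARD form; `# @param string [String] The string to escape.` and `# @return [String] The escaped string.` would let the types be picked up. The hunk's leading context lines close validate_query_result!, whose body starts outside the hunk.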
6 changes: 3 additions & 3 deletions modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb
Expand Up @@ -178,7 +178,7 @@ def query_ldap_server_certificates(esc_raw_filter, esc_name)
def convert_sids_to_human_readable_name(sids_array)
output = []
for sid in sids_array
raw_filter = "(objectSID=#{sid})"
raw_filter = "(objectSID=#{ldap_escape_string(sid.to_s)})"
attributes = ['sAMAccountName', 'name']
base_prefix = 'CN=Configuration'
sid_entry = query_ldap_server(raw_filter, attributes, base_prefix: base_prefix) # First try with prefix to find entries that may be group specific.
Expand Down Expand Up @@ -344,7 +344,7 @@ def find_enrollable_vuln_certificate_templates
# have permissions to enroll in certificates on each server.

@vuln_certificate_details.each_key do |certificate_template|
certificate_enrollment_raw_filter = "(&(objectClass=pKIEnrollmentService)(certificateTemplates=#{certificate_template}))"
certificate_enrollment_raw_filter = "(&(objectClass=pKIEnrollmentService)(certificateTemplates=#{ldap_escape_string(certificate_template.to_s)}))"
attributes = ['cn', 'dnsHostname', 'ntsecuritydescriptor']
base_prefix = 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
enrollment_ca_data = query_ldap_server(certificate_enrollment_raw_filter, attributes, base_prefix: base_prefix)
Expand Down Expand Up @@ -418,7 +418,7 @@ def get_pki_object_by_oid(oid)

if pki_object.nil?
pki_object = query_ldap_server(
"(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=#{oid}))",
"(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=#{ldap_escape_string(oid.to_s)}))",
nil,
base_prefix: 'CN=OID,CN=Public Key Services,CN=Services,CN=Configuration'
)&.first
10 changes: 10 additions & 0 deletions spec/lib/msf/core/exploit/remote/ldap_spec.rb
Expand Up @@ -90,6 +90,16 @@
end
end

describe '#ldap_escape_string' do
let(:string) do
'John Doe (Developer) *'
end

it do
expect(subject.ldap_escape_string(string)).to eq("John Doe \\28Developer\\29 \\2a")
end
end

describe '#resolve_connect_opts' do
let(:cred) do
'I am a cred'
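Review bot: The new example never feeds a backslash through ldap_escape_string, so the one character whose handling a regression would most plausibly break (double-escaping, or dropping the `\\` branch of the regex) is unchecked. A second example such as `expect(subject.ldap_escape_string('a\\b')).to eq('a\\5cb')` would pin it. Giving the example a description, e.g. `it 'escapes the RFC 4515 special characters' do`, would also make a failure readable in the runner output. The describe block is complete within the hunk; the surrounding spec continues outside it.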
