
[GO]: [CWE-090: LDAP Injection All For One] #464

Closed
1 task done
pupiles opened this issue Oct 29, 2021 · 21 comments
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@pupiles

pupiles commented Oct 29, 2021

Query

Relevant PR: github/codeql-go#596

Report

Constructing LDAP names or search filters directly from tainted data enables attackers to inject specially crafted values that change the initial meaning of the name or filter itself. Successful LDAP injection attacks can read, modify or delete sensitive information from the directory service.

This query identifies cases in which an LDAP query executes user-provided input without it being sanitized first.

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.
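As an added illustration (not code from this issue, from CodeQL or from go-ldap), the following Go snippet shows the concatenation pattern the query flags next to a sanitized version. The escape helper is a standalone re-implementation of the RFC 4515 filter escaping that go-ldap exposes as ldap.EscapeFilter, written out here so the example runs without the library; the crafted username is a constructed sample containing the `*()` metacharacters the thread treats as the sanitizer's concern.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue hex-escapes the bytes RFC 4515 treats specially in a
// filter assertion value: ( ) * \ NUL and non-ASCII. Re-implemented here for
// illustration; in real code call ldap.EscapeFilter from gopkg.in/ldap.v3.
func escapeFilterValue(v string) string {
	const hexDigits = "0123456789abcdef"
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '(' || c == ')' || c == '*' || c == '\\' || c == 0 || c > 0x7f {
			b.WriteByte('\\')
			b.WriteByte(hexDigits[c>>4])
			b.WriteByte(hexDigits[c&0x0f])
			continue
		}
		b.WriteByte(c)
	}
	return b.String()
}

// unsafeUserFilter is the pattern the query flags: tainted input is
// concatenated straight into the filter, so metacharacters keep their meaning.
func unsafeUserFilter(username string) string {
	return "(&(objectClass=person)(uid=" + username + "))"
}

// safeUserFilter routes the tainted value through the escape function,
// the sanitizer step a taint-tracking query should recognize as a barrier.
func safeUserFilter(username string) string {
	return "(&(objectClass=person)(uid=" + escapeFilterValue(username) + "))"
}

// componentCount counts opening parentheses; a filter built from one user
// value should keep the three components of the template, so a different
// count means the value changed the filter's structure.
func componentCount(filter string) int {
	return strings.Count(filter, "(")
}

func main() {
	crafted := "alice)(|(uid=*" // constructed sample with ) ( | * metacharacters
	fmt.Println(unsafeUserFilter(crafted), componentCount(unsafeUserFilter(crafted)))
	fmt.Println(safeUserFilter(crafted), componentCount(safeUserFilter(crafted)))
}
```

The unescaped filter grows from three components to five, which is exactly the structural change the report describes; the escaped one keeps three.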

@pupiles pupiles added the All For One Submissions to the All for One, One for All bounty label Oct 29, 2021
@pupiles pupiles changed the title [USERNAME]: [SUMMARY] [GO]: [CWE-090: LDAP Injection All For One] Oct 29, 2021
@ghsecuritylab
Collaborator

Your submission is now in status Generate Query Results.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

@porcupineyhairs

@pupiles Didn't Ldap.v3 escape all filters by default? Have you tried exploiting the case you link above?

@ghsecuritylab
Collaborator

Your submission is now in status FP Check.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

@pupiles
Author

pupiles commented Oct 29, 2021

@porcupineyhairs I haven't set up the environment and tried the exploitation for the link above yet, but I just tested Ldap.v3 in this repo vuLnDAP by replacing ldap.v2 with ldap.v3, and the exploitation still worked, so ldap.v3 should still be vulnerable.

@pwntester
Contributor

@pupiles please take into account that for the query to be eligible for a bounty, it has to find a CVE (either yours or past one). You can still submit this CVE

@pupiles
Author

pupiles commented Nov 2, 2021

@pwntester CVE-2021-41232

@pwntester
Contributor

@pupiles
Author

pupiles commented Nov 3, 2021

Yes, I think these are the sanitizer functions, because all the dangerous chars such as */() will be blocked.

@pwntester
Contributor

Can you please modify your query to account for it? I see multiple results flowing through the same sanitizer.

@pupiles
Author

pupiles commented Nov 4, 2021

Yeah, I just pushed the commit with some new sanitizers, please check it.

@ghsecuritylab
Collaborator

Your submission is now in status Generate Query Results.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status FP Check.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@ghsecuritylab
Collaborator

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@xcorail
Contributor

xcorail commented Nov 10, 2021

Hey @pupiles could you please provide a public email or send me privately one? Thanks

@pupiles
Author

pupiles commented Nov 11, 2021

Hi @xcorail ,
pupiles86@gmail.com

@xcorail
Contributor

xcorail commented Nov 11, 2021

Created Hackerone report 1397942 for bounty 348986 : [464] [GO]: [CWE-090: LDAP Injection All For One]

@xcorail xcorail closed this as completed Nov 11, 2021
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed


5 participants