PoC Released for Critical Windows LDAP Zero-Click RCE

A newly disclosed proof-of-concept (PoC) exploit has brought attention to a critical vulnerability in Windows Lightweight Directory Access Protocol (LDAP), designated as CVE-2024-49112.

First addressed by Microsoft on December 10, 2024, as part of its monthly Patch Tuesday updates, this vulnerability has been assigned a critical CVSS score of 9.8, underlining the serious threat it poses to enterprise environments.

CVE-2024-49112, a remote code execution (RCE) flaw, primarily impacts Windows servers, including Domain Controllers (DCs). These servers play an essential role in managing network authentication and user access.

This vulnerability could enable attackers to disrupt unpatched servers by causing crashes or running arbitrary code within the LDAP service, potentially leading to full domain compromise.

The issue arises from an integer overflow in the LDAP-related code. By sending specifically crafted RPC requests, an unauthenticated attacker can initiate malicious LDAP queries. If exploited, this flaw could result in server instability or be leveraged to achieve remote code execution (RCE).

Proof-of-Concept Released for CVE-2024-49112

SafeBreach Labs has unveiled a zero-click proof-of-concept (PoC) exploit, named "LDAPNightmare," to highlight the severity of CVE-2024-49112. This exploit demonstrates how unpatched Windows servers can be crashed using the following attack sequence:

  1. The attacker initiates the process by sending a DCE/RPC request to the targeted server.
  2. The target server queries the attacker's DNS server for additional details.
  3. In response, the attacker provides a hostname and LDAP port.
  4. The victim server then broadcasts an NBNS request to resolve the attacker’s hostname.
  5. The attacker replies with their IP address.
  6. The victim server, now acting as an LDAP client, sends a CLDAP request to the attacker's machine.
  7. The attacker delivers a malicious referral response, triggering a crash in the LSASS (Local Security Authority Subsystem Service) and forcing the server to reboot.

This attack flow highlights the risk posed by the vulnerability.

Figure: Attack Flow LDAP

All unpatched versions of Windows Server, including 2019 and 2022, are exposed to this vulnerability. Threat actors such as ransomware groups could exploit it to seize control of domain environments, putting those environments at significant risk.

Actions for Organisations

1. Apply Microsoft's December 2024 update immediately.
2. Until the update is fully applied, monitor for unusual activity involving DNS SRV queries, CLDAP referral responses, and DsrGetDcNameEx2 calls.
3. Use SafeBreach's proof-of-concept tool, available on GitHub, to assess your systems.
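The attack sequence above and the monitoring advice in step 2 describe the same observable chain: a domain controller receives an inbound RPC, then issues a DNS SRV query, an NBNS broadcast and finally a CLDAP request to a host outside its own network. The following is an added detection sketch, not code from this article or from SafeBreach; the log format, field names, network ranges and addresses are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real logs): "<utc ts> <dc name> <event kind> <peer>".
SAMPLE_LOG = """\
2024-12-26T10:00:00Z dc01 rpc 203.0.113.5
2024-12-26T10:00:01Z dc01 dns_srv _ldap._tcp.attacker.example
2024-12-26T10:00:02Z dc01 nbns ATTACKERHOST
2024-12-26T10:00:03Z dc01 cldap 203.0.113.5
2024-12-26T10:00:04Z dc01 lsass_crash -
2024-12-26T11:00:00Z dc02 dns_srv _ldap._tcp.corp.example
2024-12-26T11:00:01Z dc02 cldap 10.0.0.12
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
# Stages of the attack flow in the order the article lists them.
STAGES = ["rpc", "dns_srv", "nbns", "cldap", "lsass_crash"]

def parse(log):
    events = []
    for line in log.splitlines():
        ts, host, kind, peer = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, peer))
    return sorted(events)

def is_external(peer):
    try:
        ip = ip_address(peer)
    except ValueError:
        return False  # only literal IPs are judged; names are resolved elsewhere
    return not any(ip in net for net in INTERNAL_NETS)

def find_suspicious_chains(log, window=timedelta(seconds=30)):
    """Flag each DC that answers an inbound RPC and, within `window`, acts as a
    CLDAP client toward an external IP. Returns {host: [stages seen in order]}."""
    findings = {}
    events = parse(log)
    for i, (ts, host, kind, peer) in enumerate(events):
        if kind != "rpc":
            continue
        seen = ["rpc"]
        for ts2, host2, kind2, peer2 in events[i + 1:]:
            if host2 != host or ts2 - ts > window:
                continue
            if kind2 == "cldap" and not is_external(peer2):
                continue  # CLDAP to an internal DC is normal locator traffic
            if kind2 in STAGES and kind2 not in seen:
                seen.append(kind2)
        if "cldap" in seen:  # the DC became an LDAP client to an outside host
            findings[host] = seen
    return findings
```

Run against SAMPLE_LOG, only dc01 is flagged with all five stages; dc02's CLDAP request to an internal address produces no finding.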

The availability of this PoC emphasises the critical need to address CVE-2024-49112 promptly. SafeBreach's findings shed light on the severity of the vulnerability, give organisations a way to evaluate their own exposure, and underline the importance of patching.
