I have been tasked with investigating some possible security holes in an application. One that I have come across is that when the system is configured to use LDAP it takes the unencoded username and password, creates a NetworkCredential (System.Net) object and then passes that to an LdapConnection (System.DirectoryServices.Protocols).

If the username and/or password is left unencoded this would obviously be a security hole for an injection-based attack, so my query is: do the .NET classes handle this behind the scenes, or do I need to deal with it before it reaches them?

ReiMasuro
  • Read this: https://msdn.microsoft.com/en-us/library/system.directoryservices.authenticationtypes.aspx – JuanR Nov 29 '16 at 15:14
  • Interesting reading, but doesn't appear to be relevant to my question as it talks about authentication rather than encoding. Thanks anyway. – ReiMasuro Nov 29 '16 at 15:20
  • You mentioned the NetworkCredentials object. That IS authentication. The link I sent you essentially tells you how to configure the options so you can encrypt the credentials. – JuanR Nov 29 '16 at 15:24
  • True, but encrypting won't help against someone entering an injection attack in the username field, encoding to escape control characters will. None of the flags in that article deal with that unfortunately and I don't know if the classes deal with it by default or not. – ReiMasuro Nov 29 '16 at 15:29
  • I see what you mean. Well, you can always try it and see what happens. Here is another link that, although a bit old, may point you in the right direction: https://blogs.msdn.microsoft.com/securitytools/2009/08/10/ldap-injection-and-mitigation/ – JuanR Nov 29 '16 at 15:44

1 Answer

No, if you trace through the source code for System.DirectoryServices.Protocols, you'll find that it does not do any LDAP encoding. If you are operating on user input, you will need to escape the proper DN or query strings yourself.

For other answers on escaping LDAP input, see "Escaping non-special characters in string for LDAP query".

iinuwa
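The following is an added example, not code from the question or the answer above, showing the escaping the answer says you must do yourself. It implements RFC 4515 filter-value escaping and RFC 4514 DN-value escaping, contrasts the concatenated filter from the question with its escaped form, and then uses the escaped filter in a SearchRequest over an LdapConnection. The server name, base DN, service-account name and password are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example: escaping user input before it reaches LdapConnection.
// System.DirectoryServices.Protocols does not escape anything for you.
static class LdapEscaping
{
    // RFC 4515: inside a filter value, '*', '(', ')', '\' and NUL must be written
    // as backslash + two hex digits. Working on UTF-8 bytes also covers non-ASCII
    // and control characters (e.g. "é" becomes "\c3\a9").
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            switch (b)
            {
                case (byte)'\\': sb.Append(@"\5c"); break;
                case (byte)'*':  sb.Append(@"\2a"); break;
                case (byte)'(':  sb.Append(@"\28"); break;
                case (byte)')':  sb.Append(@"\29"); break;
                default:
                    if (b < 0x20 || b > 0x7e) sb.Append('\\').Append(b.ToString("x2"));
                    else sb.Append((char)b);
                    break;
            }
        }
        return sb.ToString();
    }

    // RFC 4514: inside an attribute value of a DN, the characters , + " \ < > ;
    // are backslash-escaped, as is a leading space or '#', a trailing space, and NUL.
    public static string EscapeDnValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool leading = i == 0 && (c == ' ' || c == '#');
            bool trailing = i == value.Length - 1 && c == ' ';
            switch (c)
            {
                case ',': case '+': case '"': case '\\': case '<': case '>': case ';':
                    sb.Append('\\').Append(c); break;
                case '\0':
                    sb.Append(@"\00"); break;
                default:
                    if (leading || trailing) sb.Append('\\');
                    sb.Append(c);
                    break;
            }
        }
        return sb.ToString();
    }

    // Vulnerable: raw concatenation, as described in the question.
    public static string UnsafeUserFilter(string username) =>
        "(&(objectClass=user)(sAMAccountName=" + username + "))";

    // Hardened: same filter, value escaped.
    public static string SafeUserFilter(string username) =>
        "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(username) + "))";

    // Hardened DN construction, e.g. for a bind DN or a lookup by CN.
    public static string UserDn(string cn, string baseDn) =>
        "CN=" + EscapeDnValue(cn) + "," + baseDn;

    // Searches with the escaped filter using a dedicated lookup account
    // (placeholder host, domain, account and password; needs a reachable server).
    public static int CountMatchingUsers(string username)
    {
        using (var conn = new LdapConnection("ldap.example.invalid"))
        {
            conn.AuthType = AuthType.Negotiate;
            conn.Credential = new NetworkCredential("svc-lookup", "service-account-password", "EXAMPLE");
            var request = new SearchRequest("DC=example,DC=invalid", SafeUserFilter(username),
                                            SearchScope.Subtree, "distinguishedName");
            var response = (SearchResponse)conn.SendRequest(request);
            return response.Entries.Count;
        }
    }

    static void Main()
    {
        // Constructed attacker input: closes the sAMAccountName clause and adds a wildcard one.
        string attackerInput = "*)(sAMAccountName=*";
        Console.WriteLine(UnsafeUserFilter(attackerInput));
        // (&(objectClass=user)(sAMAccountName=*)(sAMAccountName=*))   -> matches every user
        Console.WriteLine(SafeUserFilter(attackerInput));
        // (&(objectClass=user)(sAMAccountName=\2a\29\28sAMAccountName=\2a))   -> literal, matches nothing
        Console.WriteLine(UserDn("Smith, John #1", "OU=Users,DC=example,DC=invalid"));
        // CN=Smith\, John #1,OU=Users,DC=example,DC=invalid
    }
}
```

Two caveats that the page's own discussion touches on only indirectly: filter escaping and DN escaping are different rules, so use the one matching where the string ends up (a SearchRequest filter versus a bind or search base DN), and if the application binds with AuthType.Basic using a DN built from the user's input, that DN needs the RFC 4514 escaping too. Separately from injection, do not pass a user-supplied password straight to a simple bind without first rejecting an empty one: per RFC 4513 many servers treat a DN with an empty password as an unauthenticated bind and report success.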