Function Exposed via LDAP over SSL Could Enable Passwords to be Changed New

A security vulnerability exists in Windows 2000 when the LDAP server has been configured to support secure LDAP over SSL.

Issue

This vulnerability involves an LDAP function that is only available if the LDAP server has been configured to support LDAP over SSL sessions, and whose purpose is to allow users to change the data attributes of directory principals. By design, the function should check the authorizations of the user before completing the request; however, it contains an error that manifests itself only when the directory principal is a domain user and the data attribute is the domain password -- when this is the case, the function fails to check the permissions of the requester, with the result that it could be possible for a user to change any other user’s domain login password.

An attacker could change another user’s password for either of two purposes: to cause a denial of service by preventing the other user from logging on, or in order to log into the user’s account and gain any privileges the user had. Clearly, the most serious case would be one in which the attacker changed a domain administrator’s password and logged into the administrator’s account.

By design, the function affected can be called by any user who can connect to the LDAP server, including users who connect via anonymous sessions. As a result, any user who could establish a connection with an affected server could exploit the vulnerability.

Affected Products

• Microsoft Windows 2000

Download

Patch: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31065

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: July 9, 2001

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<