LDAP Account Manager bug presents unauthenticated remote code execution threat

During an internal penetration test, an unauthenticated arbitrary object instantiation vulnerability was discovered in LDAP Account Manager (LAM).

LAM is a PHP web app for managing entries such as users, groups or DHCP settings in LDAP directories. It is also one of the alternatives to FreeIPA, and it is included in the Debian repositories.

However, a flaw discovered by Arseniy Sharoglazov could enable an attacker to instantiate arbitrary objects and achieve remote code execution (RCE) in a single request, without any out-of-band connections.

Construction under construction

The technique relies on the PHP construction new $a($b), where $a is a variable holding the name of the class to instantiate and $b is a variable holding the first argument passed to that class's constructor. When an attacker controls both, they choose which class is built and what its constructor receives.

You can use either good or poor programming practices when you code in any programming language. Sharoglazov told The Daily Swig that the use of the construction new $a($b), which instantiates arbitrary objects, is bad programming practice if $a or $b is not controlled input.

“It’s a dangerous construction. It’s not that it isn’t dangerous, but no one has shown it to be, so people believe that everything should be fine.”

The technique does require the Imagick PHP extension. However, he said that this extension is often present in larger web applications, LAM among them.
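To make the construction described above concrete, here is an added example (not LAM's code and not Sharoglazov's proof of concept) showing the dangerous new $a($b) pattern next to a hardened replacement. The function names, the two exporter classes and the request shape are hypothetical; only the observation that Imagick and SoapClient constructors act on attacker-chosen input comes from the article.

```php
<?php
// Added example, not code from LAM or from the researcher. Function and class
// names below are made up for illustration.

// VULNERABLE: class name and first constructor argument both come straight
// from the request. With the Imagick extension loaded, an attacker can pick
// "Imagick" and hand its constructor an attacker-chosen path or URL; with the
// SOAP extension loaded, "SoapClient" with an attacker-chosen WSDL URL makes
// the server fetch it (the SSRF shape the article mentions).
function buildFromRequest(array $request): object
{
    $a = $request['type'];   // attacker-controlled class name
    $b = $request['arg'];    // attacker-controlled constructor argument
    return new $a($b);       // arbitrary object instantiation
}

// Hypothetical classes the application actually intends to build.
final class CsvExporter
{
    public function __construct(public string $delimiter) {}
}

final class JsonExporter
{
    public function __construct(public bool $pretty) {}
}

// HARDENED: map a short request token to a fixed class, and build each class
// explicitly with per-class argument validation. Raw input never reaches a
// constructor unchecked, and no class outside the map can ever be named.
// Note that class_exists($a) is NOT a fix: Imagick and SoapClient exist too.
function buildFromRequestSafe(array $request): object
{
    $type = (string)($request['type'] ?? '');
    $arg  = (string)($request['arg'] ?? '');

    switch ($type) {
        case 'csv':
            // Only a handful of delimiters are meaningful; reject the rest.
            if (!in_array($arg, [',', ';', "\t"], true)) {
                throw new InvalidArgumentException('invalid csv delimiter');
            }
            return new CsvExporter($arg);
        case 'json':
            // Coerce to a boolean; the constructor never sees a raw string.
            return new JsonExporter($arg === '1');
        default:
            throw new InvalidArgumentException('unknown exporter type');
    }
}

// Quick demonstration when run from the command line.
if (PHP_SAPI === 'cli') {
    // Constructed request: an attacker naming a built-in class.
    $hostile = ['type' => 'Imagick', 'arg' => '/tmp/attacker-controlled'];
    try {
        buildFromRequestSafe($hostile);
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
    $ok = buildFromRequestSafe(['type' => 'csv', 'arg' => ';']);
    echo get_class($ok), " with delimiter '", $ok->delimiter, "'\n";
}
```

The point of the hardened version is that the fix is not "check that the class exists" or "filter a few bad names", but never letting request data select a class or flow into a constructor that the application has not reasoned about individually.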

Sharoglazov says that similar arbitrary object instantiation vulnerabilities have existed for a long time, but are rarely reported as such.

“You might see an SSRF in commercial software. If you were to look at the PoC, you would know that it is an arbitrary object instantiation using the SoapClient class. But for the general public it will only ever be SSRF,” he says.

“Or you might read about an SQL injection. It’s an arbitrary object instantiation that is exploited using a user-defined type with an SQL injection. This is why I discovered and described the technique to exploit an arbitrary object instantiation directly to RCE.”

Coordinated disclosure

Sharoglazov says that the disclosure process was smooth and efficient. He first reported the flaw on 16 June. LAM 8.0.1 was released on 29 June, Debian packages were updated on 5 July and public disclosure took place on 14 July.

He says: “I wrote to Roland Gruber, the creator of LAM, and received an initial reply within one hour.”

“We talked about the vulnerability and about hardening that would make LAM more secure. Then we did a joint disclosure with him and Debian.”
