KACE LDAP Bind Credential Exposure

The (known) affected software version is 9.0.146 of both the KACE Systems Deployment and Remote Site appliances.

When I’m working on any pentest and gain access to the admin console of any web application through default credentials, I always check for LDAP (typically Active Directory) authentication settings. You’ll usually find this on internal pentests. If you find LDAP auth configured, check to see if you can change the LDAP server to your IP or hostname, then click “Test” without saving the change. If you have nc running nc -nlvp 389 and are successful in changing the setting, you may capture the LDAP credentials in cleartext. This is known as a ‘passback attack’. I’ve found this a few times in web applications and very frequently the system administrator has used a privileged Active Directory account (Domain Admins) and you gain those credentials. I’ve even seen this from a Xerox printer that was exposed to the Internet and my coworker abused it to gain Domain Admin on an external pentest.

An authenticated user may edit the LDAP service configuration user authentication settings and change the server host name or IP address to an attacker-controlled system, click the “Test Settings” button, and capture the plaintext credentials. The captured credentials may provide a malicious actor with a higher privilege level on the Active Directory domain. This is relevant to CWE-306: Missing Authentication for Critical Function.

It’s also important to note that these applicances ship with default credentials which could allow an unauthorized user to gain access to LDAP (Active Directory) credentials. It could also allow an authorized user of the KACE system to gain access to an account with a higher privilege level. Unfortunately, system administrators often use over-privileged Active Directory accounts such as those belonging to the “Domain Admins” group far too often in my experience. This has allowed me to capture Domain Admin credentials on a few occasions.

To remediate the vulnerability, the appliance should require that the LDAP bind credential password is reentered when altering the LDAP authentication configuration.

A malicious actor can change the server hostname or IP address and LDAP port number and click the ‘Test Settings’ button, without being prompted to verify the currently configured credentials:

On the attacker system the credentials are captured in plaintext:

KACE was notified of the vulnerability on 12/14/2022 and assigned case number 01963520. While KACE has stated that they plan to remediate the vulnerability in an upcoming release, it has not been fixed as of the time this article was published.

Update 5/21/2023: MITRE assigned CVE-2023-33254 to this vulnerability.

Written on May 8, 2023