PoC exploit released for Windows zero-click vulnerability CVE-2024-49112

A Proof-of-Concept (PoC) exploit has been made available for the zero-click vulnerability, identified as CVE-2024-49112, affecting Windows systems.

1/2/2025 · 2 min read

SafeBreach Labs uncovers "LDAP Nightmare," a critical zero-click vulnerability (CVE-2024-49112) in Windows LDAP. This flaw, with a CVSS score of 9.8, poses a significant threat to enterprise networks. The researchers demonstrated how this vulnerability could crash Windows Servers, including crucial Active Directory Domain Controllers (DCs).

Disclosed on December 10, 2024, during Microsoft's Patch Tuesday, CVE-2024-49112 is an RCE vulnerability within LDAP, a core component of Microsoft's Active Directory responsible for directory services communication. As the SafeBreach Labs team highlighted, compromising DCs can severely impact network security.

While Microsoft acknowledged the risk, details on exploiting the vulnerability were limited until SafeBreach's in-depth analysis. The researchers emphasized their commitment to helping enterprises address this critical issue, stating, "We decided as a team to prioritize it and are proud of the findings we have identified that will help enterprises address any potential exposures."

SafeBreach developed a proof-of-concept (PoC) exploit demonstrating the CVE-2024-49112 vulnerability’s impact. Their findings show that the exploit:

  • Requires no authentication or prerequisites, aside from Internet connectivity for the DNS server.

  • Can crash unpatched Windows Servers by triggering an LSASS (Local Security Authority Subsystem Service) crash via LDAP queries.

The exploitation process involves:

  1. Sending a DCE/RPC request to the victim server.

  2. Triggering a DNS SRV query about a domain controlled by the attacker.

  3. Manipulating NetBIOS and CLDAP responses to redirect the victim to the attacker’s LDAP server.

  4. Using a crafted LDAP referral response to crash the victim’s LSASS and force a reboot.

SafeBreach highlighted the technical detail in their findings: “The condition checks whether the ‘lm_referral’ value is inside the range of the ‘referral table’. In the vulnerable version without the patch, this ‘lm_referral’ value is indeed used to access a certain offset inside the referral table.”

This vulnerability impacts all unpatched Windows Server versions between 2019 and 2022. Successful exploitation carries severe consequences, potentially allowing attackers to completely compromise domain resources or cause disruptions to critical infrastructure.

To mitigate the risk, organizations should:

  • Apply Microsoft’s patch immediately. SafeBreach verified that the patch effectively prevents exploitation.

  • Monitor for suspicious activity, such as anomalous CLDAP referral responses, DsrGetDcNameEx2 calls, or DNS SRV queries.
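One way to operationalize the second recommendation is to watch for the DNS SRV lookups the exploit chain relies on: a domain controller resolving an LDAP locator record (`_ldap._tcp...`) for a domain outside the organization's own forest. The script below is an added example, not SafeBreach's code or Microsoft's tooling; the log line format, the host names and the domain lists are constructed for illustration and would need to be adapted to a real DNS logging pipeline.

```python
import re

# Constructed sample DNS query log (hypothetical format: "<timestamp> <client> <qtype> <qname>").
# The third line models a DC being induced to look up an attacker-controlled domain.
SAMPLE_DNS_LOG = """\
2025-01-02T10:00:01Z dc01 SRV _ldap._tcp.dc._msdcs.corp.example.local
2025-01-02T10:00:05Z dc01 A fileserver.corp.example.local
2025-01-02T10:00:09Z dc01 SRV _ldap._tcp.dc._msdcs.attacker-controlled.example
2025-01-02T10:00:12Z ws42 SRV _kerberos._tcp.corp.example.local
"""

# Assumed inventory: domains that belong to the organization's forest/trusts,
# and the host names of its domain controllers.
TRUSTED_DOMAINS = {"corp.example.local"}
DOMAIN_CONTROLLERS = {"dc01"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def is_trusted(qname, trusted_domains):
    """True if qname is, or is a subdomain of, one of the trusted domains."""
    qname = qname.rstrip(".").lower()
    for domain in trusted_domains:
        domain = domain.rstrip(".").lower()
        if qname == domain or qname.endswith("." + domain):
            return True
    return False


def find_suspicious_srv_queries(log_text, trusted_domains, domain_controllers):
    """Return (timestamp, client, qname) for LDAP SRV lookups that a domain
    controller made for a domain outside the trusted set."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["qtype"].upper() != "SRV":
            continue
        if m["client"].lower() not in {h.lower() for h in domain_controllers}:
            continue  # only DCs are the targets of the described crash
        qname = m["qname"].rstrip(".").lower()
        if qname.startswith("_ldap._tcp") and not is_trusted(qname, trusted_domains):
            hits.append((m["ts"], m["client"], qname))
    return hits


if __name__ == "__main__":
    for ts, client, qname in find_suspicious_srv_queries(SAMPLE_DNS_LOG, TRUSTED_DOMAINS, DOMAIN_CONTROLLERS):
        print(f"ALERT {ts} {client} resolved untrusted LDAP locator {qname}")
```

Alerts of this kind should be correlated with the DsrGetDcNameEx2 RPC calls and CLDAP referral responses the article lists, since a single external SRV lookup on its own can also have benign causes such as a misconfigured trust.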

SafeBreach released a proof-of-concept script that tests whether a Windows Server is vulnerable to CVE-2024-49112, available on their GitHub repository.

https://github.com/SafeBreach-Labs/CVE-2024-49113

Stay Safe! Stay Secure!

Check out our VAPT services: https://www.vaptern.com/services