Posts Tagged ‘Ldap’

[DefCon32] MaLDAPtive: Obfuscation and De-Obfuscation

Directory services, foundational to enterprise security, harbor overlooked evasion potentials. Daniel Bohannon and Sabajete Elezaj unveil MaLDAPtive, a framework born from exhaustive LDAP research. Daniel, a principal threat researcher at Permiso Security, and Sabajete, a senior cyber security engineer at Solaris SE, dissect obfuscation techniques across LDAP elements, empowering both attackers and defenders.

Their journey traces Active Directory’s evolution since 2000, intertwined with LDAP’s protocol roots from the 1980s. Tools like BloodHound amplified LDAP’s offensive utility, yet detection lags, often signature-bound in costly solutions.

MaLDAPtive, a 2,000-hour endeavor, features a custom tokenizer and parser, enabling unprecedented obfuscation and de-obfuscation. They categorize techniques: distinguished name manipulations via encodings, attribute tricks with wildcards, and filter obfuscations leveraging operators.

Historical Context and LDAP Components

Daniel recounts LDAP’s standardization in 1993, with Active Directory adopting it in 2000. A query comprises a base, a scope and a filter, each of which is ripe for evasion.

Distinguished names (DNs) encode via UTF-8, hex, or escapes, bloating logs. Attributes exploit aliases like “cn” for “name,” while filters layer parentheses and negations.

Their parser tokenizes queries, revealing incompatibilities undocumented elsewhere.

Advanced Obfuscation Techniques

Sabajete details filter intricacies: extensible matches with OIDs, reversing attributes for efficiency. They uncover zero-padding in OIDs, undocumented wildcards in values.

Tool-generated examples expose anomalies, like hex encoding bans in certain filters. MaLDAPtive automates these, generating evasive queries while preserving semantics.

Defensively, de-obfuscation normalizes queries, aiding detection. They critique static signatures, advocating behavioral analytics.

Detection and Framework Release

MaLDAPtive’s detection module identifies anomalies via token analysis, flagging excessive nesting or encodings.

Demonstrations showcase obfuscated queries evading simplistic tools, yet normalized by their framework.

Releasing openly, they equip communities to fortify defenses, transforming LDAP from lightweight to robustly secured.

Their work bridges offensive ingenuity with defensive resilience, urging deeper protocol scrutiny.
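As an added example (not MaLDAPtive’s code, whose parser is far more complete), the following Python normalizer applies the de-obfuscation and token-analysis ideas described above to a single RFC 4515 filter: it decodes hex escapes, strips zero padding from OID attribute names and maps a few standard OIDs back to their names, collapses single-child and/or and double negation, and flags counters that exceed illustrative thresholds. The OID table, the threshold values and the flag names are assumptions.

```python
import re

OID_ALIASES = {"2.5.4.3": "cn", "2.5.4.0": "objectclass",       # illustrative table of standard
               "1.2.840.113556.1.4.221": "samaccountname"}        # X.500/AD OIDs, not MaLDAPtive's
HEX_RUN = re.compile(r"(?:\\[0-9a-fA-F]{2})+")                    # run of RFC 4515 \XX escapes
ITEM = re.compile(r"([^=~<>]+)(~=|>=|<=|=)(.*)", re.S)             # attr, filtertype, value

class FilterNormalizer:
    def __init__(self, filt):
        self.stats = dict(max_depth=0, hex_escapes=0, oid_attrs=0, redundant_nodes=0)
        self.s, self.i = filt.strip(), 0
    def _expect(self, ch):
        if self.s[self.i:self.i + 1] != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.i))
        self.i += 1
    def parse(self, depth=1):
        self.stats["max_depth"] = max(self.stats["max_depth"], depth)
        self._expect("(")
        c = self.s[self.i:self.i + 1]
        if c in ("&", "|", "!"):                     # lenient: '!' operand count is not checked
            self.i += 1
            kids = []
            while self.s[self.i:self.i + 1] == "(":
                kids.append(self.parse(depth + 1))
            self._expect(")")
            if c == "!" and len(kids) == 1 and kids[0].startswith("(!"):
                self.stats["redundant_nodes"] += 1   # (!(!(x))) is just x
                return kids[0][2:-1]
            if c != "!" and len(kids) == 1:
                self.stats["redundant_nodes"] += 1   # (&(x)) or (|(x)) is just x
                return kids[0]
            return "(%s%s)" % (c, "".join(kids))
        end = self.s.find(")", self.i)               # a literal ')' in a value must be \29
        m = ITEM.match(self.s[self.i:end]) if end != -1 else None
        if not m:
            raise ValueError("malformed item at offset %d" % self.i)
        self.i = end + 1
        return "(%s%s%s)" % (self._attr(m.group(1)), m.group(2), self._value(m.group(3)))
    def _attr(self, attr):
        a = attr.strip().lower()                     # attribute names are case-insensitive
        if re.fullmatch(r"\d+(\.\d+)+", a):          # numeric OID written instead of a name
            self.stats["oid_attrs"] += 1
            a = ".".join(str(int(arc)) for arc in a.split("."))   # strip zero padding
            a = OID_ALIASES.get(a, a)
        return a
    def _value(self, val):
        def decode(m):                               # \XX run -> UTF-8 text; specials stay escaped
            text = bytes.fromhex(m.group(0).replace("\\", "")).decode("utf-8", "replace")
            self.stats["hex_escapes"] += len(m.group(0)) // 3
            return "".join("\\%02x" % ord(ch) if ch in "()*\\\x00" else ch for ch in text)
        return HEX_RUN.sub(decode, val)

def analyze(filt, depth_limit=4, escape_limit=6):
    n = FilterNormalizer(filt)
    canonical = n.parse()
    if n.i != len(n.s):
        raise ValueError("trailing data at offset %d" % n.i)
    limits = {"max_depth": depth_limit, "hex_escapes": escape_limit, "redundant_nodes": 0}
    flags = [k for k, lim in limits.items() if n.stats[k] > lim]   # counters a detector would alert on
    return canonical, n.stats, flags
```

Two filters that differ only in obfuscation normalize to the same canonical string, so the canonical form is what a behavioural detection should key on, while the counters describe how the query was dressed up.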

Delete changelog.data?

This morning I tried to save some space on my computer. I found a file, changelog.data, in the folder <domain>\admin\data\ldap\ldapfiles, whose size was more than 7 GB… This file is used by WebLogic, but I don’t know for what purpose.

I ran a head command on it; here is the output:


I assume this is a kind of binary/XML logger.

You can stop your server, delete this file (and another: changelog.index) and restart the server. The files will be created again.

java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[myRole]

Short stacktrace:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'myJmsTemplate' (...) Invocation of init method failed; nested exception is java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[myRole]

Complete stacktrace (copy and paste it into a text editor if the complete stack is not displayed in your browser):

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'myJmsTemplate' defined in URL [zip:C:/workarea/development/servers/wl_server/servers/XXXX/tmp/_WL_user/XXXXXXXXXXXX-ear/7gtxm8/XXXXXXXX-services-ejb.jar!/com/XXXXX/businessApplicationContext-XXXXXXXX.xml]: Cannot resolve reference to bean 'myJmsQueueConnectionFactory' while setting bean property 'connectionFactory'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'myJmsQueueConnectionFactory' defined in URL [zip:C:/workarea/development/servers/wl_server/servers/ejbtier/tmp/_WL_user/XXXXXX-ear/7gtxm8/XXXXXXXX.jar!/com/bnpparibas/primeweb/businessApplicationContextXXXXXXXXXXXX.xml]: Invocation of init method failed; nested exception is java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[myRole]
 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:275)
 at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104)
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1245)
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1010)
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
 at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
 at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
 at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:221)
 at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
 at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
 at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
 at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:881)
(...)

The issue appears when I try to deploy an EJB that sends JMS messages from my WebLogic server to another one in another domain.

Fix:

  • I have not fixed the issue myself; I gave advice to the teams in charge of solving it. But I assume the following guidelines are OK.
  • Indeed, there are two issues: one with credentials and another with servers.
  • Servers need to trust each other. More information is available here. I assume trust is granted through the use of certificates.
  • On the other hand, credentials from my server, that is, here “myRole”, must be accepted by the remote LDAP jurisdiction. I assume that the remote EJB environment must have something like:
    • distantEnvironment.put(InitialContext.SECURITY_PRINCIPAL, "myRole");

Now it should work!

LDIFReader: modify record not ends with '-' in the record starting on line

Error:

Error: LDAPLocalException: com.novell.ldap.ldif_dsml.LDIFReader: modify record not ends with '-' in the record starting on line 38 of the file. (82) Local Error

Fix:

  • go to the line given in the error (here: 38)
  • find the block of the entry being modified, for instance:
dn: cn=foo,ou=OUfoos,ou=Groups, dc=DCfoos
changetype: modify
add: uniqueMember
uniqueMember: cn=myFoo, ou=OUfoos, ou=Groups, dc=DCfoos
  • then add a '-' character as the last line of this block; you get:
dn: cn=foo,ou=OUfoos,ou=Groups, dc=DCfoos
changetype: modify
add: uniqueMember
uniqueMember: cn=myFoo, ou=OUfoos, ou=Groups, dc=DCfoos
-

com.novell.ldap.ldif_dsml.LDIFReader: Version line must be the first meaningful line

Error:

 LDAPLocalException: com.novell.ldap.ldif_dsml.LDIFReader: Version line must be the first meaningful line(on line 1 of the file) (82) Local Error 

Fix: add this line at the bottom of your Ldif file:

 version: 1
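Both LDIFReader errors above (the missing '-' terminator on a modify record, and the version line that must be the first meaningful line) can be caught before an import is attempted. The checker below is an added Python example, not part of the Novell library or of these posts; it implements the two rules exactly as the error messages state them, assumes records are separated by blank lines, and uses the LDIF entry from the post above as constructed sample input.

```python
import re

VERSION = re.compile(r"^version:\s*\d+\s*$", re.I)
MODIFY = re.compile(r"^changetype:\s*modify\s*$", re.I)
MOD_SPEC = re.compile(r"^(add|delete|replace):\s*\S+", re.I)   # opens one mod-spec

def check_ldif(text):
    """Return [(line_no, message), ...]; an empty list means both checks passed.

    Rule 1: the first non-blank, non-comment line must be the version line.
    Rule 2: every modify record's mod-specs must be closed by a '-' line.
    Records are separated by blank lines; folded lines are not unfolded.
    """
    lines = text.splitlines()
    problems = []
    meaningful = [(n, line) for n, line in enumerate(lines, 1) if line.strip() and not line.startswith("#")]
    if not meaningful or not VERSION.match(meaningful[0][1]):
        problems.append((meaningful[0][0] if meaningful else 1,
                         "Version line must be the first meaningful line"))
    start = None                                  # 1-based line where the open record began
    for n, line in enumerate(lines + [""], 1):    # sentinel blank line closes the last record
        if line.strip() and start is None:
            start = n
        elif not line.strip() and start is not None:
            problems.extend(check_modify_record(lines[start - 1:n - 1], start))
            start = None
    return problems

def check_modify_record(record, start):
    """Each add:/delete:/replace: block in a modify record must end with a line holding only '-'."""
    if not any(MODIFY.match(line) for line in record):
        return []                                 # add/delete/modrdn records use no '-' terminator
    problems, open_at = [], None
    for n, line in enumerate(record, start):
        if MOD_SPEC.match(line):
            if open_at is not None:
                problems.append((open_at, "mod-spec on line %d is not closed with '-'" % open_at))
            open_at = n
        elif line.strip() == "-":
            open_at = None
    if open_at is not None:                       # the case LDIFReader reports for line 38 above
        problems.append((start, "modify record not ends with '-' in the record starting on line %d" % start))
    return problems

# Constructed sample: the post's LDIF entry, first without and then with its '-' terminator.
BROKEN = """version: 1

dn: cn=foo,ou=OUfoos,ou=Groups, dc=DCfoos
changetype: modify
add: uniqueMember
uniqueMember: cn=myFoo, ou=OUfoos, ou=Groups, dc=DCfoos
"""
FIXED = BROKEN + "-\n"
```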