LDAP Injection in ForgeRock OpenAM: Exploiting CVE-2021-29156
Posted by: Charlton Trezevant
Published 12/14/21, 9:00am
Today, GuidePoint Security is pleased to release a functional Proof-of-Concept tool for CVE-2021-29156, an LDAP injection vulnerability in ForgeRock OpenAM v13.0.0.
This vulnerability allows an attacker to extract a variety of information (such as a user’s password hash) from vulnerable OpenAM servers using a character-by-character brute force attack.
https://github.com/guidepointsecurity/CVE-2021-29156
By default, this tool is configured to extract the password hash of the amAdmin user. Further adjustments may be made to the LDAP injection payloads if exfiltration of other data from the OpenAM instance is desired.
To use this tool, simply adjust the baseURL, proxy, and user variables and run the script. After some time, the complete exfiltrated password hash of the amAdmin user will be displayed in the console.
For a more in-depth look at this vulnerability, PortSwigger has an excellent writeup of the exploit itself and its theory of operation.
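The extraction technique above (an LDAP filter metacharacter injected into a request parameter, then many near-identical requests that each confirm one more character) leaves a recognisable trace in web server access logs. The following Python is an added defensive example written for this post, not part of the GuidePoint tool or of OpenAM: it scans constructed sample log lines for query values containing unescaped LDAP filter metacharacters, groups the hits by client address so that a character-by-character brute force stands out by volume, and includes the RFC 4515 escaping routine that an application should apply before placing user input in a filter. The log format, the `/login?user=` parameter, the `cn` attribute and the IP addresses are all constructed for the example and are not taken from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Characters with special meaning inside an LDAP search filter (RFC 4515).
# A user-supplied value should never reach a filter with these unescaped.
LDAP_META = set('\\*()\x00')


def escape_ldap_value(value: str) -> str:
    """Escape a value for safe placement inside an LDAP filter assertion.

    Uses the RFC 4515 backslash-hex form, e.g. '*' -> '\\2a'. This is the
    mitigation side: an application that escapes like this (or uses a
    parameterised LDAP API) does not let '(' or ')' alter filter structure.
    """
    return ''.join('\\%02x' % ord(c) if c in LDAP_META else c for c in value)


# Constructed access-log shape: <client ip> "<method> <target>" <status>
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3})$')


def suspicious_params(target: str):
    """Return (name, value) pairs from the query string whose decoded value
    contains LDAP metacharacters. URL-encoded forms (%2A, %29 ...) are decoded
    first, so an encoded payload is caught as well as a raw one."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if any(c in LDAP_META for c in v)]


def scan_log(lines, threshold: int = 5):
    """Group metacharacter-bearing request values by client address.

    A single odd request may be noise; a character-by-character extraction
    needs one request per guessed character, so a client that crosses the
    threshold is the one worth alerting on. Returns {ip: [values]} for clients
    at or above the threshold.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected log shape
        for _, value in suspicious_params(m['target']):
            hits[m['ip']].append(value)
    return {ip: vals for ip, vals in hits.items() if len(vals) >= threshold}


# Constructed sample log: two benign requests from one client, six
# filter-manipulating requests (raw and URL-encoded) from another.
SAMPLE_LOG = """\
198.51.100.7 "GET /login?user=alice" 200
198.51.100.7 "GET /login?user=alice&lang=en" 200
203.0.113.9 "GET /login?user=bob)(cn=a*" 200
203.0.113.9 "GET /login?user=bob)(cn=b*" 200
203.0.113.9 "GET /login?user=bob)(cn=c*" 200
203.0.113.9 "GET /login?user=bob%29%28cn%3Dd%2A" 200
203.0.113.9 "GET /login?user=bob%29%28cn%3De%2A" 200
203.0.113.9 "GET /login?user=bob%29%28cn%3Df%2A" 200
"""


if __name__ == "__main__":
    for ip, values in scan_log(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(values)} requests with LDAP metacharacters")
        for v in values:
            print(f"  raw value: {v!r}  escaped: {escape_ldap_value(v)!r}")
```

The threshold is deliberately low for the sample; in production it should be tuned against a baseline, and the same grouping can be keyed on session or user agent rather than source address, since an attacker routing through a proxy (as the released tool supports) may not present a single IP. The escaping function shows the application-side fix: once metacharacters are encoded, the injected `)(cn=...*` text is matched literally rather than changing the filter.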
Charlton Trezevant
Application Security Consultant,
GuidePoint Security
Charlton Trezevant, Application Security Consultant at GuidePoint Security, is a software developer and security consultant residing in St. Petersburg, Florida. Since 2015, Charlton has drawn from years of experience in multiple technical domains, using his skills to great effect as a security professional, mentor, researcher, and award-winning participant in national cybersecurity competitions.
Charlton has led and participated in vulnerability assessments, consultation, and penetration testing for industries including higher education, entertainment, finance, and technology. His experience includes application and network penetration testing, security auditing, threat modeling, social engineering, network architecture, software development, and curriculum design.