Land rapid7#19267, Escape LDAP query string filters

adfoster-r7 · web-flow · commit 2e51b37f1cf6 · 2024-06-20T10:42:19.000+01:00
diff --git a/lib/msf/core/exploit/remote/ldap.rb b/lib/msf/core/exploit/remote/ldap.rb
@@ -309,5 +309,14 @@ def validate_query_result!(query_result, filter=nil)
         end
       end
     end
+
+    # Return a string suitable for placement in an LDAP filter
+    # e.g. (certificateTemplates=#{ldap_escape_string(name)})
+    #
+    # @param string String The string to escape.
+    # @return The escaped string.
+    def ldap_escape_filter(string)
+      Net::LDAP::Filter.escape(string)
+    end
   end
 end
diff --git a/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb b/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb
@@ -178,7 +178,7 @@ def query_ldap_server_certificates(esc_raw_filter, esc_name)
   def convert_sids_to_human_readable_name(sids_array)
     output = []
     for sid in sids_array
-      raw_filter = "(objectSID=#{sid})"
+      raw_filter = "(objectSID=#{ldap_escape_filter(sid.to_s)})"
       attributes = ['sAMAccountName', 'name']
       base_prefix = 'CN=Configuration'
       sid_entry = query_ldap_server(raw_filter, attributes, base_prefix: base_prefix) # First try with prefix to find entries that may be group specific.
@@ -344,7 +344,7 @@ def find_enrollable_vuln_certificate_templates
     # have permissions to enroll in certificates on each server.
 
     @vuln_certificate_details.each_key do |certificate_template|
-      certificate_enrollment_raw_filter = "(&(objectClass=pKIEnrollmentService)(certificateTemplates=#{certificate_template}))"
+      certificate_enrollment_raw_filter = "(&(objectClass=pKIEnrollmentService)(certificateTemplates=#{ldap_escape_filter(certificate_template.to_s)}))"
       attributes = ['cn', 'dnsHostname', 'ntsecuritydescriptor']
       base_prefix = 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
       enrollment_ca_data = query_ldap_server(certificate_enrollment_raw_filter, attributes, base_prefix: base_prefix)
@@ -418,7 +418,7 @@ def get_pki_object_by_oid(oid)
 
     if pki_object.nil?
       pki_object = query_ldap_server(
-        "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=#{oid}))",
+        "(&(objectClass=msPKI-Enterprise-Oid)(msPKI-Cert-Template-OID=#{ldap_escape_filter(oid.to_s)}))",
         nil,
         base_prefix: 'CN=OID,CN=Public Key Services,CN=Services,CN=Configuration'
       )&.first
diff --git a/spec/lib/msf/core/exploit/remote/ldap_spec.rb b/spec/lib/msf/core/exploit/remote/ldap_spec.rb
@@ -90,6 +90,16 @@
     end
   end
 
+  describe '#ldap_escape_filter' do
+    let(:string) do
+      'John Doe (Developer) *'
+    end
+
+    it do
+      expect(subject.ldap_escape_filter(string)).to eq("John Doe \\28Developer\\29 \\2A")
+    end
+  end
+
   describe '#resolve_connect_opts' do
     let(:cred) do
       'I am a cred'
