Share
## https://sploitus.com/exploit?id=55A8A302-B850-536E-BA93-897D6CF1D9EB
# CVE-2024-49113 โ€” Windows LDAP DoS Vulnerability PoC

> **Author:** SafeBreach 
> **Status:** Patched (Microsoft, December 2024 Patch Tuesday)  
> **CVSSv3 Score:** 7.5 (High)
----------------------------------------------------------------
# Bypass Windows Server and commercial   EDR
> **Author:** Tim Shing 
> **Status:** Unpatched 
> **CVSSv3 Score:** 7.4 (High)

---

## โš ๏ธ Disclaimer

This repository is for **educational and authorised security research purposes only**.  
Do not use this against any system without **explicit written permission** from the system owner.  
The author accepts no responsibility for misuse of this code.

---

## Vulnerability Overview

| Field | Detail |
|-------|--------|
| CVE ID | CVE-2024-49113 |
| Affected Component | Windows Lightweight Directory Access Protocol (LDAP) |
| Vulnerability Type | Denial of Service (DoS) |
| Attack Vector | Network (unauthenticated) |
| Affected Systems | Windows Server 2019, 2022; Windows 10/11 (unpatched) |
| Patch Available | Yes โ€” KB5048239 (December 2024) |

--------------------------------------------------------
## Vulnerability Overview

| Field 	|Detail 	|
|---------------|
| Reported to MSRC| 			   | 	
|Affected Component| Windows server 2019/Windows cliecnt 10,11 |
| Vulnerability Type | Remote Code Execution (DoS) |
| Attack Vector | Network (unauthenticated) |
| Affected Systems | Windows Server 2019, 2022; Windows 10/11 (unpatched) |
| Patch Available | NO |

### Root Cause
Unpatched Windows systems expose LDAP on **port 389 without encryption**, allowing a remote attacker to trigger a crash via a malformed LDAP request, resulting in system shutdown or restart (DoS).

---

## Discovery & Research Process

This vulnerability was investigated as part of my Final Year Project on automated vulnerability scanning and exploit development.

**Methodology:**
1. Automated network scanning with **Nmap** to identify hosts with port 389 open
2. Vulnerability validation using **Nessus** (plugin for LDAP exposure)
3. Reproduction of DoS condition in an isolated lab environment (Windows Server 2022 VM)
4. Documentation of attack vector, impact, and remediation

---

## Repository Contents

```
โ”œโ”€โ”€ scanner/
โ”‚   โ”œโ”€โ”€ nmap_ldap_scan.sh       # Nmap script to identify exposed LDAP hosts
โ”‚   โ””โ”€โ”€ nessus_policy_notes.md  # Nessus scan policy used
โ”œโ”€โ”€ exploit/
โ”‚   โ””โ”€โ”€ cve_2024_49113_poc.py   # PoC โ€” lab use only
โ”œโ”€โ”€ report/
โ”‚   โ””โ”€โ”€ vulnerability_report.md # Sample risk report (ISO 27001 aligned)
โ””โ”€โ”€ README.md
```

---

## Remediation (Defence Perspective)

This is the most important part โ€” knowing how to fix it:

1. **Apply Microsoft patch KB5048239** immediately (December 2024 Patch Tuesday)
2. **Block port 389 (unencrypted LDAP)** at firewall level; enforce LDAPS (port 636) only
3. **Disable legacy LDAP** via Group Policy: `Network security: LDAP client signing requirements โ†’ Require signing`
4. **Monitor for anomalous LDAP traffic** using SIEM rules targeting high-volume port 389 connections
5. **Risk treatment** (ISO 27001 Annex A):
   - A.8.8 โ€” Management of technical vulnerabilities
   - A.8.20 โ€” Networks security controls

---

## Lab Environment

All testing was conducted in an **isolated, offline virtual lab**:
- VMware Workstation (host-only network)
- Windows Server 2022 (unpatched, intentionally vulnerable target)
- Kali Linux (attacker machine)

No production or third-party systems were involved.

---

## References

- [Microsoft Security Advisory โ€” CVE-2024-49113](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49113)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2024-49113)
- NIST SP 800-115 โ€” Technical Guide to Information Security Testing
- ISO/IEC 27001:2022 Annex A Controls

---

## Contact

**Tim Shing**  
๐Ÿ“ง aae12518@gmail.com  
๐Ÿ”— [LinkedIn](https://linkedin.com/in/timshing)  
๐Ÿ“ Hong Kong