## https://sploitus.com/exploit?id=55A8A302-B850-536E-BA93-897D6CF1D9EB
# CVE-2024-49113 โ Windows LDAP DoS Vulnerability PoC
> **Author:** SafeBreach
> **Status:** Patched (Microsoft, December 2024 Patch Tuesday)
> **CVSSv3 Score:** 7.5 (High)
----------------------------------------------------------------
# Bypass Windows Server and commercial EDR
> **Author:** Tim Shing
> **Status:** Unpatched
> **CVSSv3 Score:** 7.4 (High)
---
## โ ๏ธ Disclaimer
This repository is for **educational and authorised security research purposes only**.
Do not use this against any system without **explicit written permission** from the system owner.
The author accepts no responsibility for misuse of this code.
---
## Vulnerability Overview
| Field | Detail |
|-------|--------|
| CVE ID | CVE-2024-49113 |
| Affected Component | Windows Lightweight Directory Access Protocol (LDAP) |
| Vulnerability Type | Denial of Service (DoS) |
| Attack Vector | Network (unauthenticated) |
| Affected Systems | Windows Server 2019, 2022; Windows 10/11 (unpatched) |
| Patch Available | Yes โ KB5048239 (December 2024) |
--------------------------------------------------------
## Vulnerability Overview
| Field |Detail |
|---------------|
| Reported to MSRC| |
|Affected Component| Windows server 2019/Windows cliecnt 10,11 |
| Vulnerability Type | Remote Code Execution (DoS) |
| Attack Vector | Network (unauthenticated) |
| Affected Systems | Windows Server 2019, 2022; Windows 10/11 (unpatched) |
| Patch Available | NO |
### Root Cause
Unpatched Windows systems expose LDAP on **port 389 without encryption**, allowing a remote attacker to trigger a crash via a malformed LDAP request, resulting in system shutdown or restart (DoS).
---
## Discovery & Research Process
This vulnerability was investigated as part of my Final Year Project on automated vulnerability scanning and exploit development.
**Methodology:**
1. Automated network scanning with **Nmap** to identify hosts with port 389 open
2. Vulnerability validation using **Nessus** (plugin for LDAP exposure)
3. Reproduction of DoS condition in an isolated lab environment (Windows Server 2022 VM)
4. Documentation of attack vector, impact, and remediation
---
## Repository Contents
```
โโโ scanner/
โ โโโ nmap_ldap_scan.sh # Nmap script to identify exposed LDAP hosts
โ โโโ nessus_policy_notes.md # Nessus scan policy used
โโโ exploit/
โ โโโ cve_2024_49113_poc.py # PoC โ lab use only
โโโ report/
โ โโโ vulnerability_report.md # Sample risk report (ISO 27001 aligned)
โโโ README.md
```
---
## Remediation (Defence Perspective)
This is the most important part โ knowing how to fix it:
1. **Apply Microsoft patch KB5048239** immediately (December 2024 Patch Tuesday)
2. **Block port 389 (unencrypted LDAP)** at firewall level; enforce LDAPS (port 636) only
3. **Disable legacy LDAP** via Group Policy: `Network security: LDAP client signing requirements โ Require signing`
4. **Monitor for anomalous LDAP traffic** using SIEM rules targeting high-volume port 389 connections
5. **Risk treatment** (ISO 27001 Annex A):
- A.8.8 โ Management of technical vulnerabilities
- A.8.20 โ Networks security controls
---
## Lab Environment
All testing was conducted in an **isolated, offline virtual lab**:
- VMware Workstation (host-only network)
- Windows Server 2022 (unpatched, intentionally vulnerable target)
- Kali Linux (attacker machine)
No production or third-party systems were involved.
---
## References
- [Microsoft Security Advisory โ CVE-2024-49113](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49113)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2024-49113)
- NIST SP 800-115 โ Technical Guide to Information Security Testing
- ISO/IEC 27001:2022 Annex A Controls
---
## Contact
**Tim Shing**
๐ง aae12518@gmail.com
๐ [LinkedIn](https://linkedin.com/in/timshing)
๐ Hong Kong