In the following C# example I'm querying AD's configuration container for Exchange overrides. If the domain name in unsanitised the end user could get LDAP to read a different object then intended.
I'm not sure if other actions other than read are possible.
static string GetExchangeDomain(string targetDomain)
{
string retFoundDomain = "";
string remoteDomainLocation = "CN=Microsoft Exchange,CN=Services,";
string filter = string.Format("(domainName={0})", targetDomain);
string[] props = new string[] { "targetAddress", "description" };
using (DirectoryEntry rootDSE = new DirectoryEntry("LDAP://RootDSE"))
{
string serverName = rootDSE.Properties["dnsHostName"].Value as string;
string domainContext = rootDSE.Properties["configurationNamingContext"].Value as string;
using (DirectoryEntry exchOrgDE = new DirectoryEntry("LDAP://" + serverName + "/" + remoteDomainLocation + domainContext))
{
foreach (DirectoryEntry item in exchOrgDE.Children)
{
string orgName = item.Name;
if (item.Properties["objectCategory"][0].ToString().StartsWith("CN=ms-Exch-Organization-Container"))
{
using (DirectoryEntry exchangeRemoteDomains = new DirectoryEntry("LDAP://" + serverName + "/CN=Internet Message Formats,CN=Global Settings," + orgName + "," + remoteDomainLocation + domainContext))
{
using (DirectorySearcher searcher = new DirectorySearcher(exchangeRemoteDomains, filter, new string[] { "cn", "domainName" }))
{
searcher.ReferralChasing = ReferralChasingOption.All;
SearchResult result = searcher.FindOne();
if (result != null)
{
retFoundDomain = result.Properties["cn"][0].ToString().TrimEnd(("." + targetDomain).ToCharArray());
}
}
}
}
item.Dispose(); // not sure if this is required...
}
}
}
return retFoundDomain;
}
Question
Are there any examples or tools that test for LDAP injection?
What is the correct way to sanitize the input for an LDAP query?