Maddy Mail Server LDAP Injection Vulnerability in Auth Module
Vulnerability
A vulnerability allowing LDAP injection has been identified in the Maddy mail server, specifically in versions prior to 0.9.3. The issue arises in the auth.ldap module, where user-supplied usernames are directly inserted into LDAP search filters and DN strings without proper escaping. This flaw allows an attacker with network access to the SMTP submission or IMAP interface to inject arbitrary LDAP filter expressions, leading to identity spoofing, unauthorized LDAP directory enumeration, and extraction of LDAP attribute values through authentication response manipulation.
Impact
Exploitation of this vulnerability allows for LDAP injection, enabling identity spoofing, unauthorized directory enumeration, and extraction of sensitive LDAP attribute values, such as password hashes and other authorization information.
Reproduction
To reproduce this vulnerability, configure a Maddy mail server instance with the auth.ldap module, using a filter directive that incorporates user-supplied usernames. Once the server is running, inject LDAP filter expressions through the username field in AUTH PLAIN or LOGIN commands. For example, a client can authenticate as one user while supplying a username that manipulates the LDAP filter so that it is authenticated as another user.
Remediation
Users are advised to upgrade to Maddy version 0.9.3, which addresses the LDAP injection vulnerability by implementing proper escaping when constructing LDAP filters and DN strings.
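The escaping that the fix describes, as an added example (not Maddy's own code or its patch): filter values are encoded per RFC 4515 and DN attribute values per RFC 4514 before they are substituted. The `{username}` placeholder, the templates, the function names and the input string are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilter hex-encodes the RFC 4515 special bytes of a filter assertion value.
func escapeFilter(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// escapeDN backslash-escapes the RFC 4514 special bytes of a DN attribute value.
func escapeDN(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case strings.IndexByte(`,+"\<>;=`, c) >= 0, i == 0 && (c == ' ' || c == '#'), i == len(v)-1 && c == ' ':
			fmt.Fprintf(&b, "\\%c", c)
		case c == 0:
			b.WriteString(`\00`)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// expand substitutes the username into a template (hypothetical helper) after applying esc.
func expand(tmpl, username string, esc func(string) string) string {
	return strings.ReplaceAll(tmpl, "{username}", esc(username))
}

func main() {
	raw := func(s string) string { return s } // no escaping: the pattern the advisory describes
	filter, dn := "(uid={username})", "cn={username},dc=example,dc=org" // constructed templates
	in := "a*)(b,c" // constructed input containing filter and DN metacharacters
	fmt.Println(expand(filter, in, raw), expand(filter, in, escapeFilter), expand(dn, in, escapeDN))
}
```

With escaping applied, the expanded filter keeps the same structure as its template, so the username can only ever be compared as a literal value.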
