Description
The LDAP query cache does not store instances where an object that was looked up is not present in the remote directory. This means that in the case where a SID or sAMAccountName is looked up, if it doesn't exist, the target server will be contacted again and again. This can lead to queries and thus module runs being quite slow.
Steps to reproduce
- Use AD CS as an example: have a target domain controller set up with AD CS
- Create a temporary account
- Set up a certificate template to be vulnerable to one of the ESC flags
- Add the temporary account to the certificate template with permissions
- Delete the temporary account
- Run the ldap_esc_vulnerable_cert_finder module
- See that there are repeated queries to the target DC for the missing account
Were you following a specific guide/tutorial or reading documentation?
Expected behavior
The cache should have some kind of sentinel value to indicate the object doesn't exist in the target and return nil without contacting the server. Since the cache allows looking up objects by multiple IDs (DN, sAMAccountName, SID), it will probably need to store a missing indicator for each, since it can't know the other ID fields for the missing object.
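One way to implement the sentinel described above, as an added example that is not Metasploit's code: a per-ID-type negative cache in Ruby. The class and method names, and the constructed directory contents, are assumptions.

```ruby
# Added example (not the project's code): a negative-caching LDAP object cache.
# A missing object is stored as the NOT_FOUND sentinel under the ID that was
# queried, so repeat lookups return nil without contacting the directory.
# Objects that are found are indexed under every ID they carry.
class LdapObjectCache
  NOT_FOUND = Object.new.freeze
  KEY_TYPES = %i[dn sam_account_name sid].freeze

  attr_reader :directory_queries

  def initialize
    @index = KEY_TYPES.to_h { |t| [t, {}] }
    @directory_queries = 0
  end

  # Returns the object hash, or nil if absent. The block performs the
  # remote query and returns an object hash or nil.
  def lookup(key_type, value)
    raise ArgumentError, "unknown key type #{key_type}" unless KEY_TYPES.include?(key_type)
    cached = @index[key_type][value]
    return (cached.equal?(NOT_FOUND) ? nil : cached) unless cached.nil?

    @directory_queries += 1
    obj = yield(key_type, value)
    if obj.nil?
      # Only the ID that was asked for is known; the other IDs of a
      # non-existent object are unknowable, so only this key is marked.
      @index[key_type][value] = NOT_FOUND
      return nil
    end
    KEY_TYPES.each { |t| @index[t][obj[t]] = obj if obj[t] }
    obj
  end
end

# Constructed stand-in for the directory: one live account, indexed by SID.
FAKE_DIRECTORY = {
  sid: { 'S-1-5-21-1-2-3-1105' => { dn: 'CN=svc,DC=corp,DC=local', sam_account_name: 'svc', sid: 'S-1-5-21-1-2-3-1105' } },
  dn: {}, sam_account_name: {}
}.freeze

# Three lookups of a deleted SID cost one directory query; the live account's
# SID lookup fills all indexes, so the later sAMAccountName lookup is served locally.
def lookup_demo
  cache = LdapObjectCache.new
  query = ->(t, v) { FAKE_DIRECTORY[t][v] }
  3.times { cache.lookup(:sid, 'S-1-5-21-1-2-3-9999', &query) }
  cache.lookup(:sid, 'S-1-5-21-1-2-3-1105', &query)
  by_name = cache.lookup(:sam_account_name, 'svc', &query)
  [cache.directory_queries, by_name&.dig(:dn)]
end
```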
Current behavior
Repeated lookups for missing objects result in repeatedly querying the target.