<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Maddy - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/maddy/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/maddy/feed.xml" rel="self" type="application/rss+xml"/><item><title>Maddy Mail Server LDAP Filter Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-maddy-ldap-injection/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-maddy-ldap-injection/</guid><description>Maddy Mail Server is vulnerable to LDAP injection via unsanitized username in the `auth.ldap` module, enabling identity spoofing, LDAP directory enumeration, and attribute value extraction by injecting arbitrary LDAP filter expressions through the username field in SMTP submission or IMAP LOGIN interfaces.</description><content:encoded><![CDATA[<p>Maddy is vulnerable to LDAP injection due to the <code>auth.ldap</code> module constructing LDAP search filters and DN strings by directly interpolating user-supplied usernames without proper escaping. This vulnerability, present in versions prior to 0.9.3, allows an attacker to inject arbitrary LDAP filter expressions through the username field of the SMTP submission (AUTH PLAIN) or IMAP LOGIN interfaces. Specifically, the <code>strings.ReplaceAll()</code> function is used to insert the username into LDAP queries without sanitization. Successful exploitation enables identity spoofing, LDAP directory enumeration, and attribute value extraction. The vulnerable code is located in <code>internal/auth/ldap/ldap.go</code> within the <code>Lookup()</code> and <code>AuthPlain()</code> functions. This vulnerability is identified as CVE-2026-40193.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Maddy instance configured to use LDAP authentication with the <code>auth.ldap</code> module and either the <code>filter</code> or <code>dn_template</code> directive enabled.</li>
<li>The attacker connects to the Maddy instance's SMTP submission port (587) or IMAP port (993/143).</li>
<li>The attacker initiates the authentication process (AUTH PLAIN for SMTP, LOGIN for IMAP).</li>
<li>The attacker crafts a malicious username containing LDAP injection payloads (e.g., <code>user)(attribute=value*)</code>) to bypass authentication or extract information.</li>
<li>The crafted username is passed to the vulnerable <code>strings.ReplaceAll()</code> function in <code>internal/auth/ldap/ldap.go</code> without proper sanitization.</li>
<li>The unsanitized username is incorporated into an LDAP query or DN string, modifying the query's behavior.</li>
<li>If the injected filter allows, the attacker successfully authenticates as another user or extracts sensitive information via boolean-based blind injection.</li>
<li>The attacker leverages successful LDAP injection to spoof identities, enumerate the LDAP directory, or exfiltrate user attributes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to significant consequences. Attackers can spoof identities and potentially gain unauthorized access to resources. LDAP directory enumeration allows attackers to discover sensitive information about users and the directory structure. The ability to extract attribute values, including password hashes, further compromises the security of the system. All maddy deployments using the <code>auth.ldap</code> module with the <code>filter</code> or <code>dn_template</code> directive are vulnerable, affecting both SMTP submission and IMAP authentication. This issue is tracked as CVE-2026-40193 and has a high severity rating.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Maddy version 0.9.3 or later to patch the vulnerability described in GHSA-5835-4gvc-32pc.</li>
<li>Deploy the Sigma rule &quot;Detect Maddy LDAP Injection Attempt via SMTP AUTH&quot; to identify attempted exploitation via SMTP AUTH PLAIN.</li>
<li>Enable detailed logging on the Maddy server, specifically capturing the usernames used during SMTP AUTH and IMAP LOGIN attempts, to facilitate investigation of potential LDAP injection attacks.</li>
<li>If upgrading is not immediately feasible, consider disabling the <code>auth.ldap</code> module or implementing input validation to sanitize usernames before they are used in LDAP queries.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ldap-injection</category><category>authentication-bypass</category><category>information-disclosure</category><category>maddy</category><category>smtp</category><category>imap</category></item></channel></rss>