Pierluigi Paganini January 25, 2019

The security expert Dirk-jan Mollema with Fox-IT discovered a privilege escalation vulnerability in Microsoft Exchange that could be exploited by a user with a mailbox to become a Domain Admin.

The experts described the attack scenario in a blog post and published a proof-of-concept code.

“In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin.” wrote the expert.

“Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange.”

Mollema pointed out that Microsoft Exchange has high privileges by default in the Active Directory domain. An attacker could synchronize the hashed passwords of the Active Directory users via an ordinary Domain Controller operation, then he can impersonate users and authenticate to any service using NTLM or Kerberos authentication.

“The Exchange Windows Permissions group has WriteDacl access on the Domain object in Active Directory, which enables any member of this group to modify the domain privileges, among which is the privilege to perform DCSync operations,” he added.

The expert chained three issues to escalate from any user with a mailbox to Domain Admin access:

• Exchange Servers have (too) high privileges by default
• NTLM authentication is vulnerable to relay attacks
• Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server

The attack leverages two Python-based tools, the privexchange.py and ntlmrelayx.py. The attack successfully works with Exchange 2013 (CU21) on Windows Server 2012 R2, relayed to (fully patched) Windows Server 2016 DC and Exchange 2016 (CU11) on Windows Server 2016, and relayed to a Server 2019 DC, again fully patched.

Mollema demonstrated that it’s possible to transfer automatic Windows authentication by connecting a machine on the network to a machine under the control of the attacker.

In order to authenticate the attacker to the Exchange, the expert used a method described by ZDI to obtain Exchange authentication using an arbitrary URL over HTTP through the Exchange PushSubscription API using a reflection attack.

“In their blog post they used this vulnerability to relay the NTLM authentication back to Exchange (this is called a reflection attack) and impersonate other users. If we instead combine this with the high privileges Exchange has by default and perform a relay attack instead of a reflection attack, we can use these privileges to grant ourselves DCSync rights.” continues the analysis.

“The push notification service has an option to send a message every X minutes (where X can be specified by the attacker), even if no event happened. This is something that ensures Exchange will connect to us even if there is no activity in an inbox.”

Mollema also explained that it is possible to carry out a relay attack against LDAP by exploiting the high default privileges granted to
Exchange, an attacker could obtain DCSync rights.

Mollema also detailed potential mitigations for the attack in his post such as:

• reducing Exchange privileges on the Domain object;
• enabling LDAP signing and channel binding;
• blocking Exchange servers from connecting to arbitrary ports;
• enabling Extended Protection for Authentication on Exchange endpoints in IIS;
• removing the registry key that allows relaying;
• enforcing SMB signing.

Microsoft is espected to address the issue in February.

Pierluigi Paganini

(SecurityAffairs – Microsoft Exchange, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]