Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Admin.
On Thursday, Dirk-jan Mollema, a security researcher with Fox-IT in the Netherlands, published proof-of-concept code and an explanation of the attack, which involves the interplay of three separate issues.
According to Mollema, the primary problem is that Exchange has high privileges by default in the Active Directory domain.
Exchange Windows Permissions group has
WriteDacl access on the Domain object in Active Directory, which enables any member of this group to modify the domain privileges, among which is the privilege to perform DCSync operations," he explained in his post.
This allows an attacker to synchronize the hashed passwords of the Active Directory users through a Domain Controller operation. Access to these hashed passwords allows the attacker to impersonate users and authenticate to any service using NTLM (a Microsoft authentication protocol) or Kerberos authentication within that domain.
Mollema wasn't immediately available to discuss his work due to time zone differences and the need to involve a media handler.
The attack relies on two Python-based tools:
ntlmrelayx.py. It has been tested on Exchange 2013 (CU21) on Windows Server 2012 R2, relayed to (fully patched) Windows Server 2016 DC and Exchange 2016 (CU11) on Windows Server 2016, and relayed to a Server 2019 DC, again fully patched.
Using NTLM, Mollema said it's possible to transfer automatic Windows authentication, which occurs upon connection to the attacker's machine, to other machines on the network.
Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)READ MORE
How then to get Exchange to authenticate the attacker? Mollema pointed to a ZDI researcher who found a way to obtain Exchange authentication using an arbitrary URL over HTTP through the Exchange
PushSubscription API using a reflection attack.
If this technique is instead used to perform a relay attack against LDAP, taking advantage of Exchange's high default privileges, it's possible to for the attacker to obtain DCSync rights.
Mollema described several potential mitigations for the attack in his post. These include: reducing Exchange privileges on the Domain object; enabling LDAP signing and channel binding; blocking Exchange servers from connecting to arbitrary ports; enabling Extended Protection for Authentication on Exchange endpoints in IIS; removing the registry key that allows relaying; and enforcing SMB signing.
In a statement emailed to The Register, Microsoft avoided commenting on the specific vulnerability described by Mollema, but the wording of its coy, content-free reply suggests the company may issue a fix in February.
“Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible," a Microsoft spokesperson said. "Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month." ®