The experts described the attack scenario in a blog post and published a proof-of-concept code.
“In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin.” wrote the expert.
“Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange.”
Mollema pointed out that Microsoft Exchange has high privileges by default in the Active Directory domain. An attacker could synchronize the hashed passwords of the Active Directory users via an ordinary Domain Controller operation, then he can impersonate users and authenticate to any service using NTLM or Kerberos authentication.
“The Exchange Windows Permissions group has WriteDacl access on the Domain object in Active Directory, which enables any member of this group to modify the domain privileges, among which is the privilege to perform DCSync operations,” he added.
The expert chained three issues to escalate from any user with a mailbox to Domain Admin access:
The attack leverages two Python-based tools, the privexchange.py and ntlmrelayx.py. The attack successfully works with Exchange 2013 (CU21) on Windows Server 2012 R2, relayed to (fully patched) Windows Server 2016 DC and Exchange 2016 (CU11) on Windows Server 2016, and relayed to a Server 2019 DC, again fully patched.
Mollema demonstrated that it’s possible to transfer automatic Windows authentication by connecting a machine on the network to a machine under the control of the attacker.
In order to authenticate the attacker to the Exchange, the expert used a method described by ZDI to obtain Exchange authentication using an arbitrary URL over HTTP through the Exchange PushSubscription
API using a reflection attack.
“In their blog post they used this vulnerability to relay the NTLM authentication back to Exchange (this is called a reflection attack) and impersonate other users. If we instead combine this with the high privileges Exchange has by default and perform a relay attack instead of a reflection attack, we can use these privileges to grant ourselves DCSync rights.” continues the analysis.
“The push notification service has an option to send a message every X minutes (where X can be specified by the attacker), even if no event happened. This is something that ensures Exchange will connect to us even if there is no activity in an inbox.”
Mollema also explained that it is possible to carry out a relay attack against LDAP by exploiting the high default privileges granted to
Exchange, an attacker could obtain DCSync rights.
Mollema also detailed potential mitigations for the attack in his post such as:
Microsoft is espected to address the issue in February.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Microsoft Exchange, hacking)
[adrotate banner=”5″] [adrotate banner=”13″]
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher…
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack…
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large…
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
This website uses cookies.