05 JANUARY 2019
Microsoft Exchange Vulnerability Could Allow for Privilege Escalation
Thanks to a Microsoft Exchange vulnerability, anyone with access to a mailbox could raise their privileges and become a Domain Administrator.
A Microsoft Exchange vulnerability has been discovered that gives anyone with access to an Exchange mailbox the opportunity to elevate their privileges and become a Domain Administrator.
Exposed by researcher Dirk-jan Mollema of Fox-IT, one of the main problems is that ‘Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin’.
With the likelihood of exploit success rated ‘very high’ by Infrastructure Analyst Chris Libby, the aftermath of an attack could be devastating. If the vulnerability is exploited, it could permit the attacker to carry out a series of malicious activities, including bypassing normal authentication or encryption in a computer system and impersonating any other user of the Exchange server.
Microsoft claims that to exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.
According to Dirk-jan, the vulnerability isn’t one single flaw, but a combination of three components.
The three main issues discovered were:
Exchange Web Services (EWS)
Microsoft Exchange supports an API called EWS, which can be made to authenticate to an attacker with the computer account of the Exchange server.
NTLM authentication’s vulnerability to relay attacks
This authentication is done with NTLM over HTTP, and the Exchange server also fails to set the signing and sealing flags on its NTLM authentication traffic, which leaves the authentication attempt vulnerable to NTLM relay attacks.
Microsoft’s Exchange Servers
Microsoft’s Exchange Servers are installed with high privileges by default in the Active Directory domain, which allows any member of the group the Exchange servers belong to to change permissions on the domain, including granting the privilege to perform DCSync operations.
Dirk-jan has also released proof-of-concept code, dubbed PrivExchange, demonstrating how the attack works.
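The third component above, the high default privileges of Exchange servers in the domain, is something an administrator can audit directly. In a default installation the right in question is a WriteDacl entry on the domain object granted to the Exchange Windows Permissions group (of which Exchange Trusted Subsystem, containing the Exchange computer accounts, is a member); with it, any member can grant itself the directory-replication rights that DCSync relies on. The following script is an added example written for this article, not code from the article, from Fox-IT or from the PrivExchange proof of concept. It assumes the RSAT ActiveDirectory PowerShell module is available on a domain-joined host and that the Exchange security groups still carry their default names; it only reads the domain DACL and reports the entries that matter.

```powershell
# Added example: audit the domain root DACL for the Exchange ACEs that allow
# escalation to Domain Admin. Read-only; assumes the RSAT ActiveDirectory module
# and the default Exchange group names.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path ("AD:\" + $domainDN)

# Rights that let a principal rewrite the domain's permissions (and from there
# grant itself replication rights) or that amount to full control outright.
$dangerousRights = 'WriteDacl', 'WriteOwner', 'GenericAll', 'GenericWrite'

# Control-access-right GUIDs for directory replication, i.e. what DCSync needs.
# These are the published schema values for the two extended rights.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

# Default Exchange groups (assumed unrenamed in this environment).
$exchangeGroups = 'Exchange Windows Permissions', 'Exchange Trusted Subsystem'

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }

    # IdentityReference looks like "CONTOSO\Exchange Windows Permissions".
    $principal = $ace.IdentityReference.Value
    $isExchange = $exchangeGroups | Where-Object { $principal -like "*\$_" }
    if (-not $isExchange) { continue }

    # ActiveDirectoryRights is a flags enum; its string form is comma-separated.
    $granted = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
    $hits = @($granted | Where-Object { $dangerousRights -contains $_ })

    # For ExtendedRight ACEs, ObjectType names the specific control-access right.
    $objectType = $ace.ObjectType.ToString()
    if ($replicationRights.ContainsKey($objectType)) {
        $hits += $replicationRights[$objectType]
    }

    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            Principal = $principal
            Rights    = ($hits -join ', ')
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Exchange groups hold rights on $domainDN that permit escalation to Domain Admin:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No WriteDacl/WriteOwner/GenericAll or replication rights for Exchange groups found on $domainDN."
}
```

Any ordinary domain user can read the domain DACL, so the script needs no special rights to run. A WriteDacl hit for Exchange Windows Permissions on an unpatched installation is the expected, default state rather than a sign of tampering; a replication-right hit for either Exchange group is not part of any default and is worth investigating. Removing or narrowing that ACE (and the vendor updates Microsoft released for this issue) addresses only the third component; the EWS and NTLM-relay components still call for the usual relay mitigations such as signing and Extended Protection for Authentication on the Exchange endpoints.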