vSOC SPOT Report: MS Exchange Privilege Escalation Attack
Posted by: GuidePoint Security
Overview
On January 24, 2019, security researcher Dirk-jan Mollema, of Fox-IT in the Netherlands, published proof-of-concept code along with an explanation of an attack on Microsoft Exchange on his blog.
Mollema explains that Exchange is vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Administrator through API calls.
Technical Overview
According to Mollema, the issue stems from the high privileges that Exchange holds by default in Active Directory. Because of these privileges, Mollema was able to build proof-of-concept code showing that the Exchange Windows Permissions group has WriteDACL access on the domain object, which lets a user modify domain privileges and grant the right to synchronize Active Directory's hashed passwords through a Domain Controller replication operation (DCSync). Once an attacker has these hashed passwords, they can impersonate users and authenticate to any service in the domain that uses NTLM or Kerberos.
The attack has been built into two Python scripts, privexchange.py and ntlmrelayx.py, available on Mollema's GitHub page. To start the attack, an individual would run the ntlmrelayx script in relay mode against LDAP on a Domain Controller and supply a user account, under the attacker's control, to which privileges will be escalated. Once connected to the Domain Controller, the attacker would then run the privexchange script against a user who has a mailbox. If it is run against a user without a mailbox, the attack fails, and the attacker can simply try again until authentication succeeds.
Once the attacker receives an "API call was successful" message, the script waits a specified amount of time for the connection notification to be sent to ntlmrelayx, which gives the attacker's account DCSync privileges. With this level of access, an attacker could dump password hashes or other information and use them to gain further footholds in the organization.
This attack has been fully verified on a Windows Server 2016 DC with Exchange 2016 (CU11), and also relayed to a Windows Server 2019 DC.
Potential Impact
A user with a mailbox could potentially obtain Domain Administrator rights, exposing the entire network to further attack. An attacker could dump password hashes and create golden tickets in order to impersonate any user and gain access through NTLM or Kerberos authentication on the domain.
What You Should Do
Mollema recommends the following best practices to help safeguard networks against this threat until a patch is released:
- Reduce Exchange privileges on the Domain object
- Enable LDAP signing and channel binding
- Block Exchange servers from connecting to arbitrary ports
- Enable Extended Protection for Authentication on Exchange endpoints in IIS
- Remove the registry key that allows relaying, and enforce SMB signing
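As an added, read-only audit example (not from the report or from Mollema's tooling), the following PowerShell checks three of the mitigations above on a Domain Controller: whether the Exchange Windows Permissions group still holds WriteDACL on the domain object, whether LDAP signing and channel binding are enforced, and whether SMB signing is required. It assumes the ActiveDirectory module is installed; the registry value names are the standard Windows settings for these controls, and the relay registry key is not named in the report, so it is not checked.

```powershell
# Added audit script (not part of the report). Read-only: it changes nothing.
# Run on a Domain Controller with the ActiveDirectory module available.
Import-Module ActiveDirectory

# 1. Does "Exchange Windows Permissions" hold WriteDacl on the domain object?
$domainDn = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDn"
$writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$ewpWriteDacl = $acl.Access | Where-Object {
    $_.IdentityReference -like '*\Exchange Windows Permissions' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeDacl) -ne 0)   # also matches GenericAll
}
if ($ewpWriteDacl) {
    Write-Warning "Exchange Windows Permissions has WriteDacl on $domainDn (privileges not reduced)"
} else {
    Write-Output "OK: no WriteDacl ACE for Exchange Windows Permissions on $domainDn"
}

# Helper: read a DWORD and compare it with the value that enforces the control.
function Test-RegSetting {
    param([string]$Path, [string]$Name, [int]$Required, [string]$Label)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$Name } else { $null }
    if ($null -ne $value -and $value -ge $Required) {
        Write-Output "OK: $Label ($Name=$value)"
    } else {
        $shown = if ($null -eq $value) { 'missing' } else { $value }
        Write-Warning "$Label not enforced ($Name=$shown, need >= $Required)"
    }
}

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 2. LDAP signing: LDAPServerIntegrity 2 = require signing (absent/0/1 = negotiated only)
Test-RegSetting -Path $ntds -Name 'LDAPServerIntegrity'       -Required 2 -Label 'LDAP signing required'
#    LDAP channel binding: LdapEnforceChannelBinding 1 = when supported, 2 = always
Test-RegSetting -Path $ntds -Name 'LdapEnforceChannelBinding' -Required 1 -Label 'LDAP channel binding'
# 3. SMB server signing: RequireSecuritySignature 1 = required
Test-RegSetting -Path $srv  -Name 'RequireSecuritySignature'  -Required 1 -Label 'SMB signing required'
```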
Microsoft released the following statement regarding Mollema’s findings:
“Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible,” a Microsoft spokesperson said. “Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month.”
It is believed Microsoft will issue a patch for this in the February 2019 Patch Tuesday updates.
GuidePoint’s vSOC will provide additional information as it is made public.
Supporting Information
- http://www.freerepublic.com/focus/f-chat/3722731/posts
- https://technewstube.com/the-register/1073824/youre-an-admin-youre-an-admin-youre-all-admins-thanks-to-this-microsoft-exchange-zero-day-and-/
- https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
Contributing Authors
Kate Boucher, vSOC Program Manager
Sam Harris, vSOC Practice Lead
GuidePoint Security