A security researcher has disclosed details of a zero-day vulnerability in the Microsoft Exchange mail server. They claim this vulnerability could be exploited by a user with access to an Exchange mailbox to obtain domain administration privileges.
The vulnerability is the result of three separate components which, when combined, can result in full domain access:
- High Default Exchange Permissions – By default, Exchange servers have high permissions on the Active Directory (AD) domain. Users within the ExchangeWindowsPermissions group are able to modify the domain privileges, among which is the privilege to synchronise the hashed passwords of all AD users. Access to these passwords could allow a threat actor to impersonate any other user and authenticate to any services using NT LAN Manager (NTLM) or Kerberos authentication.
- NTLM Authentication Relay Attacks – The NTLM protocol itself is vulnerable to relay attacks, a form of attack where a threat actor relays messages between two or more unaware parties, over SMB and LDAP. A threat actor could use this to intercept the authentication negotiations between a legitimate user and the server, authenticating themselves in place of the user.
- Exchange Automatic Authentication – Exchange includes a feature called PushSubscription that can be forced to automatically authenticate to an arbitrary URL over HTTP using NTLM authentication hashes. A threat actor can exploit this to impersonate any other Exchange user.
By adapting known exploits for these components, the researcher discovered that a threat actor could force an Exchange server to provide them with another authenticated user’s NTLM credentials, which can then be used to perform a relay attack on the underlying AD domain controller, granting themselves escalated Exchange privileges in the process. They can then use these privileges to perform a hashed password synchronisation in order to impersonate any user on the AD domain.
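From the defender's side, the end state of this chain is visible as a change to the access control list on the domain object: a trustee that is not a domain controller or administrator holds replication rights. The following audit sketch is an added example, not code from the researcher or from this article. It parses an SDDL string and reports such grants. The allow-list of expected trustees, the sample SDDL and the SID in it are constructed assumptions.

```python
import re

# Extended rights that allow directory replication, i.e. synchronising
# the hashed passwords of AD users.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumption: trustees (SDDL aliases) expected to hold these rights.
EXPECTED = frozenset({"BA", "ED", "DD", "SY"})
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, written "CR" in SDDL

def replication_grants(sddl):
    """Return (trustee, right) for DACL allow ACEs that grant replication."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    grants = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue  # malformed ACE, or a deny/audit ACE
        flags, rights, obj, trustee = fields[1], fields[2], fields[3].lower(), fields[5]
        if "IO" in re.findall("..", flags):
            continue  # inherit-only: does not apply to this object itself
        if rights.startswith("0x"):
            has_cr = bool(int(rights, 16) & CONTROL_ACCESS)
        else:
            has_cr = "CR" in re.findall("..", rights)
        if not has_cr:
            continue
        if obj == "":  # no object type: every extended right is granted
            grants.append((trustee, "All-Extended-Rights"))
        elif obj in REPLICATION_RIGHTS:
            grants.append((trustee, REPLICATION_RIGHTS[obj]))
    return grants

def unexpected_grants(sddl, expected=EXPECTED):
    """Grants held by trustees outside the expected allow-list."""
    return sorted({g for g in replication_grants(sddl) if g[0] not in expected})

# Constructed sample: a domain-root style descriptor with one extra trustee.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = ("O:DAG:DAD:AI"
          "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
          "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
          f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SID})"
          f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SID})"
          "(A;;RPWPCRLCLOCCDCRCWDWOSDSW;;;BA)(A;;RPLCLORC;;;AU)"
          "S:AI(AU;SA;WPWDWO;;;WD)")
```

Run against a periodic export of the domain object's security descriptor, any output from `unexpected_grants` is a trustee to investigate; the allow-list has to be adjusted to the environment.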
The Register spoke to Microsoft about this issue. “Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible,” a Microsoft spokesperson said. “Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month.”
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.