Microsoft Exchange 2013 and newer versions allow an attacker to escalate privileges when performing a NT LAN Manager (NTLM) relay attack, a security researcher warns.
According to Dirk-jan Mollema, who discovered the vulnerability, the attack is in fact a combination of multiple known flaws and could be exploited by any user with a mailbox to escalate privileges to Domain Admin access.
The first issue is that, in organizations using Active Directory and Exchange, Exchange servers have high-enough privileges to allow an admin on the Exchange server to escalate to Domain Admin. With NTLM authentication vulnerable to relay attacks, one can get Exchange to authenticate to an arbitrary URL over HTTP via the PushSubscription feature, the researcher says.
“Connections made using the PushSubscription feature will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013, the NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks,” a CERT/CC vulnerability note reads.
The ability to force Exchange to authenticate via the PushSubscription feature was initially discovered by researchers with ZDI, who used it to perform a reflection attack (they relayed the NTLM authentication back to Exchange).
Mollema, however, discovered that this could be combined with the high privileges in Exchange to perform a relay attack and gain DCSync rights. An option in the push notification service makes it possible to send a message every X minutes, and the attack ensures that Exchange connects even when there is no activity in an inbox.
“Microsoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, this means that the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server,” CERT/CC explains.
Mollema also reveals that the attack can be performed using compromised credentials, but that an actor in a position to perform a network attack could trigger Exchange to authenticate even if they don’t have credentials.
Some of the mitigations organizations could apply include removing unnecessary high privileges that Exchange has on the Domain object, enabling LDAP signing and enable LDAP channel binding to prevent relaying to LDAP and LDAPS respectively, and blocking Exchange servers from making connections to workstations on arbitrary ports.
The CERT/CC also notes that, while it isn’t aware of a practical solution to this problem, a workaround developed by a third party does exist, and that impacted organizations should consider applying the mitigations proposed by Mollema.