01.25.19

Threat Report

MS Exchange Privilege Escalation Attack

By Kate Boucher

Security researcher Dirk-jan Mollema published proof-of-concept code for an Exchange 0-day that demonstrates Exchange is vulnerable to privilege escalation. There’s no patch, but Mollema has shared five mitigation recommendations.

Overview

On January 24, 2019, security researcher Dirk-jan Mollema, of Fox-IT in the Netherlands, published proof-of-concept code and an explanation of an attack on Microsoft Exchange on his blog. The issue was assigned CVE-2019-0686.

Mollema explained that Exchange appears to be vulnerable to a privilege escalation attack that allows any user to become a Domain Administrator through API calls.

Microsoft released updates to fix CVE-2019-0686 on February 12, 2019 as part of its regular Patch Tuesday cycle.

Technical Overview

According to Mollema, the issue stems from the high privileges Exchange holds by default in Active Directory. His proof-of-concept code showed that the Exchange Windows Permissions group has WriteDACL access on the domain object, which lets a user acting with Exchange’s privileges modify the domain’s permissions and grant the right to synchronize hashed passwords from a Domain Controller (a DCSync operation). Once an attacker has these hashed passwords, they can impersonate users and authenticate to any service in the domain that uses NTLM or Kerberos.

The attack itself has been built into two Python scripts, privexchange.py and ntlmrelayx.py, available on Mollema’s GitHub page. To start the attack, the attacker runs the ntlmrelayx script in relay mode, targeting LDAP on a Domain Controller, and supplies a user account under the attacker’s control as the account whose privileges are to be escalated. Once the attacker is able to connect to the Domain Controller, the attacker runs the privexchange script against a user who has a mailbox. If the target user has no mailbox, the attack fails; the attacker can simply try again until authentication succeeds.

Once the attacker receives an “API call was successful” message, the script waits a specified amount of time for the connection notification to arrive at ntlmrelayx, which relays it and grants the attacker DCSync privileges. With this level of access, the attacker can dump password hashes and other information and use them to gain further footholds in the organization.

This attack has been fully verified against a Windows 2016 DC with Exchange 2016 (CU11), and with the relay targeting a Server 2019 DC.
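The chain above ends in a DCSync, which an Active Directory domain controller audits as Event ID 4662 with the replication control-access rights in the Properties field. The following detection logic is an added example, not code from the deepwatch report or from Mollema; it runs over constructed event records (labelled as such in the code), and the list of known DC computer accounts is an assumption you would replace with your own.

```powershell
# Added detection example; not from the deepwatch report or Mollema's code.
# It replays constructed Security-log records shaped like Event ID 4662
# (an operation was performed on an AD object) and flags accounts that
# exercised the replication control-access rights DCSync depends on.
# The two GUIDs are the real DS-Replication-Get-Changes(-All) rights.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Find-DcSyncActivity {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # Assumption: computer accounts of your DCs; replication by them is normal.
        [string[]]$KnownDcAccounts = @()
    )
    foreach ($e in $Events) {
        # 0x100 = Control Access; replication rights are always exercised this way.
        if ($e.Id -ne 4662 -or $e.AccessMask -ne '0x100') { continue }
        if ($KnownDcAccounts -contains $e.SubjectUserName) { continue }
        foreach ($guid in $replicationRights.Keys) {
            if ($e.Properties -match $guid) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Account = "$($e.SubjectDomainName)\$($e.SubjectUserName)"
                    Right   = $replicationRights[$guid]
                    Object  = $e.ObjectName
                }
            }
        }
    }
}

# Constructed sample records (not real logs): a DC replicating normally,
# a mailbox user exercising both replication rights, and an unrelated read.
$sample = @(
    [pscustomobject]@{ Id = 4662; TimeCreated = '2019-01-25T10:02:11'; SubjectDomainName = 'CORP'
                       SubjectUserName = 'DC01$'; AccessMask = '0x100'; ObjectName = 'DC=corp,DC=local'
                       Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id = 4662; TimeCreated = '2019-01-25T10:07:43'; SubjectDomainName = 'CORP'
                       SubjectUserName = 'jsmith'; AccessMask = '0x100'; ObjectName = 'DC=corp,DC=local'
                       Properties = '{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}' }
    [pscustomobject]@{ Id = 4662; TimeCreated = '2019-01-25T10:08:02'; SubjectDomainName = 'CORP'
                       SubjectUserName = 'jsmith'; AccessMask = '0x20'; ObjectName = 'CN=jsmith,CN=Users,DC=corp,DC=local'
                       Properties = '{bf967aba-0de6-11d0-a285-00aa003049e2}' }
)

# Expected: two rows for CORP\jsmith (one per replication right); DC01$ is skipped.
Find-DcSyncActivity -Events $sample -KnownDcAccounts 'DC01$' | Format-Table -AutoSize
```

On a live domain controller the input would come from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662} with the fields pulled from each event's XML, and Directory Service Access auditing must be enabled for 4662 to be logged at all.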

Potential Impact

A user with a mailbox could potentially obtain Domain Administrator rights, exposing the entire network to third-party attacks. An attacker with those rights could dump password hashes and create golden tickets in order to impersonate any user and gain access through NTLM or Kerberos authentication on the domain.

What You Should Do

Mollema recommends the following best practices to help safeguard networks against this threat until a patch is released:

  • Reduce Exchange privileges on the Domain object
  • Enable LDAP signing and channel binding
  • Block Exchange servers from connecting to arbitrary ports
  • Enable Extended Protection for Authentication on Exchange endpoints in IIS
  • Remove the registry key that allows relaying, and enforce SMB signing
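One way to check a domain against most of these recommendations is the audit script below. It is an added example, not code from the deepwatch report or from Mollema; it assumes the ActiveDirectory and WebAdministration PowerShell modules, a default IIS site layout for the EWS virtual directory, and that it runs on a Domain Controller and on each Exchange server. The port-blocking recommendation and the relay registry key are firewall and host settings it does not cover.

```powershell
# Added audit script, not from the deepwatch report or Mollema's tooling.
# Assumes the ActiveDirectory module (AD: drive) and, for the IIS check,
# the WebAdministration module; registry and SMB checks read the local host,
# so run it on a Domain Controller and on each Exchange server.
Import-Module ActiveDirectory

function Test-PrivExchangeHardening {
    $findings = @()
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"

    # 1. Exchange privileges on the Domain object: WriteDacl held by the
    #    Exchange Windows Permissions group is what the attack relies on.
    $writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $exch = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\Exchange Windows Permissions' -and
        $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights.HasFlag($writeDacl)
    }
    if ($exch) { $findings += "Exchange Windows Permissions still holds WriteDacl on $domainDN" }

    # Principals that can already DCSync (the two replication extended rights).
    $replGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    $holders = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $replGuids -contains $_.ObjectType.ToString()
    } | Select-Object -ExpandProperty IdentityReference -Unique
    foreach ($h in $holders) { $findings += "Replication right granted to $h (expect DCs and Domain Admins only)" }

    # 2. LDAP signing and channel binding (NTDS parameters; 2 = required / always).
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    if ($ntds.LDAPServerIntegrity -ne 2)       { $findings += 'LDAP signing not required (LDAPServerIntegrity != 2)' }
    if ($ntds.LdapEnforceChannelBinding -ne 2) { $findings += 'LDAP channel binding not enforced (LdapEnforceChannelBinding != 2)' }

    # 4. Extended Protection for Authentication on the EWS virtual directory.
    #    Assumption: default site name and EWS path; adjust for your layout.
    try {
        $epa = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\EWS' `
            -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'extendedProtection'
        if ($epa.tokenChecking -ne 'Require') { $findings += "EPA on EWS is '$($epa.tokenChecking)', not Require" }
    } catch { $findings += 'Could not read EWS IIS config (needs WebAdministration on an Exchange server)' }

    # 5. SMB signing enforced on this host.
    if (-not (Get-SmbServerConfiguration).RequireSecuritySigning) { $findings += 'SMB signing not required on this host' }

    if ($findings.Count -eq 0) { 'No gaps found in the checks above' } else { $findings }
}

Test-PrivExchangeHardening
```

A replication-right holder other than the domain controllers' computer accounts and the built-in administrative groups is worth investigating even after the Exchange permissions are reduced, since a successful run of the attack leaves exactly that kind of grant behind.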

Microsoft released the following statement regarding Mollema’s findings:

“Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible,” a Microsoft spokesperson said. “Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month.”

Microsoft released an update on February 12, 2019.

With the release of an update, the best practice is to deploy Microsoft’s February 2019 Exchange Update, or a newer version. Mollema’s recommendations remain good practice for overall system hardening.

deepwatch will provide additional information to protect its customers and others if and when it becomes available.

Supporting Information

  • http://www.freerepublic.com/focus/f-chat/3722731/posts
  • https://technewstube.com/the-register/1073824/youre-an-admin-youre-an-admin-youre-all-admins-thanks-to-this-microsoft-exchange-zero-day-and-/
  • https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

Kate Boucher

Kate Boucher is a deepwatch vulnerability management engineer. She has worked in cybersecurity for 10 years with a focus on technical support and program management for 5 of those years. Running marathons, practicing yoga and teaching her sons how to cook are her favorite hobbies.
