MS Exchange Privilege Escalation Attack

By

Security researcher Dirk-jan Mollema published Exchange 0-day POC code which demonstrates that it’s vulnerable to privilege escalation. There’s no patch, but Mollema has shared 5 mitigation recommendations.

Overview

On January 24, 2019, security researcher Dirk-jan Mollema, of Fox-IT in the Netherlands, published proof-of-concept code and published an explanation of an attack on Microsoft Exchange on his blog. It was assigned CVE-2019-0686.

Mollema explained that the attack can be performed on Exchange, which appears to be vulnerable to a privilege escalation attack allowing any user to become a Domain Administrator through API calls.

Microsoft released updates to fix CVE-2019-0686 on February 12, 2019 as part of its regular Patch Tuesday cycle.

Technical Overview

According to Mollema the issue resides in that Exchange has high privileges by default in Active Directory. Due to the high privileges that Exchange has by default, Mollema was able to build proof-of-concept code that showed the Exchange Windows Permissions having WriteDaCl access allowing users to modify the domain privileges that could allow them synchronize hashed passwords of Active Directory through a Domain Controller Operation. Once an attacker has access to these hashed passwords, they are then able to impersonate users and authenticate to any service utilizing NTLM or Kerberos in the domain.

The attack itself has been built into two Python scripts, privexchange.py and ntlmrelayx.py, available on Mollema’s GitHub page. To start the attack, an the attacker would start the ntlmrelayx script in relay mode with LDAP on a Domain Controller and would need to supply user data, under the control of the attacker, to escalate privileges. Once the attacker is able to connect to the Domain Controller, the attacker would then run the privexchange script against a user who has a mailbox associated with them. If the attacker runs the attack against a user without a mailbox, the attack fails. The attacker can simply try again until the attacker gets successful authentication.

Once the attacker receives an “API call was successful” message, the script would wait a specified amount of time before sending across connection notifications to ntlmrelayx, giving the attacker DCSync privileges. Upon gaining this level of access, the attacker could then dump password hashes or other information and use the information to gain further footholds into the organization.

This attack has been fully verified on Windows 2016 DC, and Exchange 2016 (CU11), and relayed to a Server 2019 DC.

Potential Impact

A user with a mailbox could potentially obtain Domain Administrator rights, exposing the entire network to third party attacks or allow an attacker to dump out password hashes and create golden tickets in order to impersonate any user to gain access through NTLM or Kerberos authentication on the domain.

What You Should Do

Mollema recommends the following best practices to help safeguard networks against this threat until a patch is released:

  • Reduce Exchange privileges on the Domain object
  • Enable LDAP signing and channel binding
  • Block Exchange servers from connecting to arbitrary ports
  • Enable Extended Protection for Authentication on Exchange endpoints in IIS
  • Remove the registry key that allows relaying; and enforcing SMB signing

Microsoft released the following statement regarding Mollema’s findings:

“Microsoft has a strong commitment to security and a demonstrated track record of investigating and proactively updating impacted devices as soon as possible,” a Microsoft spokesperson said. “Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month.”

Microsoft released an update on February 12, 2019.

With the release of an update, the best practice is to deploy Microsoft’s February 2019 Exchange Update, or a newer version. Mollema’s recommendations remain good practice for overall system hardening.

deepwatch will provide additional information to protect its customers and others if and when it becomes available.

Supporting Information

Subscribe to the deepwatch Insider Blog