Privilege escalation vulnerability uncovered in Microsoft Exchange

A researcher has discovered an alarming way that an attacker controlling a Microsoft Exchange mailbox account could potentially elevate their privileges to become a Domain Administrator.

The consequences of this would be devastating, but according to Dirk-jan Mollema of Dutch company Fox-IT, it can be achieved by combining three separate weaknesses in some configurations of Exchange into a single attack.

The first issue, writes Mollema, is that by default, members of the Exchange Windows Permissions group have the ability to modify advanced privileges on the Domain object in Active Directory (AD):

Users or computers with this privilege can perform synchronization operations that are normally used by Domain Controllers to replicate, which allows attackers to synchronize all the hashed passwords of users in the Active Directory.

That makes Exchange a choice target for an attacker looking to take control of the Domain Admin account – but how to achieve this?

One well-understood possibility is through a relay attack against Microsoft’s aged NTLM authentication protocol (encapsulated inside SMB or HTTP/S) to steal an Exchange user’s credentials.

To simplify, the attacker infects the user’s computer, relays the user’s credentials, and impersonates that user on the Exchange server without setting off any alarms.

There is a limitation, however – the attacker’s machine that sets up the relay must be on the same network.

Mollema then noticed that another researcher had discovered how Exchange could be made to authenticate to an arbitrary URL over HTTP using the Exchange PushSubscription feature, a version of the so-called ‘reflection attack’.

Integrating this with the relay attack already mentioned could bridge a remote attacker to the Exchange server, giving them a path to the Domain admin prize.

It might even be possible to do this without credentials:

If we perform an SMB to HTTP (or HTTP to HTTP) relay attack (using LLMNR/NBNS/mitm6 spoofing) we can relay the authentication of a user in the same network segment to Exchange EWS and use their credentials to trigger the callback.

Mollema has released proof-of-concept tools, called PrivExchange, which demonstrate the attack against the following fully patched versions of Exchange:

  • Exchange 2013 on Server 2012R2, relayed to a Server 2016 DC
  • Exchange 2016 on Server 2016, relayed to a Server 2019 DC
  • Exchange 2019 on Server 2019, relayed to a Server 2019 DC

Exchange 2010 SP3 seemed not to be affected, said Mollema.

While the vulnerability described by Mollema has a lot of moving parts, the only current fixes involve configuration tweaks.

Mitigations include removing Exchange’s Domain object privileges where possible, stopping Exchange servers from connecting to computers on arbitrary ports, and implementing Microsoft’s November mitigation for the privilege elevation flaw covered by CVE-2018-8581.
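Before removing Exchange’s Domain object privileges, it helps to see which principals actually hold them. The PowerShell below is an added example, not code from the article or from Mollema: it lists Allow ACEs on the domain object that grant the right to modify its ACL (WriteDacl) or the replication rights described above. It assumes the RSAT ActiveDirectory module is installed; the function name Get-DomainObjectRiskyAce is hypothetical.

```powershell
# Added example (not from the article): list principals holding risky rights
# on the domain object. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Extended-right GUIDs that together permit directory replication.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

# Hypothetical helper name; returns one object per risky Allow ACE.
function Get-DomainObjectRiskyAce {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    foreach ($ace in (Get-Acl -Path "AD:\$DomainDN").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $guid    = $ace.ObjectType.ToString()
        $finding = $null
        if ($ace.ActiveDirectoryRights.HasFlag($ADR::WriteDacl)) {
            # Also true for GenericAll, which includes WriteDacl.
            $finding = 'WriteDacl: can grant itself replication rights'
        }
        elseif ($ace.ActiveDirectoryRights.HasFlag($ADR::ExtendedRight)) {
            if ($ace.ObjectType -eq [guid]::Empty) {
                $finding = 'All extended rights (includes replication)'
            }
            elseif ($ReplicationRights.ContainsKey($guid)) {
                $finding = $ReplicationRights[$guid]
            }
        }
        if ($finding) {
            [pscustomobject]@{
                Principal   = $ace.IdentityReference.Value
                Finding     = $finding
                Inherited   = $ace.IsInherited
                # 'Descendents'/'Children' ACEs do not apply to the domain object itself.
                AppliesTo   = $ace.InheritanceType
                ExchangeAce = $ace.IdentityReference.Value -like '*Exchange Windows Permissions'
            }
        }
    }
}

Get-DomainObjectRiskyAce | Sort-Object ExchangeAce -Descending | Format-Table -AutoSize
```

Rows where ExchangeAce is True and AppliesTo is All or None are the ones the mitigation targets; any unexpected non-Exchange principal with replication rights deserves separate review.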