Microsoft Exchange 2013 0day “PrivExchange”

Overview

A vulnerability has been discovered in Microsoft Exchange 2013 which could allow for privilege escalation. Microsoft Exchange is a mail server developed for Microsoft Windows. Successful exploitation of this vulnerability could allow for privilege escalation to the Domain Admin account by compromising any user with a mailbox on the server. Access to the Domain Admin account could allow an attacker to perform a variety of malicious actions, including the ability to implement backdoor accounts on the system.

Threat Intelligence

A proof-of-concept exploit has been developed and published by the researchers who discovered this vulnerability. At this time the Masergy Threat Intelligence team is not aware of this exploit being utilized in the wild; however, we will continue to monitor the situation.

Systems Affected

Microsoft Exchange 2013 and newer

Technical Summary

According to the researcher (Dirk-jan Mollema) this zero-day isn’t a new vulnerability but rather a technique of applying known vulnerabilities and protocol weaknesses in a new attack. According to Mollema, using the following three components allows the escalation of any user with a mailbox to Domain Admin access:

  • Exchange servers have too high of privileges assigned by default, including write access to the Domain Object in Active Directory.
  • NTLM authentication is vulnerable to relay attacks because the Exchange server does not set the Sign and Seal flags on NTLM operations, which can allow an attacker to obtain the server’s NTLM hash.
  • A feature in Exchange Web Services (EWS) can allow attackers to trick the Exchange server into authenticating to an attacker-controlled URL over HTTP.

Successful exploitation of this vulnerability could allow for privilege escalation to the Domain Admin account. Access to the Domain Admin account could allow an attacker to perform a series of malicious actions, including the ability to implement backdoor accounts on the system. Even if the attacker does not have credentials, it is still possible to trigger Exchange to authenticate to an attacker-controlled URL by performing an SMB to HTTP relay attack.
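The chain above ends with the Exchange server's own machine credential being relayed to a domain controller from a host that is not an Exchange server. As an added example (not part of this advisory or of the referenced research), the following Python script shows one way a defender could hunt for that step in domain controller logon events: an Exchange computer account logging on over NTLM (network logon, type 3) from an address outside the Exchange servers' own subnet. The field names follow Windows security event 4624; the log lines, the Exchange computer-account names and the Exchange subnet are constructed assumptions.

```python
"""Hunt for Exchange machine-account NTLM logons that originate from a host
other than an Exchange server, which is consistent with a relayed credential.
Added example; the events below are constructed, not real log data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List


@dataclass(frozen=True)
class LogonEvent:
    """The few event 4624 fields the check needs (the real event has many more)."""
    account: str        # TargetUserName, e.g. "EXCH01$" for a computer account
    logon_type: int     # LogonType; 3 = network logon
    auth_package: str   # AuthenticationPackageName: "NTLM" or "Kerberos"
    source_ip: str      # IpAddress of the client that presented the credential
    target_host: str    # Computer that recorded the event, e.g. a domain controller


# Assumption: the defender maintains the list of Exchange computer accounts and
# the address ranges those servers legitimately connect from.
EXCHANGE_ACCOUNTS = {"EXCH01$", "EXCH02$"}
EXCHANGE_NETWORKS = [ip_network("10.0.5.0/24")]

# Constructed sample log lines in a flat key=value layout; the field names are
# those of Windows event 4624, the values are invented for this example.
SAMPLE_LOG = """\
EventID=4624 Computer=DC01 TargetUserName=EXCH01$ LogonType=3 AuthenticationPackageName=Kerberos IpAddress=10.0.5.10
EventID=4624 Computer=DC01 TargetUserName=EXCH01$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.5.10
EventID=4624 Computer=DC01 TargetUserName=alice LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.20.15
EventID=4624 Computer=DC01 TargetUserName=EXCH01$ LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.0.20.15
"""


def parse_event(line: str) -> LogonEvent:
    """Turn one key=value log line into a LogonEvent."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return LogonEvent(
        account=fields["TargetUserName"],
        logon_type=int(fields["LogonType"]),
        auth_package=fields["AuthenticationPackageName"],
        source_ip=fields["IpAddress"],
        target_host=fields["Computer"],
    )


def parse_log(text: str) -> List[LogonEvent]:
    return [parse_event(ln) for ln in text.splitlines() if ln.strip()]


def from_exchange_network(ip: str) -> bool:
    """True when the address lies inside a known Exchange server range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # placeholders such as "-" never match a known range
    return any(addr in net for net in EXCHANGE_NETWORKS)


def suspicious_relays(events: Iterable[LogonEvent]) -> List[LogonEvent]:
    """Return Exchange machine-account NTLM network logons whose source address
    is not an Exchange server. Kerberos logons are ignored because the relay
    described in the advisory works on NTLM authentication."""
    hits = []
    for ev in events:
        if ev.account.upper() not in EXCHANGE_ACCOUNTS:
            continue
        if ev.logon_type != 3 or ev.auth_package.upper() != "NTLM":
            continue
        if from_exchange_network(ev.source_ip):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in suspicious_relays(parse_log(SAMPLE_LOG)):
        print(f"[!] {hit.account} authenticated via NTLM to {hit.target_host} "
              f"from {hit.source_ip}, which is not an Exchange server address")
```

In the constructed sample only the last line is reported: the Kerberos logon and the NTLM logon from the Exchange subnet are normal, and the user logon is outside the check's scope. In a real deployment the same logic would be fed from the domain controllers' security logs, and the Exchange account and subnet lists would come from inventory rather than constants.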

Recommendations

We recommend the following actions be taken:

  • Consider implementing mitigation workarounds found at the reference links below.
  • Apply appropriate patches provided by Microsoft, once available, after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services.

Patches

We are not aware of a vendor patch being available at this time. We recommend following any future guidance provided by Microsoft.

References

Proof of Concept:

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin

Carnegie Mellon CERT:

https://kb.cert.org/vuls/id/465632/
