A vulnerability has been disclosed in Microsoft Exchange (2013 and newer) which could allow for privilege escalation. Microsoft Exchange is a mail server developed for Microsoft Windows. Successful exploitation could allow an attacker who controls any account with a mailbox on the server to escalate to Domain Admin. Access to a Domain Admin account could allow an attacker to perform a variety of malicious actions, including the ability to implement backdoor accounts in the domain.
A proof-of-concept exploit has been developed and published by the researcher who discovered this attack. At this time the Masergy Threat Intelligence team is not aware of this exploit being utilized in the wild; however, we will continue to monitor the situation.
Affected Systems: Microsoft Exchange 2013 and newer
According to the researcher (Dirk-jan Mollema), this is not a new vulnerability but rather a new way of chaining known weaknesses in default privileges and in the NTLM protocol into a single attack. According to Mollema, the following three components together allow any user with a mailbox to be escalated to Domain Admin:
- Exchange servers are granted excessive privileges by default: the Exchange Windows Permissions group holds WriteDACL on the Domain object in Active Directory. Whoever can act as the Exchange server can therefore rewrite the domain's permissions, for example to grant an account the directory replication rights needed to dump every password hash in the domain, which is equivalent to Domain Admin.
- NTLM authentication is vulnerable to relay attacks. The Exchange server authenticates over HTTP without the NTLM Sign and Seal flags, so an attacker who receives that authentication does not obtain a hash to crack but can relay it live to another service, such as LDAP on a domain controller (unless LDAP signing is enforced), and act there as the Exchange server's computer account.
- A feature in Exchange Web Services (EWS), the PushSubscription API, lets any authenticated mailbox user ask the Exchange server to send notifications to an arbitrary URL. The attacker supplies an HTTP URL they control, which makes the Exchange server authenticate to it with NTLM as its computer account.
Successful exploitation of this vulnerability allows privilege escalation to Domain Admin, with which an attacker could perform a series of malicious actions including the ability to implement backdoor accounts in the domain. Even an attacker who does not have any credentials can still trigger Exchange to authenticate to an attacker-controlled URL by performing an SMB-to-HTTP relay attack: an NTLM authentication captured over SMB from any domain user is relayed to the Exchange EWS endpoint over HTTP, and that relayed session is used to invoke the EWS feature described above on the victim's behalf.
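The relay described above leaves a trace on the domain controller: the Exchange server's computer account (for example EXCHANGE01$) performs an NTLM network logon from the attacker's relay host rather than from the Exchange server's own address. The following detection is an added example written for this advisory; it is not part of the researcher's proof of concept or of any Microsoft guidance. The account name, addresses and sample events are constructed assumptions and must be replaced with your own inventory.

```powershell
# Added example (not from the advisory or the researcher's tooling): flag NTLM network
# logons of an Exchange computer account that originate from an address that is not one
# of the known Exchange servers. In the relay, the DC records a 4624 (LogonType 3,
# AuthenticationPackageName NTLM) for EXCHANGE01$ whose IpAddress is the relay host.
# Host names and addresses below are assumptions; fill $ExchangeHosts from your inventory.

function Find-SuspiciousExchangeLogons {
    param(
        # Exchange computer account name -> one or more addresses it legitimately uses
        [Parameter(Mandatory)] [hashtable] $ExchangeHosts,
        # Objects carrying TimeCreated, TargetUserName, LogonType, AuthenticationPackageName, IpAddress
        [Parameter(Mandatory)] [object[]]  $Events
    )
    foreach ($e in $Events) {
        $account = ([string]$e.TargetUserName).ToUpperInvariant()
        if (-not $ExchangeHosts.ContainsKey($account)) { continue }           # only Exchange machine accounts
        if ([int]$e.LogonType -ne 3) { continue }                              # network logon (LDAP, SMB, HTTP)
        if ($e.AuthenticationPackageName -ne 'NTLM') { continue }              # relay abuses NTLM, not Kerberos
        if (@($ExchangeHosts[$account]) -contains $e.IpAddress) { continue }  # expected source address
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Account  = $account
            SourceIp = $e.IpAddress
            Expected = (@($ExchangeHosts[$account]) -join ', ')
        }
    }
}

# Read 4624 events from the live Security log of the machine this runs on (a domain
# controller) and project only the fields the detection needs.
function Get-NetworkLogonEvents {
    param([datetime] $Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated               = $_.TimeCreated
                TargetUserName            = $d['TargetUserName']
                LogonType                 = [int]$d['LogonType']
                AuthenticationPackageName = $d['AuthenticationPackageName']
                IpAddress                 = $d['IpAddress']
            }
        }
}

# Constructed sample events (not real log data) so the logic can be tried without a DC.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2019-01-25 10:01'; TargetUserName = 'EXCHANGE01$'; LogonType = 3; AuthenticationPackageName = 'NTLM'; IpAddress = '10.0.0.5' }   # normal
    [pscustomobject]@{ TimeCreated = '2019-01-25 10:02'; TargetUserName = 'EXCHANGE01$'; LogonType = 3; AuthenticationPackageName = 'NTLM'; IpAddress = '10.0.0.77' }  # relay host
    [pscustomobject]@{ TimeCreated = '2019-01-25 10:03'; TargetUserName = 'alice';       LogonType = 3; AuthenticationPackageName = 'NTLM'; IpAddress = '10.0.0.77' }  # not a machine account
)
# Only the second event is reported: EXCHANGE01$ authenticating from 10.0.0.77.
Find-SuspiciousExchangeLogons -ExchangeHosts @{ 'EXCHANGE01$' = '10.0.0.5' } -Events $sample | Format-Table

# Live use on a domain controller:
# Find-SuspiciousExchangeLogons -ExchangeHosts @{ 'EXCHANGE01$' = @('10.0.0.5', '10.0.1.5') } -Events (Get-NetworkLogonEvents)
```

List every address an Exchange server can source traffic from (multiple NICs, DAG networks, load balancers that do not preserve the client address) to avoid false positives, and run the check on every domain controller, since the relay target decides which DC logs the event.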
We recommend the following actions be taken:
- Consider implementing the mitigation workarounds described at the reference links below. The researcher's write-up recommends: removing the Exchange Windows Permissions group's write access (WriteDACL) on the Domain object; enabling LDAP signing and LDAP channel binding on domain controllers so that relayed authentication is rejected by LDAP and LDAPS respectively; enabling Extended Protection for Authentication on the Exchange front-end endpoints in IIS (but not on the Exchange Back End ports, which would break Exchange); enforcing SMB signing on Exchange servers and, preferably, on all other hosts in the domain; blocking Exchange servers from initiating connections to workstations on arbitrary ports; and removing the registry key that disables the loopback check on Exchange servers.
- Apply appropriate patches provided by Microsoft, once available, after appropriate testing.
- Apply the Principle of Least Privilege to all systems and services.
We are not aware of a vendor patch being available at this time. We recommend following any future guidance provided by Microsoft.
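To check whether the preconditions of this attack chain are present in your own environment, the following audit script is added here as an example; it is not from the advisory, the researcher or Microsoft. It assumes the ActiveDirectory module (RSAT) is installed, that the caller can read the domain object's ACL, and that the registry checks are run on the host they concern (the LDAP checks on a domain controller, the SMB and loopback checks on an Exchange server). The function names are the example's own.

```powershell
# Added example (not from the advisory or from Microsoft): audit, and optionally remove,
# the conditions the attack chain depends on, following the mitigations in the
# researcher's write-up. Requires the ActiveDirectory module and rights to read the
# domain object's ACL. Registry checks apply to the machine the script runs on.
Import-Module ActiveDirectory

# 1. Which Exchange groups hold WriteDacl (or GenericAll) on the domain object itself?
function Select-ExchangeWriteDaclAce {
    param([Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectorySecurity] $Acl)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Exchange Windows Permissions|Exchange Trusted Subsystem' -and
        $_.ActiveDirectoryRights -match 'WriteDacl|GenericAll'
    }
}

function Get-ExchangeDomainWriteDacl {
    $domainDn = (Get-ADDomain).DistinguishedName
    Select-ExchangeWriteDaclAce -Acl (Get-Acl -Path "AD:\$domainDn")
}

# Remove those entries. Supports -WhatIf; this edits the domain ACL, so test it in a lab
# and confirm your Exchange version still functions without the right before running it.
function Remove-ExchangeDomainWriteDacl {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $domainDn = (Get-ADDomain).DistinguishedName
    $path = "AD:\$domainDn"
    $acl = Get-Acl -Path $path
    $targets = @(Select-ExchangeWriteDaclAce -Acl $acl)
    if ($targets.Count -eq 0) { Write-Output 'No Exchange WriteDacl entries on the domain object.'; return }
    foreach ($ace in $targets) {
        if ($PSCmdlet.ShouldProcess($domainDn, "Remove $($ace.ActiveDirectoryRights) for $($ace.IdentityReference)")) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -Path $path -AclObject $acl   # honours -WhatIf through $WhatIfPreference
}

# 2. Does this domain controller require LDAP signing and channel binding? Relay to LDAP
#    succeeds while LDAPServerIntegrity is below 2 (2 = require signing); relay to LDAPS
#    succeeds while LdapEnforceChannelBinding is below 2 (2 = always enforce).
#    A missing value is read as 0, i.e. not enforced.
function Test-LdapRelayProtection {
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    [pscustomobject]@{
        LdapSigningRequired    = ([int]$p.LDAPServerIntegrity -eq 2)
        ChannelBindingEnforced = ([int]$p.LdapEnforceChannelBinding -eq 2)
    }
}

# 3. On an Exchange server: is SMB signing required (so NTLM authentication cannot be
#    relayed to this host's SMB service), and is the loopback check still enabled
#    (DisableLoopbackCheck = 1 allows an authentication to be relayed back to the server)?
function Test-ExchangeHostHardening {
    $smb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        SmbSigningRequired   = ([int]$smb.RequireSecuritySignature -eq 1)
        LoopbackCheckEnabled = ([int]$lsa.DisableLoopbackCheck -ne 1)
    }
}

# Report. Any WriteDacl entry listed, or any $false below, means a link of the chain is open.
Get-ExchangeDomainWriteDacl | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
Test-LdapRelayProtection
Test-ExchangeHostHardening
# After testing: Remove-ExchangeDomainWriteDacl -WhatIf, then Remove-ExchangeDomainWriteDacl
```

Removing the ACE closes the escalation from "Exchange computer account" to Domain Admin, but it does not stop the relay itself; LDAP signing and channel binding on every domain controller are what make the relayed authentication useless, so treat the two as complementary rather than alternatives.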
Proof of Concept:
Carnegie Mellon CERT: