News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Microsoft Exchange 0day exploit code published

    Posted on January 25th, 2019 at 14:33 woody Comment on the AskWoody Lounge

    According to Thomas Claburn at The Reg:

    Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Admin.

    Claburn goes on to reference Dirk-jan Mollema’s proof of concept post:

    This blog combines a few known vulnerabilities and known protocol weaknesses into a new attack. There are 3 components which are combined to escalate from any user with a mailbox to Domain Admin access:

    • Exchange Servers have (too) high privileges by default
    • NTLM authentication is vulnerable to relay attacks
    • Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server

    Here’s where it gets thick. Er. Mollema claims his method allows an “attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange.”

    Microsoft, however, has apparently weighed in on the elevation of privilege bug in CVE-2018-8581:

    To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.

    And there’s the rub. The headlines make it sound like anybody with an Exchange mailbox can become a Domain Admin. The Microsoft CVE report (which, I assume, relates to the same bug) says that a man-in-the-middle attack is necessary.

    Big difference.

    Anybody know the details?