News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon

  • Microsoft Exchange 0day exploit code published

    Posted on woody Comment on the AskWoody Lounge

    Home Forums AskWoody blog Microsoft Exchange 0day exploit code published

    Tagged: ,

    This topic contains 15 replies, has 8 voices, and was last updated by

     b 1 week, 4 days ago.

    • Author
      Posts
    • January 25, 2019 at 2:33 pm #316600 Reply

      woody
      Da Boss

      According to Thomas Claburn at The Reg: Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user wi
      [See the full post at: Microsoft Exchange 0day exploit code published]

      4 users thanked author for this post.
      ch100,
      rontpxz81,
      abbodi86,
      PhotM
    • January 25, 2019 at 2:56 pm #316604 Reply

      anonymous

      Read the Mollema article? There is a lot of info there?

    • January 25, 2019 at 3:02 pm #316607 Reply

      Mr. Natural
      AskWoody Plus

      I wonder if this could be related to the O365 outage in Europe? They were saying domain controllers were causing the outages.

      Red Ruffnsore reporting from the front lines.

      1 user thanked author for this post.
      NetDef
      • January 25, 2019 at 3:40 pm #316612 Reply

        NetDef
        AskWoody_MVP

        My first thought as well, although we may never know.

         

        Makes me very glad my last self-hosted Exchange server was retired last year.  They were always very high maintenance (I supported pretty much every version from v.4.0 through v.2013 . . . )

        Now that they are all on O365 or GMail all I have to worry about is whether/when they get compromised and my users impersonated.

        Oh, wait . . .

         

        :O

        ~ Group "Weekend" ~

        2 users thanked author for this post.
        ch100,
        PKCano
    • January 25, 2019 at 6:14 pm #316636 Reply

      b
      AskWoody Plus

      Despite Microsoft’s CVE-2018-8581 saying “no mitigations or workarounds”, the FAQ has a single command to delete a registry value on the Exchange Server: “The vulnerability described by CVE-2018-8581 is unexploitable if the DisableLoopbackCheck registry value is removed.“, which is acknowledged by the exploit author in his list of seven alternative mitigations (and appears to be the only forthcoming fix anyway).

      So the exploit seems tricky to implement and easy to prevent. Theoretical rather than practical? (Of course, potential escalation to Domain Admin should not be trivialized.)

      Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

      2 users thanked author for this post.
      ch100,
      AlexEiffel
      • January 25, 2019 at 9:57 pm #316685 Reply

        woody
        Da Boss

        That’s what the CVE says… and it’s partially backed up by a phrase in the Mollema article.

        I still haven’t figured out, tho, if it requires a MITM attack. Those are relatively hard to come by.

        • January 26, 2019 at 10:33 am #316770 Reply

          b
          AskWoody Plus

          When Microsoft first published the CVE 10 weeks ago, the original proof-of-concept involved a domain user being able to intercept any other user’s email:

          Impersonating Users on Microsoft Exchange

          This week’s Mollema article and new proof-of-concept extends beyond Exchange to gain Domain Admin rights, but deleting the same registry value is the fix for both aspects.

          Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

          2 users thanked author for this post.
          woody,
          Elly
          • January 29, 2019 at 4:05 am #317758 Reply

            anonymous

            This is incorrect. Removing the registry key only prevents attackers from sending authentication back to the Exchange server (reflection attack), it does not prevent sending the authentication that Exchange performs to a Domain Controller (relay attack).

            The other mitigations should be applied to prevent the relay attack from working.

            A mitm position is not required to perform the attack.

            2 users thanked author for this post.
            woody,
            b
            • January 29, 2019 at 7:01 am #317837 Reply

              b
              AskWoody Plus

              Thanks for the correction. I thought I had understood the tangled web.

              I now realize that Microsoft’s CVE-2018-8581 has not been updated since the Domain Controller attack was published.

              And the PowerShell script fix to protect Domain Admin rights was confirmed yesterday by DHS/CERT:
              VU#465632

              Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

              3 users thanked author for this post.
              NetDef,
              Elly,
              woody
    • January 26, 2019 at 11:59 am #316788 Reply

      gborn
      AskWoody_MVP
      Mr. Natural wrote:

      I wonder if this could be related to the O365 outage in Europe? They were saying domain controllers were causing the outages.

      I don’t think so – the office365.com Exchange Online outage seems to be a broken load balancing issue in Domain Controller (not a hack, see my today article)

      The vulnerability CVE-2018-8581 has been known since Nov. 2018 – see my blog post

      https://borncity.com/win/2018/11/20/vulnerability-in-exchange-server-2010-2019/

      The only thing that’s new is the fact, that a Proof of Concept is now public.

      • This reply was modified 3 weeks ago by
         gborn.
      1 user thanked author for this post.
      Mr. Natural
    • January 27, 2019 at 10:51 am #316986 Reply

      rontpxz81
      AskWoody Lounger

      Forgive my ignorance, but does this effect Outllook?

      • January 27, 2019 at 12:32 pm #317008 Reply

        b
        AskWoody Plus
        rontpxz81 wrote:

        Forgive my ignorance, but does this effect Outlook?

        Not really, although Outlook Web Access is used as part of the published mailbox hijacking attack.

        If your Outlook connects to a company or school Exchange server, it’s for an Exchange Admin to fix, patch or check registry settings; as in that case your emails could theoretically get diverted to someone else’s mailbox.

        Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

        2 users thanked author for this post.
        Elly,
        columbia2011
    • January 28, 2019 at 4:34 am #317175 Reply

      Aviel
      AskWoody Lounger

      If domain admins members have no mailboxes, can the forces of evil still use this to steal their powers?

      • January 28, 2019 at 8:19 am #317255 Reply

        Mr. Natural
        AskWoody Plus

        Magic 8 ball says yes.

        Red Ruffnsore reporting from the front lines.

        Attachments:
        You must be logged in to view attached files.
    • January 28, 2019 at 11:55 pm #317734 Reply

      b
      AskWoody Plus

      U.S. Department of Homeland Security issued a vulnerability notification;
      CERT/CC Reports Microsoft Exchange 2013 and Newer are Vulnerable to NTLM Relay Attacks

      which links to CERT Coordination Center (CERT/CC) Vulnerability Note VU#465632;
      Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks

      which provides a concise description of the issue and workarounds for Exchange Server or Domain Controller, along with;

      Impact

      An attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user’s password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as the Exchange server.

      Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

      1 user thanked author for this post.
      columbia2011
    • February 5, 2019 at 10:44 pm #321983 Reply

      b
      AskWoody Plus

      New mitigations and workarounds:

      ADV190007 | Guidance for “PrivExchange” Elevation of Privilege Vulnerability
      Security Advisory
      Published: 02/05/2019

      A planned update is in development.

      Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

      3 users thanked author for this post.
      woody,
      columbia2011,
      Kirsty
    • Author
      Posts

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Microsoft Exchange 0day exploit code published

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.

Welcome to our unique respite from the madness.
It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced.

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.

Recent Replies

February 2019
M T W T F S S
« Jan    
 123
45678910
11121314151617
18192021222324
25262728  

Forums

Topics

AskWoody blog
5304
AskWoody Central
145
Suggestions about improvi
104
Tips for using the Lounge
30
Getting started
3
Outside the box
159
Rants
65
Fun Stuff
52
Learn to code
6
Travel
4
Rumors and what-ifs
26
The Junk Drawer
4
AskWoody support
1665
Windows
1193
Windows 10
569
Questions: Win10
259
Windows 10 beta builds
33
Windows 10 cumulative upd
10
Windows 10 version 1511 -
2
Windows 10 version 1703 -
32
Windows 10 version 1709 -
45
Windows 10 version 1607 -
5
Windows 10 version 1803 -
66
Windows 10 version 1809 -
29
Windows 8.1
55
Questions: Win 8.1 (and W
29
Windows 8.1 (and Win 8) p
17
Windows 7
451
Questions: Windows 7
273
Windows 7 patches
129
Windows Vista, XP and ear
10
Questions: Vista, XP back
2
Questions: Windows Mobile
4
Microsoft Office by versi
108
Questions: Microsoft Offi
25
Office 365 and Click-to-R
31
Office 2010 and earlier f
15
Office 2016 for PC
8
Office 2013 for PC
6
Office 2019 for PC
1
PC hardware
52
Questions: Microsoft Surf
7
Questions: What hardware
11
Questions: How to trouble
7
Questions - Maintenance a
1
Connected home / Internet
34
Questions: Amazon Echo/Al
3
Questions: Google Home
2
Questions: Microsoft Inte
2
Questions: Other home/IoT
15
Other platforms - for Win
153
Linux for Windows wonks
80
macOS for Windows wonks
31
iOS for Windows wonks
5
Android for Windows wonks
14
Chromebooks and ChromeOS
17
Questions: Browsers and d
120
Updates for browsers, app
34
Internet Explorer and Edg
0
Other browsers
1
Other desktop and Microso
0
Productivity software by
4
Word processing help
0
Spreadsheet help
0
Database help
0
Presentation apps
0
Email programs
3
Graphics and Multimedia p
1
Visual Basic for Applicat
0
Other MS apps
0
Knowledge Base
37
Tools
84
Code Red - Security/Privacy ad
194
Developers, developers, develo
32
Other MS software - .NET,
17
DevOps Lounge
12
Web design and developmen
0
Admin IT Lounge
117
WSUS, SCCM, Exchange and
31
Managing updates in organ
2
Application servers - Exc
0
Tech Accessibility
17
Testing Forum
3
Networking - routers, firewall
1
Social media - Tools, Configur
0
Powered by WordPress
Theme designed by My Mobiles, modifications by PapayaSoft