News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Microsoft Exchange 0day exploit code published

    Home Forums AskWoody blog Microsoft Exchange 0day exploit code published

    Viewing 8 reply threads
    • Author
      Posts
      • #316600 Reply
        woody
        Da Boss

        According to Thomas Claburn at The Reg: Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user wi
        [See the full post at: Microsoft Exchange 0day exploit code published]

        4 users thanked author for this post.
      • #316604 Reply
        anonymous
        Guest

        Read the Mollema article? There is a lot of info there?

      • #316607 Reply
        Mr. Natural
        AskWoody Plus

        I wonder if this could be related to the O365 outage in Europe? They were saying domain controllers were causing the outages.

        Red Ruffnsore

        1 user thanked author for this post.
        • #316612 Reply
          NetDef
          AskWoody_MVP

          My first thought as well, although we may never know.

           

          Makes me very glad my last self-hosted Exchange server was retired last year.  They were always very high maintenance (I supported pretty much every version from v.4.0 through v.2013 . . . )

          Now that they are all on O365 or GMail all I have to worry about is whether/when they get compromised and my users impersonated.

          Oh, wait . . .

           

          :O

          ~ Group "Weekend" ~

          2 users thanked author for this post.
      • #316636 Reply
        b
        AskWoody Plus

        Despite Microsoft’s CVE-2018-8581 saying “no mitigations or workarounds”, the FAQ has a single command to delete a registry value on the Exchange Server: “The vulnerability described by CVE-2018-8581 is unexploitable if the DisableLoopbackCheck registry value is removed.“, which is acknowledged by the exploit author in his list of seven alternative mitigations (and appears to be the only forthcoming fix anyway).

        So the exploit seems tricky to implement and easy to prevent. Theoretical rather than practical? (Of course, potential escalation to Domain Admin should not be trivialized.)

        2 users thanked author for this post.
        • #316685 Reply
          woody
          Da Boss

          That’s what the CVE says… and it’s partially backed up by a phrase in the Mollema article.

          I still haven’t figured out, tho, if it requires a MITM attack. Those are relatively hard to come by.

          • #316770 Reply
            b
            AskWoody Plus

            When Microsoft first published the CVE 10 weeks ago, the original proof-of-concept involved a domain user being able to intercept any other user’s email:

            Impersonating Users on Microsoft Exchange

            This week’s Mollema article and new proof-of-concept extends beyond Exchange to gain Domain Admin rights, but deleting the same registry value is the fix for both aspects.

            2 users thanked author for this post.
            • #317758 Reply
              anonymous
              Guest

              This is incorrect. Removing the registry key only prevents attackers from sending authentication back to the Exchange server (reflection attack), it does not prevent sending the authentication that Exchange performs to a Domain Controller (relay attack).

              The other mitigations should be applied to prevent the relay attack from working.

              A mitm position is not required to perform the attack.

              2 users thanked author for this post.
              woody, b
              • #317837 Reply
                b
                AskWoody Plus

                Thanks for the correction. I thought I had understood the tangled web.

                I now realize that Microsoft’s CVE-2018-8581 has not been updated since the Domain Controller attack was published.

                And the PowerShell script fix to protect Domain Admin rights was confirmed yesterday by DHS/CERT:
                VU#465632

                3 users thanked author for this post.
      • #316788 Reply
        gborn
        AskWoody_MVP

        I wonder if this could be related to the O365 outage in Europe? They were saying domain controllers were causing the outages.

        I don’t think so – the office365.com Exchange Online outage seems to be a broken load balancing issue in Domain Controller (not a hack, see my today article)

        The vulnerability CVE-2018-8581 has been known since Nov. 2018 – see my blog post

        https://borncity.com/win/2018/11/20/vulnerability-in-exchange-server-2010-2019/

        The only thing that’s new is the fact, that a Proof of Concept is now public.

        Microsoft Windows Insider MVP, Microsoft Answers Community Moderator, Blogger, Book author

        https://www.borncity.com/win/

        1 user thanked author for this post.
      • #316986 Reply
        rontpxz81
        AskWoody Lounger

        Forgive my ignorance, but does this effect Outllook?

        • #317008 Reply
          b
          AskWoody Plus

          Forgive my ignorance, but does this effect Outlook?

          Not really, although Outlook Web Access is used as part of the published mailbox hijacking attack.

          If your Outlook connects to a company or school Exchange server, it’s for an Exchange Admin to fix, patch or check registry settings; as in that case your emails could theoretically get diverted to someone else’s mailbox.

          2 users thanked author for this post.
      • #317175 Reply
        Aviel
        AskWoody Plus

        If domain admins members have no mailboxes, can the forces of evil still use this to steal their powers?

        • #317255 Reply
          Mr. Natural
          AskWoody Plus

          Magic 8 ball says yes.

          Red Ruffnsore

          Attachments:
      • #317734 Reply
        b
        AskWoody Plus

        U.S. Department of Homeland Security issued a vulnerability notification;
        CERT/CC Reports Microsoft Exchange 2013 and Newer are Vulnerable to NTLM Relay Attacks

        which links to CERT Coordination Center (CERT/CC) Vulnerability Note VU#465632;
        Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks

        which provides a concise description of the issue and workarounds for Exchange Server or Domain Controller, along with;

        Impact

        An attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user’s password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as the Exchange server.

        1 user thanked author for this post.
      • #321983 Reply
        b
        AskWoody Plus

        New mitigations and workarounds:

        ADV190007 | Guidance for “PrivExchange” Elevation of Privilege Vulnerability
        Security Advisory
        Published: 02/05/2019

        A planned update is in development.

        3 users thanked author for this post.
    Viewing 8 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Microsoft Exchange 0day exploit code published

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Cancel