Microsoft Exchange 2013 and newer versions are vulnerable to a new privilege escalation zero-day called “PrivExchange” that permits a remote attacker with the credentials of a single lowly Exchange mailbox user to gain Domain Controller admin privileges using a simple Python tool.
Dirk-jan Mollema, a security researcher with the Dutch cyber-security firm Fox-IT, has published the details of the zero-day. He explains that it is not a single flaw but a combination of three (default) settings and mechanisms that an attacker can chain together to escalate from a single compromised email account to administrator of the company's internal domain controller (the server that handles security authentication requests within a Windows domain). The three issues are:
- A feature of Microsoft Exchange servers, Exchange Web Services (EWS), can be abused to make an Exchange server authenticate to an attacker-controlled website using the computer account of the Exchange server.
- That authentication is performed with NTLM over HTTP, and the Exchange server does not set the Sign and Seal flags for the NTLM exchange, leaving the authentication open to relay attacks and thereby allowing the attacker to obtain the Exchange server's NTLM credentials.
- By default, Microsoft Exchange servers are installed with rights to many high-privilege operations, so the attacker can use the newly compromised Exchange computer account to gain administrative access to the company's Domain Controller, including the ability to create additional backdoor accounts at will.
The PrivExchange attack works against fully patched Exchange servers and Windows Server domain controllers.
Microsoft has not issued an emergency patch for this vulnerability. However, the researcher's blog post includes several mitigations that system administrators can apply to prevent attackers from exploiting the zero-day and taking control of their company's server infrastructure.
The PrivExchange vulnerability has to be taken seriously: it is very easy to carry out, and it gives an attacker complete control over a company's Windows IT infrastructure.