Exchange NTLM relaying flaw
Sources
- https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
- https://isc.sans.edu/forums/diary/Relaying+Exchanges+NTLM+authentication...
- https://twitter.com/gentilkiwi/status/1088599133986975755
- https://www.us-cert.gov/ncas/current-activity/2019/01/28/CERTCC-Reports-...
Risks
An attacker with access to a mailbox on the domain using Exchange can escalate to domain admin using NTLM over HTTP and a relay attack.
A proof of concept is available on the Internet.
Description
Exchange servers have very high privileges in Active Directory domains. The Exchange Web Services(EWS) has a method called "PushSubscriptionRequest" that allows a user to subscribe for push events.
To subscribe to it, the user has to specify an URL. Once an event happens, the Exchange server will now try to connect to the attacker’s machine (the URL specified in the subscription) and will pass NTLM credentials.
These can be then relayed to a Domain Controller, allowing to perform any actions on the domain, including dumping all passwords from a Domain Controller by performing DCSync.
With hashes of all users, the attacker can further impersonate any other user and takeover the complete domain.
Recommended Actions
CERT.be recommends users to follow the following steps to mitigate this attack as a patch is not yet available:
- If you do not use EWS, disable it: Exchange Management Shell:
- New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EWSMaxSubscriptions 0
- Restart-WebAppPool -Name MSExchangeServicesAppPool
- Use an internal firewall to prevent Exchange from connecting to your workstations. This does not prevent the exploit but makes exploitation a bit more difficult.
- Enable SMB and LDAP signing.
- Remove high privileges that Exchange has on the Domain object.