The experts described the attack scenario in a blog post and published proof-of-concept code.
“Recently I came across a blog from the ZDI, in which they detail a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the
Mollema pointed out that Microsoft Exchange has high privileges by default in the Active Directory domain. An attacker could synchronize the hashed passwords of Active Directory users through an ordinary Domain Controller operation (DCSync), and could then impersonate users and authenticate to any service that uses NTLM or Kerberos authentication.
“The Exchange Windows Permissions group has WriteDacl access on the Domain object in Active Directory, which enables any member of this group to modify the domain privileges, among which is the privilege to perform DCSync operations,” he added.
The expert chained three issues to escalate from any user with a mailbox to Domain Admin access:
The attack leverages two Python-based tools, the
Mollema demonstrated that it is possible to relay automatic Windows authentication by having a machine on the network connect to a machine under the attacker's control.
To get Exchange to authenticate to the attacker, the expert used a method described by ZDI for obtaining Exchange authentication to an arbitrary URL over HTTP through the Exchange PushSubscription API, using a reflection attack.
“In their blog
“The push notification service has an option to send a message every X minutes (where X can be specified by the attacker), even if no event happened. This is something that ensures Exchange will connect to us even if there is no activity in an inbox.”
Mollema also explained that it is possible to carry out a relay attack against LDAP; by exploiting the high default privileges granted to Exchange, an attacker could obtain DCSync rights.
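The two conditions the attack depends on, the WriteDacl entry for Exchange Windows Permissions on the domain object and the replication (DCSync) rights it can be used to grant, can both be audited directly from the domain object's DACL. The following PowerShell audit script is an added example written for this article, not code from Mollema's post or his proof of concept; it assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the domain object.

```powershell
# Added example (not from the original post): audit the domain object's DACL for
# the WriteDacl primitive PrivExchange abuses and for already-granted DCSync rights.
# Assumes the ActiveDirectory module (RSAT) is installed; it provides the AD: drive.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"

# Extended-right GUIDs that together make up DCSync:
#   DS-Replication-Get-Changes and DS-Replication-Get-Changes-All
$dcsyncRightGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
)

# 1. Principals allowed to rewrite the domain DACL. A bitwise test is used so that
#    GenericAll (which includes the WriteDacl bit) is caught as well.
$writeDaclAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights) -band
     [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -ne 0
}

# 2. Principals that already hold replication rights on the domain. Anything beyond
#    Domain Controllers / Enterprise Domain Controllers / Administrators deserves a look.
$dcsyncAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType.ToString().ToLower() -in $dcsyncRightGuids
}

Write-Host "== WriteDacl (or GenericAll) on $domainDN =="
$writeDaclAces |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

Write-Host "== DCSync (replication) rights on $domainDN =="
$dcsyncAces |
    Select-Object IdentityReference, ObjectType, IsInherited |
    Format-Table -AutoSize

# The specific condition described in the article: the Exchange Windows Permissions
# group holding WriteDacl on the domain object.
$exchangeWriteDacl = $writeDaclAces |
    Where-Object { $_.IdentityReference.Value -like '*Exchange Windows Permissions*' }
if ($exchangeWriteDacl) {
    Write-Warning "Exchange Windows Permissions has WriteDacl on the domain object; a relayed Exchange authentication could grant itself DCSync rights."
}
```

Review the DCSync list against your expected set of replication principals; an unexpected account there is a finding in its own right, independent of whether the Exchange ACE has been removed.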
Mollema also detailed potential mitigations for the attack in his post such as: