New Exchange Authentication Vulnerability uses AD Admin to Gain Privileges

STEALTHbits mitigates a new vulnerability that uses Exchange Authentication to gain AD Admin privileges

A new attack posted by Dirk-jan Mollema, an independent security researcher, exploits how Exchange uses NTLM over HTTP to authenticate to the Active Directory domain. Read the complete details.

This attack combines known weaknesses in a new way to achieve a privilege escalation that can be used to attack AD. Here is how the attack works.

An attacker sends a request to Exchange that causes Exchange to respond with an NTLM authentication request over HTTP (#1).

Exchange responds (#2), and because NTLM is susceptible to relay attacks, all the attacker has to do is forward that authentication to AD (#3). AD believes the attacker's machine is Exchange and grants it all of the privileges that Exchange normally has. The attacker can then create new admin accounts or modify privileges (#4) using the Exchange account. With this level of access, the attacker can use popular attacker toolkits such as Mimikatz to perform a DCSync attack (#5), which returns the password hashes of any account in the domain. From there, the attacker can do pretty much anything they want.

STEALTHbits cannot prevent the Exchange portion of the attack, but we can mitigate the later stages, where the Exchange account is used to create shadow accounts and modify existing privileges inside Active Directory.

Here’s how STEALTHbits Can Help

#1 – DC Sync Prevention

StealthAUDIT can check whether the default permissions granted to the Exchange Windows Permissions group include rights on the domain object in Active Directory. Those rights would allow members of this group to perform DCSync attacks and replicate user password hashes out of AD, which gives an attacker the immediate ability to obtain the Kerberos service account (krbtgt) hash and forge golden tickets.

StealthINTERCEPT can monitor and block DCSync attacks, stopping that attack vector in its tracks.

#2 – Permission Mitigation

The #1 recommended mitigation from the blog is "Remove the unnecessary high privileges that Exchange has on the Domain object". This is something you can report on with AD Permissions Analyzer and clean up using StealthAUDIT. These permissions are overprovisioned, and reducing them mitigates this attack.
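For readers who want to verify the exposure described in #1 and #2 themselves, the following script is an added example (not STEALTHbits' or the researcher's code). It enumerates the ACL on the domain object and reports every principal holding the replication extended rights that DCSync depends on, flagging the Exchange Windows Permissions group. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller can read the domain object.

```powershell
# Added example: audit the domain object's ACL for replication rights.
# Assumes the ActiveDirectory RSAT module (which provides the AD: drive).
Import-Module ActiveDirectory

# Well-known extended-right GUIDs that control directory replication.
# DCSync needs Get-Changes plus Get-Changes-All.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# The group the blog calls out as overprovisioned by default.
$ExchangeGroup = 'Exchange Windows Permissions'

function Get-DomainReplicationRights {
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Only ACEs that grant ExtendedRight matter (GenericAll includes it).
        $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (-not $ace.ActiveDirectoryRights.HasFlag($extRight)) { continue }
        # ObjectType names the specific right; an empty GUID means all rights.
        $guid = $ace.ObjectType.ToString().ToLower()
        $allRights = ($guid -eq [Guid]::Empty.ToString())
        if (-not ($allRights -or $ReplicationRights.ContainsKey($guid))) { continue }
        $principal = $ace.IdentityReference.Value
        [PSCustomObject]@{
            Principal  = $principal
            Right      = if ($allRights) { 'All extended rights' } else { $ReplicationRights[$guid] }
            Inherited  = $ace.IsInherited
            IsExchange = ($principal -like "*\$ExchangeGroup")
        }
    }
}

$findings = Get-DomainReplicationRights
$findings | Format-Table -AutoSize
if ($findings | Where-Object IsExchange) {
    Write-Warning "$ExchangeGroup holds replication rights on the domain object; remove them as recommended above."
}
```

Rows with Inherited set to False are explicit grants on the domain object itself, which is where the Exchange permissions discussed here are set.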

If you are a current customer and have these products, you are covered.  If not, you can download trial versions of our products to mitigate these attacks.

Download StealthINTERCEPT to prevent DCSync. Our trial version will let you detect and block these attacks while Microsoft works on a patch.

Download StealthAUDIT AD Permissions Analyzer to analyze excessive permissions.

A Microsoft advisory has been posted, but a patch is not yet available. Learn more.
