Relaying Exchange?s NTLM authentication to domain admin (and more)
About a week ago a very interesting proof of concept tool and blog post were published by security researcher Dirk-jan Mollema (@_dirkjan), which you can read at here.
Now folks, this is HUGE. Extremely huge. If you are running Exchange make sure that you read this diary and the original blog.
Basically, the PoC tool exploits the fact that Exchange servers have very high privileges in Active Directory domains – the WriteDacl privilege that allows them to change domain privileges. Exchange servers are part of the Exchange Trusted Subsystem group, which is further included in the Exchange Windows Permissions group which has this critical privilege enabled.
The issue is in Exchange Web Services (EWS) PushSubscription service, specifically PushSubscriptionRequest method that allows a user to subscribe for push events. The user specifies the location of the client Web service for push notifications. In other words, once an event happens, the Exchange server will connect to the URL specified in the call to the PushSubscriptionRequest method.
Now, once a subscription has been created, relaying is the final step. The Exchange server will now try to connect to the attacker’s machine (the URL specified in the subscription) and will happily pass NTLM credentials. These can be then relayed to a Domain Controller (provided there is no SMB signing – see below for mitigations). Dirk-jan’s exploit relays the credentials to LDAP in order to escalate a user’s privilege: it adds the Replication-Get-Changes-All privilege to an account effectively allowing that account to perform any actions on the domain, including dumping all passwords from a Domain Controller by performing DCSync. With hashes of all users, the attacker can further impersonate any other user and takeover the complete domain.
Running the exploit is very simple - once the subscription is created, Exchange connects to the supplied URL as shown in the figure below:
Now, the biggest issue here is that this works with the latest version of Exchange, fully patched. Various versions are listed on the original blog, I tested with a fully patched version of Exchange 2016. Note that the deletion of registry key as specified in Microsoft’s advisory for CVE-2018-8581 does not fix this vulnerability! It prevents a malicious user from impersonating another user on the Exchange server, but not on a Domain Controller, through LDAP. Additionally, I have installed patches on an Exchange 2016 servers, and the registry key was not removed (even though Microsoft’s advisory says that they will remove it).
The best mitigation options as far as we are aware of are the following:
- First, if you do not use EWS push/pull subscriptions disable them (see here by @gentilkiwi),
- Additionally, use an internal firewall to prevent Exchange from connecting to your workstations – typically workstations should connect to Exchange, not the opposite. This does not prevent the exploit (an attacker can find a different server that Exchange can connect to), but makes exploitation a bit more difficult.
- Enable SMB and LDAP signing.
- Remove high privileges that Exchange has on the Domain object.
Of course, be very careful when modifying any of the settings above to make sure that you will not break your Exchange deployments.
Finally, the exploit does not work on Exchange 2010 which has signing enabled by default, but this setting does not exist in Exchange 2013, 2016 or 2019. Go figure :/
UPDATE 1:
Here's a bit more information about detection of the vulnerability:
- Regarding vulnerable servers, Exchange 2013, 2016 and 2019 have been confirmed as vulnerable. The screenshot above from my test was with a fully patched Exchange 2016.
- Exchange 2010 appears not to be vulnerable - it will send the request to the subscribed URL, but due to signing you should not be able to relay it.
- Exchange 2007 is unknown at this time, although it appears to have the required methods (PushSubscriptionRequest) so it might be vulnerable. If you manage to test it, let us know.
- The best way to check if the vulnerability has been abused against you is to monitor for network logon events on your domain controllers. This is what you'll be looking for:
- EventCode=4624
- LogonType=3
- Authentication Package=NTLM
- Account Name = YOUREXCHANGESERVER$
- By looking for events above you'll be able to detect NTLM relay attacks where Exchange server's credentials were used. The Source Network Address field will show the IP address of the attacker (where the ntlmrelayx / impacket was running).
- There is another good event (thanks to Davy for sending this), 5136. This event will show when the DACL was modified, but it will have the target account's SID only so you can't search by name.
Thanks to all readers for great and useful comments.
We’ll continue researching the issue – if you have any new or information to share - let us know!
Web App Penetration Testing and Ethical Hacking | Amsterdam | Mar 31st - Apr 5th 2025 |
Comments
Pentesters doing internal pentests right now are really lucky ;)
Thanks for this post ! Not a lot of media coverage for this (why ??) so I'm glad you're talking about this beauty.
Monitoring AD "5136" events for a few GUID can help you to detect successful attempts of the PoC as explained here:
http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/
Davy
Anonymous
Jan 29th 2019
5 years ago
Good catch on the event, indeed monitoring for 5136 can catch the relay.
As far as I can see the usernames are not directly visible (instead it logs SID's) but still such events should not happen too often - especially not coming from the Exchange server (since this is what will be logged as the Account Name).
Thanks,
Bojan
Anonymous
Jan 29th 2019
5 years ago
If you have an ADC/load balancer, you can drop all connections that send a POST /EWS/ with privexchange.py's push subscription XML data.
Anonymous
Jan 29th 2019
5 years ago
I thought the exploit had succeeded (PCAP showed successful LDAP bind), but after emailing Dirk-jan Mollema it looks like subsequent queries may have failed due to previously setting the registry entries for CVE-2018-8518. Still, with the potential impact if exploited it's probably a bad idea to not mitigate this for Exchange 2010.
Anonymous
Jan 29th 2019
5 years ago
Anonymous
Jan 29th 2019
5 years ago
- Exchange 2013, 2016 and 2019 have been confirmed as vulnerable
- Exchange 2010 apparently has signing enabled so NTLM relaying should not work. I haven't tested this as I don't have Exchange 2010 handy
- Exchange 2007 is unknown status, however according to the documentation, it does support the PushSubscriptionRequest method so it could be affected.
I'll see about updating the diary as we get more information.
Bojan
Anonymous
Jan 29th 2019
5 years ago
Anonymous
Jan 30th 2019
5 years ago
I updated Exchange to the latest patch level and noticed that the registry key was not removed.
Then I deleted it manually, but the exploit still worked. My understanding is that it prevents "reflection" attacks where you use NTLM relaying against the Exchange itself.
Bojan
Anonymous
Jan 30th 2019
5 years ago
Sample log:
Subject :
Security ID: testdomain\testuser
Account Name: testuser
Account Domain: testdomain
Logon ID: 0x26BB12
Object:
Object Server: DS
Object Type: domainDNS
Object Name: DC=testdomain,DC=com
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Control Access
Access Mask: 0x100
Properties: Control Access
{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}
~Jovsky
Anonymous
Jan 31st 2019
5 years ago
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190007
Anonymous
Feb 7th 2019
5 years ago