Microsoft Exchange vulnerable to 'PrivExchange' zero-day

Proof-of-concept tool lets attackers escalate a hacked inbox to admin on a company's internal domain controller.
Written by Catalin Cimpanu, Contributor

Microsoft Exchange 2013 and newer are vulnerable to a zero-day named "PrivExchange" that allows a remote attacker with just the credentials of a single lowly Exchange mailbox user to gain Domain Controller admin privileges with the help of a simple Python tool.

Details about this zero-day were made public last week by Dirk-jan Mollema, a security researcher with Dutch cyber-security firm Fox-IT.

According to the researcher, the zero-day isn't one single flaw, but a combination of three (default) settings and mechanisms that an attacker can abuse to escalate his access from a hacked email account to the admin of the company's internal domain controller (a server that handles security authentication requests within a Windows domain). The three issues, according to Mollema, are:

  1. Microsoft Exchange servers have a feature called Exchange Web Services (EWS) that attackers can abuse to make the Exchange servers authenticate on an attacker-controlled website with the computer account of the Exchange server.
  2. This authentication is done using NTLM hashes sent via HTTP, and the Exchange server also fails to set the Sign and Seal flags for the NTLM operation, leaving the NTLM authentication vulnerable to relay attacks, and allowing the attacker to obtain the Exchange server's NTLM hash (Windows computer account password).
  3. Microsoft Exchange servers are installed by default with access to many high privilege operations, meaning the attacker can use the Exchange server's newly compromised computer account to gain admin access on a company's Domain Controller, giving them the ability to create more backdoor accounts at will.
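
A defender-side check for the second issue in the list above, added here as an example and not taken from the article or from Mollema's tool: it decodes the NTLM NEGOTIATE message carried in a captured HTTP `Authorization` header and reports whether the Sign and Seal flags are missing. The function names and sample headers are constructed for illustration; the flag values are those defined in Microsoft's NTLM specification (MS-NLMP).

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_MESSAGE = 1  # NTLM "type 1" message
# Flag bits as defined in MS-NLMP.
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020


def parse_negotiate_flags(header_value):
    """Return NegotiateFlags from an 'NTLM <base64>' header value, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # malformed base64
        return None
    # Layout: 8-byte signature, 4-byte message type, 4-byte flags (little endian).
    if len(raw) < 16 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    return flags if msg_type == NEGOTIATE_MESSAGE else None


def missing_protection_flags(header_value):
    """List which of SIGN/SEAL are absent; None if not an NTLM NEGOTIATE."""
    flags = parse_negotiate_flags(header_value)
    if flags is None:
        return None
    wanted = (("SIGN", NTLMSSP_NEGOTIATE_SIGN), ("SEAL", NTLMSSP_NEGOTIATE_SEAL))
    return [name for name, bit in wanted if not flags & bit]


def build_sample(flags, msg_type=NEGOTIATE_MESSAGE):
    """Constructed test input: a minimal NTLM message with empty name fields."""
    raw = NTLMSSP_SIGNATURE + struct.pack("<II", msg_type, flags) + b"\x00" * 16
    return "NTLM " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed flag values: the first lacks SIGN and SEAL, the second sets both.
    for sample_flags in (0x00080205, 0x00080235):
        header = build_sample(sample_flags)
        print(hex(sample_flags), "missing:", missing_protection_flags(header))
```
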

The PrivExchange attack has been confirmed to work against fully patched versions of Exchange and Windows Server DCs (Domain Controllers).

Microsoft has not released any emergency patches for the PrivExchange vulnerability. However, Mollema has included several mitigations in his blog that system administrators can deploy to prevent attackers from exploiting this zero-day and getting control over their companies' server infrastructure.

This article from the CERT/CC team from Carnegie Mellon University also details the same mitigations.

The PrivExchange vulnerability should not be taken lightly. It is easy to carry out thanks to the availability of a ready-made proof-of-concept tool, and it grants attackers full control over a company's Windows IT infrastructure, the Holy Grail of most hacker groups.
