Posted on Leave a comment

VU#465632: Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks

Microsoft Exchange supports a API called Exchange Web Services(EWS). One of the EWS API functions is called PushSubscription,which can be used to cause the Exchange server to connect to an arbitrary website. Connections made using the PushSubscription feature will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013,the NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks. Microsoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object,this means that the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server.

What are your thoughts?