September 16, 2019
Red Team CVE-2018-8581, Microsoft Exchange, NTLM Relay, Privilege Escalation, PushSubscription
Harvesting the credentials of a domain user during a red team operation can lead to execution of arbitrary code, persistence and domain escalation. However information that is stored over emails can be highly sensitive for an organisation and therefore threat actors focus can be to exfiltrate data from emails. This can be achieved either by adding a rule to the mailbox of a target user that will forward emails to an inbox that the attacker controls or by delegating access of a mailbox to their Exchange account.
Dustin Childs from Zero Day Initiative discovered a vulnerability in Microsoft Exchange that could allow an attacker to impersonate a target account. This vulnerability exist because by design Microsoft Exchange allows any user to specify a URL for Push Subscription and Exchange will send notifications to this URL. NTLM hashes are also leaked and can be used to authenticate with Exchange Web Services via NTLM relay with the leaked NTLM hash. The technical details of the vulnerability has been covered into the Zero Day Initiative blog.
Accessing the compromised account from Outlook Web Access (OWA) portal and selecting the permissions of the inbox folder will open a new window that will contain the permissions of the mailbox.
The target account should be added to have permissions over the mailbox. This is required in order to retrieve the SID (Security Identifier) of the account.
Opening the Network console in the browser and browsing a mailbox folder will generate a request that will be sent to the Microsoft Exchange server.
Examining the HTTP Response of the request will unveil the SID of the Administrator account.
The implementation of this attack requires two python scripts from the Zero Day Initiative GitHub repository. The serverHTTP_relayNTLM.py script requires the SID of the Administrator that has been retrieved, the IP address of the Exchange with the target port and the email account that has been compromised and is in control of the red team.
Once the script has the correct values it can be executed in order to start a relay server.
python serverHTTP_relayNTLM.py
The Exch_EWS_pushSubscribe.py requires the domain credentials and the domain of the compromised account and the IP address of the relay server.
Executing the python script will attempt to send the pushSubscribe requests to the Exchange via EWS (Exchange Web Services).
python Exch_EWS_pushSubscribe.py
The NTLM hash of the Administrator will be relayed back to the Microsoft Exchange server.
Emails tha will be sent to the mailbox of the target account (Administrator) will be forwarded automatically to the mailbox that is under the control of the red team.
The email will be forwarded at the inbox of the account that the Red Team controls.
A rule has been created to the target account by using NTLM relay to authenticate with the Exchange that will forward all the email messages to another inbox. This can be validated by checking the Inbox rules of the target account.
Microsoft Exchange users can connect their account (Outlook or OWA) to other mailboxes (delegate access) if they have the necessary permissions assigned. Attempting to open directly a mailbox of another account withouth permissions will produce the following error.
There is a python script which is exploiting the same vulnerability but instead of adding a forwarding rule is assigning permissions to the account to access any mailbox in the domain including domain administrator. The script requires valid credentials, the IP address of the Exchange server and the target email account.
Executing the python script will attempt to perform the elevation.
python2 CVE-2018-8581.py
Once the script is finished a message will appear that will inform the user that the mailbox of the target account can be displayed via Outlook or Outlook Web Access portal.
Authentication with Outlook Web Access is needed in order to be able to view the delegated mailbox.
Outlook Web Access has a functionality which allows an Exchange user to open the mailbox of another account if he has permissions.
The following Window will appear on the screen.
The mailbox of the Administrator will open in another tab to confirm the elevation of privileges.