A serious security flaw has been found that allows most Microsoft Exchange Server 2013 and later installations to be hacked to give criminals full Domain Controller admin privileges, allowing them to create accounts on the target server and come and go at will.
All that is needed for the PrivExchange attack is the email address and password of a mailbox user, and in some circumstances not even that.
Attackers are able to compromise the server by chaining three weaknesses:
- Microsoft Exchange servers have a feature called Exchange Web Services (EWS) that attackers can abuse to make the Exchange server authenticate to an attacker-controlled website using the Exchange server's computer account.
- This authentication is done with NTLM over HTTP, and the Exchange server also fails to set the Sign and Seal flags for the NTLM exchange, leaving the authentication vulnerable to relay attacks and allowing the attacker to obtain the Exchange server's NTLM hash (the Windows computer account password).
- Microsoft Exchange servers are installed by default with access to many high-privilege operations in the domain, so the attacker can use the newly compromised Exchange computer account to gain admin access on the company's Domain Controller, giving them the ability to create further backdoor accounts at will.
The hack works on fully patched Windows servers, and no patch is currently available. There are, however, a number of mitigations, which can be read here.
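As an added example (not code from the article or from the PrivExchange researchers), the PowerShell below audits two of the conditions the chain relies on from a defender's side: whether an Exchange group holds WriteDacl on the domain object, which is the default high-privilege access the third point above refers to, and whether the domain controllers require LDAP signing, which stops a relayed NTLM session from being accepted. It assumes the ActiveDirectory RSAT module, WinRM access to the domain controllers, and the default Exchange group names created by Exchange setup; that the relayed authentication is used against LDAP on a domain controller is taken from the original PrivExchange research rather than from this article.

```powershell
# Added audit example, not part of the original article.
# Assumptions: run as a domain user on a domain-joined Windows host with the
# ActiveDirectory RSAT module; WinRM is reachable on the DCs; the Exchange
# group names are the defaults that Exchange setup creates.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Groups that Exchange setup creates and that contain the Exchange computer accounts.
$exchangeGroups = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem')

# 1. Who holds WriteDacl on the domain object itself?
#    A principal that can rewrite the domain's DACL can grant itself any right on
#    the domain, so an Exchange group here is the privilege a relayed Exchange
#    computer account would be escalated through.
$acl = Get-Acl -Path "AD:\$domainDN"
$writeDacl = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)
}

Write-Host "Principals with WriteDacl on ${domainDN}:"
$writeDacl | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited | Format-Table -AutoSize

$exposed = $writeDacl | Where-Object {
    $id = $_.IdentityReference.Value          # e.g. CONTOSO\Exchange Windows Permissions
    $exchangeGroups | Where-Object { $id -like "*\$_" }
}
if ($exposed) {
    Write-Warning "An Exchange group holds WriteDacl on the domain object; a relayed Exchange computer account could escalate from here."
} else {
    Write-Host "No default Exchange group holds WriteDacl on the domain object."
}

# 2. Do the domain controllers require LDAP signing?
#    LDAPServerIntegrity under the NTDS parameters key: 1 = none, 2 = require signing.
#    With signing required, an NTLM session relayed to LDAP without signing is rejected.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    $integrity = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                          -ErrorAction SilentlyContinue).LDAPServerIntegrity
    }
    if ($integrity -eq 2) {
        Write-Host "$dc : LDAP signing required (LDAPServerIntegrity = 2)"
    } else {
        Write-Warning "$dc : LDAP signing not required (LDAPServerIntegrity = $integrity); NTLM relay to LDAP is not blocked here."
    }
}
```

The ACL check uses HasFlag so that broader rights such as GenericAll, which include the WriteDacl bit, are reported too; the `${domainDN}:` form avoids PowerShell reading `$domainDN:` as a drive-qualified variable.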