2025-04-05 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
How can an attacker impersonate a user on Microsoft Exchange? Many inexperienced readers are at a loss about this, so this article summarizes the cause of the problem and how it plays out. I hope it helps you understand and deal with the issue.
Preface
Today we look at how an attacker (an ordinary, low-privileged user) can exploit this Exchange vulnerability to impersonate a legitimate user and perform malicious operations on the Exchange server.
Let's get to the point: we will analyze this server-side request forgery (SSRF) vulnerability in detail and demonstrate how an attacker impersonates a legitimate user.
Vulnerability analysis
To carry out the attack, the attacker exploits an SSRF vulnerability and chains it with other security weaknesses to achieve impersonation. Exchange allows any user to specify a URL for a push subscription, and the server then attempts to send notifications directly to that URL. The vulnerability exists because the Exchange server uses CredentialCache.DefaultCredentials for these outbound network connections:
In Exchange Web Services, CredentialCache.DefaultCredentials runs with NT AUTHORITY\SYSTEM privileges. As a result, the Exchange server authenticates to the attacker's server with NTLM and sends it an NTLM hash. The Exchange server also sets the following registry key by default:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck = 1
At this point, the attacker can use these NTLM hashes for HTTP authentication, for example to authenticate to Exchange Web Services (EWS) itself. Because the relayed authentication carries NT AUTHORITY\SYSTEM privileges, the attacker can use TokenSerializationRight to obtain a privileged "session" and then use a SOAP header to impersonate a specific user.
In the SOAP header sample below, the attacker uses the SID S-1-5-21-4187549019-2363330540-1546371449-500 to impersonate the administrator user:
Vulnerability exploitation
For demonstration purposes, we used the following two Python scripts:
1. serverHTTP_relayNTLM.py: accepts the inbound NTLM authentication from the Exchange server and relays it to EWS.
2. Exch_EWS_pushSubscribe.py: issues the PushSubscription request so that the Exchange server connects back to serverHTTP_relayNTLM.py.
Script download address: [portal] (the python-ntlm module is also required)
First, we need to get the SID of the target user, roughly as follows:
1. Log in to OWA as an authenticated user:
2. Next, create a new folder, and we use "tempFold" here. Click "Permissions" in the drop-down menu:
3. Add the e-mail address of the user that needs to be impersonated. Here we use victim@contoso.local:
4. Press F12, select the "Network" tab, and then click "Permissions" in the drop-down menu of the newly created folder again:
5. Look at the response to the first service.svc?action=GetFolder request and read the value at the following path:
Body -> ResponseMessages -> Items -> 0 -> Folders -> 0 -> PermissionSet -> Permissions -> N -> UserId -> SID
In our sample N is 2, but pick the entry that matches your situation: its PrimarySmtpAddress is the email address of the target user. If the response does not contain a PermissionSet parameter, check the other service.svc?action=GetFolder request instead:
6. Put this SID into serverHTTP_relayNTLM.py. We also need to pick a TCP port that the Exchange server can reach with outbound connections, for example TCP port 8080 if it is not blocked.
Next, edit serverHTTP_relayNTLM.py and fill in the real values:
Once the correct script variables are set, we are ready to begin:
7. The next step is to set the variables in the Exch_EWS_pushSubscribe.py script:
When we are done, we can execute the script:
In the last step, we need to trigger an event so that Exchange sends a push notification. Creating and sending a new message, or deleting the folder we just created, is enough to do this:
Once successful, our serverHTTP_relayNTLM.py can receive inbound connections from the Exchange server:
After the attack succeeds, the response contains UpdateInboxRulesResponse ResponseClass="Success". This means the inbox rule has been added to the target user's mailbox, and all inbound messages will now be forwarded to the attacker.
Next, we test the new rule. Send an email to the target user from any account, but not from the forwarding address used in the newly added rule (attacker@contoso.local), because the rule will not fire if the forwarding address and the destination address are the same. Here we log in to the administrator account and send a message to the target user:
Check the attacker's inbox and we can see this email:
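As an added defensive check (not part of the original article or its scripts), the following PowerShell audit covers the two artefacts described above: the DisableLoopbackCheck registry value from the vulnerability analysis, and the forwarding inbox rule the attack leaves behind in the victim's mailbox. It assumes it runs in the Exchange Management Shell on an Exchange server; Get-Mailbox, Get-InboxRule and Get-AcceptedDomain are standard Exchange cmdlets, and the regular expression used to pull an address out of each rule target is an assumption about the recipient string format.

```powershell
# Added defensive audit (not from the original article). Assumes the Exchange
# Management Shell on the Exchange server, so HKLM is that server's registry.

# 1. Loopback check: the article notes Exchange sets DisableLoopbackCheck = 1 by
#    default, which is what lets the relayed NTLM authentication be replayed
#    against EWS on the same host.
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$loopback = (Get-ItemProperty -Path $lsaPath -Name DisableLoopbackCheck `
             -ErrorAction SilentlyContinue).DisableLoopbackCheck
if ($loopback -eq 1) {
    Write-Warning "DisableLoopbackCheck = 1 on $env:COMPUTERNAME (loopback reflection allowed)"
} else {
    Write-Output "DisableLoopbackCheck is not 1 on $env:COMPUTERNAME (value: '$loopback')"
}

# 2. Forwarding rules: the attack ends with an inbox rule that forwards every
#    inbound message to the attacker. Enumerate rules on all mailboxes and flag
#    any that forward or redirect, marking targets outside the accepted domains.
$accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ } | ForEach-Object { $_.ToString() }
        foreach ($t in $targets) {
            # Assumption: the recipient string contains the SMTP address somewhere;
            # extract the first thing that looks like one.
            $addr = ([regex]::Match($t, '[\w.+-]+@[\w.-]+')).Value.ToLower()
            if (-not $addr) { continue }
            $domain = $addr.Split('@')[1]
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress.ToString()
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                Target   = $addr
                External = ($accepted -notcontains $domain)
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object External, Mailbox -Descending | Format-Table -AutoSize
} else {
    Write-Output 'No forwarding or redirect inbox rules found.'
}
```

In the scenario above the rule would appear as an entry for victim@contoso.local with Target attacker@contoso.local; a same-domain target is not marked External, so review every hit rather than only the external ones. The audit surfaces the precondition and the outcome the article describes; it does not replace applying the vendor update for the underlying issue.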
After reading the above, have you understood how an attacker can impersonate a user on Microsoft Exchange? If you want to learn more or dig deeper, you are welcome to follow the industry information channel. Thank you for reading!