Harvesting the credentials of a domain user during a red team operation can lead to execution of arbitrary code, persistence and domain escalation. However information that is stored over emails can be highly sensitive for an organisation and therefore threat actors focus can be to exfiltrate data from emails. This can be achieved either by adding a rule to the mailbox of a target user that will forward emails to an inbox that the attacker controls or by delegating access of a mailbox to their Exchange account.

Dustin Childs from Zero Day Initiative discovered a vulnerability in Microsoft Exchange that could allow an attacker to impersonate a target account. This vulnerability exist because by design Microsoft Exchange allows any user to specify a URL for Push Subscription and Exchange will send notifications to this URL. NTLM hashes are also leaked and can be used to authenticate with Exchange Web Services via NTLM relay with the leaked NTLM hash. The technical details of the vulnerability has been covered into the Zero Day Initiative blog.

Email Forwarding

Accessing the compromised account from Outlook Web Access (OWA) portal and selecting the permissions of the inbox folder will open a new window that will contain the permissions of the mailbox.

Inbox Permissions

The target account should be added to have permissions over the mailbox. This is required in order to retrieve the SID (Security Identifier) of the account.

Add Permissions for the Target Account

Opening the Network console in the browser and browsing a mailbox folder will generate a request that will be sent to the Microsoft Exchange server.

POST Request to Microsoft Exchange

Examining the HTTP Response of the request will unveil the SID of the Administrator account.

Administrator SID

The implementation of this attack requires two python scripts from the Zero Day Initiative GitHub repository. The serverHTTP_relayNTLM.py script requires the SID of the Administrator that has been retrieved, the IP address of the Exchange with the target port and the email account that has been compromised and is in control of the red team.

Configuration serverHTTP_relayNTLM script

Once the script has the correct values it can be executed in order to start a relay server.

 python serverHTTP_relayNTLM.py 
Relay Server

The Exch_EWS_pushSubscribe.py requires the domain credentials and the domain of the compromised account and the IP address of the relay server.

Push Subscribe Script Configuration

Executing the python script will attempt to send the pushSubscribe requests to the Exchange via EWS (Exchange Web Services).

 python Exch_EWS_pushSubscribe.py 
pushSubscribe python script
Exchange Response
XML Reponse

The NTLM hash of the Administrator will be relayed back to the Microsoft Exchange server.

Relay Administrator NTLM
Relay Administrator NTLM to Exchange

Emails tha will be sent to the mailbox of the target account (Administrator) will be forwarded automatically to the mailbox that is under the control of the red team.

Email to target account

The email will be forwarded at the inbox of the account that the Red Team controls.

Email forwarded automatically

A rule has been created to the target account by using NTLM relay to authenticate with the Exchange that will forward all the email messages to another inbox. This can be validated by checking the Inbox rules of the target account.

Rule – Forward Admin Emails

Delegate Access

Microsoft Exchange users can connect their account (Outlook or OWA) to other mailboxes (delegate access) if they have the necessary permissions assigned. Attempting to open directly a mailbox of another account withouth permissions will produce the following error.

Open Another Mailbox – No Permissions

There is a python script which is exploiting the same vulnerability but instead of adding a forwarding rule is assigning permissions to the account to access any mailbox in the domain including domain administrator. The script requires valid credentials, the IP address of the Exchange server and the target email account.

Script Configuration

Executing the python script will attempt to perform the elevation.

 python2 CVE-2018-8581.py 
Privilege Escalation Script

Once the script is finished a message will appear that will inform the user that the mailbox of the target account can be displayed via Outlook or Outlook Web Access portal.

Privilege Escalation Script – Delegation Complete

Authentication with Outlook Web Access is needed in order to be able to view the delegated mailbox.

Outlook Web Access Authentication

Outlook Web Access has a functionality which allows an Exchange user to open the mailbox of another account if he has permissions.

Open Another Mailbox

The following Window will appear on the screen.

Open Another Mailbox Window

The mailbox of the Administrator will open in another tab to confirm the elevation of privileges.

References

Advertisements