Vulnerability Exchange: One Domain Account For More Than Exchange Server RCE

Conference:  Defcon 29



Microsoft Exchange Server is one of the most famous mail servers in the world. It not only stores a large amount of sensitive corporate information, but also plays an important role in Microsoft Active Directory, so it has become a high-value target for both APT groups and red teams. In the past few months, some high-risk vulnerabilities in Exchange Server have been exposed, which mainly target vulnerable ASP.NET code. But the architecture of Exchange Server is complicated, and its attack surface is not limited to ASP.NET; this talk will analyze and attack Exchange Server from a different perspective. I will share the following two new vulnerabilities I found, as well as the new attack surfaces and how I chained several techniques to successfully exploit them, in detail.

1. One of them can result in arbitrary mailbox takeover: attackers can read emails, download attachments, send emails, etc. as any Exchange user.
2. The other can lead to remote code execution on Exchange Server: attackers can gain local administrator privileges and execute arbitrary commands.

Furthermore, there is an interesting point: even if you have applied the latest Exchange Server patches, your Exchange Server may still be compromised by this type of attack.

For red teams, Exchange Server RCE is only the beginning. Usually, there are some high-privileged domain users and groups on Exchange Server, so I will also introduce a new method in depth to help you perform lateral movement and even privilege escalation to Domain Admin after achieving Exchange Server RCE. These vulnerabilities have been reported to MSRC, and the exploit tools will be released after the talk.
References:

[1] https://www.zerodayinitiative.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange
[2] https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
[3] https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-operations-in-exchange
[4] https://github.com/quickbreach/ExchangeRelayX
[5] https://blog.compass-security.com/2020/05/relaying-ntlm-authentication-over-rpc/
[6] https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
[7] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/425a7c53-c33a-4868-8e5b-2a850d40dc73
[8] https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
[9] https://github.com/SecureAuthCorp/impacket
[10] https://github.com/gdedrouas/Exchange-AD-Privesc
[11] https://labs.f-secure.com/tools/sharpgpoabuse/