Newsletter Archives

  • Microsoft Exchange 0day exploit code published

    Posted on January 25, 2019 at 14:33 CST by Comment in the Forums

    According to Thomas Claburn at The Reg:

    Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Admin.

    Claburn goes on to reference Dirk-jan Mollema’s proof of concept post:

    This blog combines a few known vulnerabilities and known protocol weaknesses into a new attack. There are 3 components which are combined to escalate from any user with a mailbox to Domain Admin access:

    • Exchange Servers have (too) high privileges by default
    • NTLM authentication is vulnerable to relay attacks
    • Exchange has a feature which makes it authenticate to an attacker with the computer account of the Exchange server

    Here’s where it gets thick. Er. Mollema claims his method allows an “attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange.”

    Microsoft, however, has apparently weighed in on the elevation of privilege bug in CVE-2018-8581:

    To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user.

    And there’s the rub. The headlines make it sound like anybody with an Exchange mailbox can become a Domain Admin. The Microsoft CVE report (which, I assume, relates to the same bug) says that a man-in-the-middle attack is necessary.

    Big difference.

    Anybody know the details?

    Windows Patches/Security ,
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    April 2025
    S M T W T F S
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.