Microsoft has recently issued a security advisory following the discovery of an NTLM relay attack vector against on-premises Exchange servers.
An attacker who is able to intercept the NTLM authentication in an NTLM relay attack, is able to discover the Exchange Server’s credentials and potentially elevate their privileges to a Domain Administrator. This would allow the Domain to be compromised and allow the attacker to obtain all the hashed passwords for the Domain from a Domain Controller host.
The flaw is present in the Exchange Web Services (EWS) API and until Microsoft corrects the code, by implementing Sign and Seal flags, the only viable protection is to disable EWS. However disabling EWS would prevent many clients from being able to interact with the Exchange server including Outlook for Mac, some iOS native mail clients and any application that relies on Exchange notifications.
In order to exploit this vulnerability, a successful man-in-the-middle attack is required between the Exchange server and an arbitrary client device using EWS. The Exchange server also needs to be configured to use NTLM authentication.
If the attack is successful in capturing the NTLM credentials for the Exchange server, it may be possible for an attacker to elevate their privileges to Domain Administrator level because of the way many Exchange servers are configured within Active Directory.
It should be noted that NTLM Relay attacks are not a new type of vulnerability. Due to configuration weaknesses in the SMB protocol setup in many organisations, NTLM Relay attacks are a very common way in which our consultants gain a foothold during Internal Penetration Tests.
The researcher Dirk-jan Mollema who first published details of the vulnerability stated the following:
“The Exchange Windows Permissions group has WriteDaclaccess on the Domain object in Active Directory, which enables any member of this group to modify the domain privileges, among which is the privilege to perform DCSync operations. Users or computers with this privilege can perform synchronization operations that are normally used by Domain Controllers to replicate, which allows attackers to synchronize all the hashed passwords of users in the Active Directory.”
The detailed explanation of the attack can be found on Mollema’s blog here:
Office365 instances are not affected by this vulnerability and neither are Exchange instances which have NTLM disabled.