Microsoft Exchange Server Arbitrary User Impersonation Vulnerability Handling Guide

January 10, 2019 | Adeline Zhang

1 Vulnerability Overview

Recently, a security researcher released details of an arbitrary user impersonation vulnerability (CVE-2018-8581) in Microsoft Exchange Server (also known as Exchange Web Server, EWS for short), revealing that an authenticated attacker could exploit this vulnerability to impersonate arbitrary accounts or even gain the privileges of the target user. A proof of concept (PoC) for the vulnerability has already been made publicly available. Microsoft has not yet released a security patch to address it, but has provided a workaround in its official security advisory. Users of this software are advised to take precautions as soon as possible.

Reference links:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581

https://www.zerodayinitiative.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange

2 Scope of Impact

Affected versions:

  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

3 Vulnerability Check

3.1 Registry Check

Users can check whether the following registry key exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck

If this registry key exists and its value is 1, this vulnerability is deemed to exist.

Note: The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck controls the user authentication loopback check. When its value is set to 1, the loopback check is disabled.


4 Vulnerability Protection

Microsoft has not yet released a security patch to address this vulnerability, but has provided a workaround in its official security advisory. Users of this software can protect against this vulnerability by deleting the DisableLoopbackCheck registry key. The detailed procedure is as follows:

Open a command prompt window with administrative privileges and execute the following command:

The deletion of this registry key takes effect immediately; neither the operating system nor EWS needs to be restarted. According to the security advisory released by Microsoft, future EWS updates will no longer enable this registry key by default. Users are advised to keep an eye on updates available on Microsoft's official website.

To ensure the stable running of this service, users should back up the registry before executing the command that deletes the registry key. The procedure is as follows:

  1. Press the Windows key and R on your keyboard and type regedit.exe to open the Registry Editor.
  2. Choose File > Export to save the registry file to a local disk drive for backup.
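The check described in section 3.1 and the backup-then-delete workaround from section 4 can be carried out together from an elevated PowerShell session. The script below is an added example written for this guide; it is not code from the NSFOCUS advisory or from Microsoft. It assumes the registry path and value name given above, and the backup file location under $env:TEMP is an arbitrary choice that can be changed to suit local practice.

```powershell
# Added example (not from the advisory): detect, back up and remove the
# DisableLoopbackCheck value so the authentication loopback check is enabled again.
# Run from an elevated PowerShell session on the Exchange server.
#Requires -RunAsAdministrator

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableLoopbackCheck'
# Backup location is an assumption of this example; adjust as needed.
$BackupFile = Join-Path $env:TEMP ("Lsa-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

function Test-LoopbackCheckDisabled {
    # Returns $true only when the value exists and equals 1, which is the
    # condition section 3.1 treats as vulnerable; $false if absent or any other value.
    $prop = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $false }
    return ([int]$prop.$ValueName -eq 1)
}

function Backup-LsaKey {
    # Section 4 recommends exporting the registry before deleting the value.
    # reg.exe writes a .reg file that can later be restored with "reg.exe import".
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed (exit code $LASTEXITCODE)" }
    return $BackupFile
}

function Remove-DisableLoopbackCheck {
    # Deleting the value takes effect immediately; no reboot or service restart is needed.
    Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction Stop
}

if (Test-LoopbackCheckDisabled) {
    Write-Host "$ValueName is set to 1 under $LsaKey; the loopback check is disabled."
    $saved = Backup-LsaKey
    Write-Host "Registry key exported to $saved"
    Remove-DisableLoopbackCheck
    if (-not (Test-LoopbackCheckDisabled)) {
        Write-Host "$ValueName removed; the loopback check is enabled again."
    } else {
        Write-Warning "$ValueName is still present; check permissions and retry."
    }
} else {
    Write-Host "$ValueName is absent or not set to 1; the section 3.1 check passes."
}
```

The test function is separated from the removal step so that the same script can be run in a read-only mode (call Test-LoopbackCheckDisabled alone) across a fleet before any change is made, and the export is performed with reg.exe rather than a PowerShell cmdlet because the resulting .reg file can be re-imported with the same tool if the change ever has to be reverted.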

5 Vulnerability Analysis

This vulnerability results from chaining an SSRF vulnerability with other weaknesses. EWS allows any user to craft a URL for a Push Subscription, and the server will attempt to send notifications to that URL. EWS uses CredentialCache.DefaultCredentials for these connections, but on the server CredentialCache.DefaultCredentials runs as NT AUTHORITY\SYSTEM, so the server sends NTLM hashes to the attacker's email address.

Meanwhile, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck is set to 1 by default on EWS, which allows the attacker to use the NTLM hashes for HTTP authentication, for example to access EWS itself. With NT AUTHORITY\SYSTEM privileges, the attacker can establish a privileged session that holds TokenSerializationRight and then use a SOAP header to impersonate any desired user.

Note: NT AUTHORITY\SYSTEM is a built-in system account that has full control of the local system. In workgroup mode, this account has no access to network resources. It is usually used to run services and has no password.


Appendix

  • Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

  • About NSFOCUS

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

https://www.nsfocusglobal.com

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.