Microsoft Exchange appears to be currently vulnerable to a privilege escalation attack that allows any user with a mailbox to become a Domain Admin.
On Thursday, Dirk-jan Mollema, a security researcher with Fox-IT in the Netherlands, published proof-of-concept code and an explanation of the attack, which involves the interplay of three separate issues.
According to Mollema, the primary problem is that Exchange has high privileges by default in the Active Directory domain.
Exchange Windows Permissionsgroup has
WriteDaclaccess on the Domain object in Active Directory, which enables any member of this group to modify the domain privileges, among which is the privilege to perform DCSync operations,” he explained in his post.
This allows an attacker to synchronize the hashed passwords of the Active Directory users through a Domain Controller operation. Access to these hashed passwords allows the attacker to impersonate users and authenticate to any service using NTLM (a Microsoft authentication protocol) or Kerberos authentication within that domain.
It has been tested on Exchange 2013 (CU21) on Windows Server 2012 R2, relayed to (fully patched) Windows Server 2016 DC and Exchange 2016 (CU11) on Windows Server 2016, and relayed to a Server 2019 DC, again fully patched.
Patches to fix this vulnerability may be released next month.
Full note: https://www.theregister.co.uk/2019/01/25/microsoft_exchange_domain_admin_eop/