Until it is determined whether this attack can be relayed via WebDAV (i.e., via HTTP through your firewall even if it's blocking SMB), I would also disable the "Web Client" service on your Exchange server. /cc @wdormann https://twitter.com/certcc/status/1089570070693642240
Replying to @mkolsek
What's the scenario that you're looking to protect against here? One where a firewall exists between the attacker and the Exchange server, but there isn't one between the attacker and the Domain Controller?
IMO, the problem is because Exchange 2013 and later don't sign/seal the NTLM authentication request from the Exchange server. This allows an attacker to relay the request without needing to know the credentials of the Exchange server account.
The documented EWS PushSubscriptionRequest() function allows an Exchange mailbox owner to cause the Exchange server to make an HTTP request to an arbitrary web server. And it happens to attempt NTLM authentication while at it.
So the subscription request is originally HTTP with authentication? Not SMB?
Yes. See these screenshots of Exchange 2010 traffic vs. Exchange 2013. All the magic is happening over HTTP, as that's what the exploit's call to PushSubscriptionRequest() tells the Exchange server to connect to. Note the difference between the sign/seal flags and wonder... pic.twitter.com/uAQ4YSEoKo
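The thread ends by telling the reader to compare the NTLM sign/seal flags in the captured HTTP traffic. The following script is an added example, not code from the thread's participants or from Exchange: it decodes the NegotiateFlags field of an NTLM message carried in an HTTP Authorization or WWW-Authenticate header and reports whether NTLMSSP_NEGOTIATE_SIGN, NTLMSSP_NEGOTIATE_SEAL and NTLMSSP_NEGOTIATE_ALWAYS_SIGN are set. Field offsets and flag values follow MS-NLMP; the sample messages and header values are constructed here for the example and are not captures from Exchange 2010 or 2013.

```python
"""
Decode NegotiateFlags from NTLM messages found in HTTP auth headers and report
whether signing/sealing was negotiated. Sample messages below are constructed
for this example (assumption: not real Exchange traffic).
"""
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"

# Subset of MS-NLMP NegotiateFlags (section 2.2.2.5) relevant to relay analysis.
FLAGS = {
    "NTLMSSP_NEGOTIATE_UNICODE": 0x00000001,
    "NTLMSSP_REQUEST_TARGET": 0x00000004,
    "NTLMSSP_NEGOTIATE_SIGN": 0x00000010,
    "NTLMSSP_NEGOTIATE_SEAL": 0x00000020,
    "NTLMSSP_NEGOTIATE_NTLM": 0x00000200,
    "NTLMSSP_NEGOTIATE_ALWAYS_SIGN": 0x00008000,
    "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY": 0x00080000,
    "NTLMSSP_NEGOTIATE_VERSION": 0x02000000,
    "NTLMSSP_NEGOTIATE_128": 0x20000000,
    "NTLMSSP_NEGOTIATE_KEY_EXCH": 0x40000000,
    "NTLMSSP_NEGOTIATE_56": 0x80000000,
}
SIGN = FLAGS["NTLMSSP_NEGOTIATE_SIGN"]
SEAL = FLAGS["NTLMSSP_NEGOTIATE_SEAL"]
ALWAYS_SIGN = FLAGS["NTLMSSP_NEGOTIATE_ALWAYS_SIGN"]

# Byte offset of NegotiateFlags in NEGOTIATE (type 1), CHALLENGE (type 2)
# and AUTHENTICATE (type 3) messages (MS-NLMP 2.2.1.1 - 2.2.1.3).
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}
TYPE_NAME = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Fixed 8-byte Version field (major, minor, build, reserved, NTLMRevisionCurrent).
VERSION_FIELD = struct.pack("<BBH3sB", 10, 0, 0, b"\x00\x00\x00", 0x0F)


def parse_ntlm_message(blob: bytes) -> dict:
    """Return message type, raw flags, named flags and sign/seal booleans."""
    if len(blob) < 12 or blob[:8] != NTLM_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type not in FLAGS_OFFSET:
        raise ValueError(f"unknown NTLM message type {msg_type}")
    off = FLAGS_OFFSET[msg_type]
    if len(blob) < off + 4:
        raise ValueError("message truncated before NegotiateFlags")
    (flags,) = struct.unpack_from("<I", blob, off)
    return {
        "type": msg_type,
        "type_name": TYPE_NAME[msg_type],
        "flags": flags,
        "set": sorted(name for name, bit in FLAGS.items() if flags & bit),
        "sign": bool(flags & SIGN),
        "seal": bool(flags & SEAL),
        "always_sign": bool(flags & ALWAYS_SIGN),
    }


def parse_authorization_header(value: str) -> dict:
    """Decode 'NTLM <base64>' (or a Negotiate token wrapping NTLMSSP)."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        raise ValueError(f"unsupported auth scheme {scheme!r}")
    raw = base64.b64decode(token)
    start = raw.find(NTLM_SIGNATURE)  # Negotiate wraps NTLMSSP in SPNEGO
    if start < 0:
        raise ValueError("no NTLMSSP signature in token")
    return parse_ntlm_message(raw[start:])


def encode_header(blob: bytes) -> str:
    """Format a raw NTLM message the way it travels in an HTTP header."""
    return "NTLM " + base64.b64encode(blob).decode()


def summarize(parsed: dict) -> str:
    """One-line verdict a reviewer can paste next to a capture."""
    state = ", ".join(
        f"{name}={'yes' if parsed[name] else 'no'}"
        for name in ("sign", "seal", "always_sign")
    )
    return f"{parsed['type_name']} flags=0x{parsed['flags']:08x}: {state}"


def build_negotiate(flags: int) -> bytes:
    """Minimal NEGOTIATE_MESSAGE: empty domain/workstation, Version present."""
    fields = struct.pack("<HHI", 0, 0, 40)  # Len, MaxLen, BufferOffset
    return NTLM_SIGNATURE + struct.pack("<II", 1, flags) + fields * 2 + VERSION_FIELD


def build_challenge(flags: int) -> bytes:
    """Minimal CHALLENGE_MESSAGE: empty TargetName/TargetInfo, fixed challenge."""
    fields = struct.pack("<HHI", 0, 0, 56)
    return (NTLM_SIGNATURE + struct.pack("<I", 2) + fields + struct.pack("<I", flags)
            + b"\x01" * 8 + b"\x00" * 8 + fields + VERSION_FIELD)


# Constructed flag sets: one without, one with sign/seal negotiation.
WEAK_FLAGS = 0xA2000205      # UNICODE|REQUEST_TARGET|NTLM|VERSION|128|56
SIGNED_FLAGS = 0xE2008235    # WEAK_FLAGS | SIGN | SEAL | ALWAYS_SIGN | KEY_EXCH

if __name__ == "__main__":
    for label, blob in (("weak client", build_negotiate(WEAK_FLAGS)),
                        ("signing client", build_negotiate(SIGNED_FLAGS)),
                        ("server challenge", build_challenge(SIGNED_FLAGS))):
        print(label, "->", summarize(parse_authorization_header(encode_header(blob))))
```

Point it at the Authorization header of the Exchange-to-attacker request and the WWW-Authenticate header of the reply; a NEGOTIATE message with neither sign nor seal set is the case the thread is pointing at.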