Researchers discovered a design flaw in Microsoft Exchange’s Autodiscover protocol that allowed them to capture 372,072 Windows domain credentials, as well as 96,671 distinct sets of credentials from third-party email client applications like Microsoft Outlook. Amit Serper, who discovered the problem, said that the two main issues are the design of the Autodiscover protocol, specifically its “back-off” algorithm, and poor implementation in certain applications.
An attacker who can sniff network traffic or take control of specific domains can capture domain credentials in plain text (HTTP Basic authentication). This is a serious security problem. Additionally, attackers can use large-scale DNS poisoning attacks to collect domain credentials, compromising security for many companies at once.
Autodiscover builds a list of endpoints from the domain part of the user’s email address; these are the locations where the autodiscover.xml file is usually found. The email client constructs URLs in the following formats when configuring an email account:
- https://autodiscover.domain.com/autodiscover/autodiscover.xml
- http://autodiscover.domain.com/autodiscover/autodiscover.xml
- https://domain.com/autodiscover/autodiscover.xml
- http://domain.com/autodiscover/autodiscover.xml
If none of these endpoints respond, the “back-off” procedure is initiated, and this is the design flaw: once all of the endpoints have failed, the client strips the domain down to its top-level part and makes its next attempt at retrieving autodiscover.xml from:
http://Autodiscover.com/Autodiscover/Autodiscover.xml
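The following is an added example, not code from the article or from the researcher: it models the endpoint list and the “back-off” step described above, and adds the check a defender would want, namely which URLs a back-off-capable client would try that fall outside the organisation’s own domain. The email addresses and domains are constructed; the one-label-stripping rule for the back-off is an assumption made from the domain.com to Autodiscover.com case the article shows.

```python
"""
Model of Autodiscover endpoint generation and the "back-off" step.
Added example; domains below are constructed and not real targets.
"""
from urllib.parse import urlsplit


def _domain_of(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()


def autodiscover_candidates(email: str) -> list[str]:
    """The four standard endpoints a client derives from the address domain."""
    domain = _domain_of(email)
    return [
        f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
        f"http://autodiscover.{domain}/autodiscover/autodiscover.xml",
        f"https://{domain}/autodiscover/autodiscover.xml",
        f"http://{domain}/autodiscover/autodiscover.xml",
    ]


def backoff_candidate(email: str) -> str:
    """The flawed "back-off" URL: the leftmost label of the domain is dropped,
    so alice@example.com is sent to autodiscover.com, a host the organisation
    does not control (assumption: one label is stripped per back-off step)."""
    domain = _domain_of(email)
    parent = domain.split(".", 1)[1] if "." in domain else domain
    return f"http://autodiscover.{parent}/autodiscover/autodiscover.xml"


def stays_in_domain(url: str, domain: str) -> bool:
    """True if the URL's host is the organisation's domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def leaking_candidates(email: str) -> list[str]:
    """Every URL a back-off-capable client would try that leaves the user's domain.
    A credential sent to any of these goes to a third party."""
    domain = _domain_of(email)
    attempts = autodiscover_candidates(email) + [backoff_candidate(email)]
    return [u for u in attempts if not stays_in_domain(u, domain)]


if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@mail.example.co.uk"):
        print(addr, "->", leaking_candidates(addr))
```

The four standard candidates always stay inside the user’s domain, so `leaking_candidates` returns exactly the back-off URL; a client that never reaches the back-off step (the vendor-side fix discussed below) has an empty leak list.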
The owner of the autodiscover.com domain can now receive all requests that failed to reach their original domains. The researchers registered several Autodiscover domains under different TLDs, such as Autodiscover.fr and Autodiscover.com.co, and pointed them at a web server. Large numbers of Autodiscover requests arrived carrying an Authorization header, from a variety of verticals including investment banks, power plants, and manufacturing firms.
Organizations can mitigate the problem by registering their own Autodiscover domains and by blocking all other Autodiscover.TLD domains in local DNS or at the firewall. Poor implementation of the Autodiscover protocol in email clients also contributes to the issue: software vendors can avoid it by not letting the application fall through to the “back-off” step in which autodiscover.TLD domains are constructed. System administrators should disable basic authentication on Microsoft Exchange servers, so that clear-text credentials are not sent over the network where they are easy to intercept.
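To see what the DNS and firewall mitigation above is aiming at, here is an added example (not from the article) that scans web-proxy log lines for Autodiscover requests that left the organisation’s own domains, which is exactly the traffic the back-off step produces. The log format, IP addresses, domains and the `auth` field are constructed for the example; a real proxy may not record the Authorization scheme, in which case only the destination host is available for detection.

```python
"""
Detection of Autodiscover "back-off" traffic in proxy logs.
Added example with constructed log lines and constructed org domains.
"""
import re
from urllib.parse import urlsplit

# Constructed: the domains this organisation actually owns.
ORG_DOMAINS = {"example.com", "example.co.uk"}

# Constructed log lines: timestamp client method url status auth-scheme
SAMPLE_LOG = """\
2021-09-22T10:01:02Z 10.0.0.5 GET https://autodiscover.example.com/autodiscover/autodiscover.xml 503 -
2021-09-22T10:01:03Z 10.0.0.5 GET http://example.com/autodiscover/autodiscover.xml 404 -
2021-09-22T10:01:04Z 10.0.0.5 GET http://autodiscover.com/autodiscover/autodiscover.xml 401 -
2021-09-22T10:01:05Z 10.0.0.5 GET http://autodiscover.com/autodiscover/autodiscover.xml 200 Basic
2021-09-22T10:02:10Z 10.0.0.9 GET https://autodiscover.example.co.uk/autodiscover/autodiscover.xml 200 NTLM
2021-09-22T10:03:30Z 10.0.0.7 GET http://autodiscover.co.uk/autodiscover/autodiscover.xml 200 Basic
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def in_org(host: str, org_domains: set[str]) -> bool:
    """True if host is one of the organisation's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in org_domains)


def find_backoff_requests(log_text: str, org_domains: set[str] = ORG_DOMAINS) -> list[dict]:
    """Return one finding per Autodiscover request whose host is an
    autodiscover.* name outside the organisation. credentials_sent is set
    when the request carried HTTP Basic authentication, i.e. a clear-text
    credential went to a third party."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts, client, _method, url, _status, auth = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not parts.path.lower().endswith("/autodiscover/autodiscover.xml"):
            continue
        if not host.startswith("autodiscover.") or in_org(host, org_domains):
            continue  # legitimate in-house Autodiscover lookup
        findings.append({
            "time": ts,
            "client": client,
            "host": host,
            "credentials_sent": auth.lower() == "basic",
        })
    return findings


if __name__ == "__main__":
    for f in find_backoff_requests(SAMPLE_LOG):
        print(f)
```

Every finding is a host worth adding to the local DNS or firewall block list; the ones with `credentials_sent` set are the clients whose domain password should be treated as exposed.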
Conclusion
Domain credentials are commonly used to log into an Exchange-based mailbox, and it is crucial to be aware of this fact. If domain credentials are compromised on a large scale, the impact can be devastating, especially where 2FA isn’t configured, and it can lead to financial loss for the target company. A compromised business email account can give access to sensitive information in the mailbox and allow password resets. Leaked domain credentials can also be used to establish a foothold on the network through internet-exposed services like SSL VPN and Remote Desktop Gateways (yes, RDP gateways are still a thing!) or through unpatched Exchange servers.
You can find more information about the researcher who found the fault in Microsoft Exchange AutoDiscover here.
Testing Microsoft Exchange
Do you want to learn more about Microsoft Exchange penetration testing? Keep checking the Hacking Tutorials website for updates as we work on an Exchange penetration testing tutorial series.