Domain server

Microsoft Exchange bug exposes approximately 100,000 Windows domain credentials

Posted on Author Chad J. Seals Comments Off on Microsoft Exchange bug exposes approximately 100,000 Windows domain credentials

An uncorrected design flaw in the implementation of the Microsoft Exchange Autodiscover protocol has resulted in the leakage of approximately 100,000 login names and passwords for Windows domains around the world.

“This is a serious security issue, because if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, he can capture domain credentials in plain text. (HTTP basic authentication) which are transferred over the wire “, Amit Serper from Guardicore noted in a technical report.

“Additionally, if the attacker has large-scale DNS poisoning capabilities (like an attacker of a nation-state), he could systematically siphon leaked passwords through a large-scale DNS poisoning campaign.” based on these Autodiscover TLDs. [top-level domains]. “

GitHub automatic backups

The exchange Auto discovery The service allows users to configure applications such as Microsoft Outlook with minimal user intervention, simply allowing the use of a combination of email addresses and passwords to retrieve other presets required to configure. their email clients.

The weakness discovered by Guardicore lies in a specific implementation of Autodiscover based on the SMALLPOX (aka “plain old XML”) An XML protocol that leaks web requests to Autodiscover domains outside the user’s domain, but in the same top-level domain.

In a hypothetical example where a user’s email address is “user@example.com”, the email client uses the Autodiscover service to create a URL to retrieve configuration data using one of the combinations below of mail domain, subdomain and path string, failing which it instantiates a “back-off” algorithm –

  • https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
  • https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
  • https://example.com/Autodiscover/Autodiscover.xml
  • https://example.com/Autodiscover/Autodiscover.xml

“This ‘back-off’ mechanism is the culprit for this leak because it is still trying to resolve the Autodiscover part of the domain and it will always try to ‘fail’, so to speak,” Serper explained. “Which means the result of the next attempt to create an Autodiscover URL would be:” https://Autodiscover.com/Autodiscover/Autodiscover.xml. “This means that anyone who owns Autodiscover.com will receive any requests that cannot reach the original domain.”

Prevent data breaches

Armed with this discovery and registering a number of Autodiscover top level domains (e.g. Autodiscover.com[.]br, Autodiscover.com[.]cn, automatic discovery[.]in, etc.) as honeypots Guardicore said it was able to access Autodiscover endpoint requests from different domains, IP addresses and clients resulting in 96,671 Unique credentials sent from Outlook, mobile email clients, and other applications interfacing with Microsoft’s Exchange server over a four-month period between April 16, 2021 and August 25, 2021.

The domains of this leaked credential belonged to multiple entities across multiple industry verticals spanning listed companies in China, investment banks, food manufacturers, power plants and real estate companies, the company noted. Cyber ​​Security Center based in Boston.

To make matters worse, the researchers developed an “old-fashioned” attack that involved sending a request to the client to switch to a weaker authentication scheme (that is, Basic HTTP authentication) instead of secure methods such as OAuth or NTLM, prompting the mail application to send domain credentials in clear text.

To mitigate Autodiscover leaks, it is recommended that Exchange users turn off Basic authentication support and add a list of all possible Autodiscover.TLD domains to a local hosts file or firewall configuration to prevent unwanted Autodiscover domain resolution. Software vendors are also advised to avoid implementing a “back-off” procedure that fails to build unforeseen areas like “Autodiscover”.

“Often, attackers will try to trick users into sending them their credentials by applying various techniques, whether technical or through social engineering,” Serper said. “However, this incident shows us that passwords can be disclosed outside the organization’s perimeter by a protocol intended to streamline IT operations with respect to configuring the email client without anyone from IT. or security knows it, which underscores the importance of proper segmentation and Zero Trust. “

Chad J. Seals
https://indocquent.com

Related Articles
Domain server

Domain and Hosting Market Size, Scope and Outlook

Posted on Author Chad J. Seals

New Jersey, United States – The study is a professional and comprehensive assessment of the Domain and hosting market with an emphasis on in-depth analysis of market data. The aim of the study is to provide a quick understanding of the business along with a comprehensive categorization of the Domain and Hosting market by type, […]
Domain server

How photos fall into the public domain and can be used in advertisements around the world

Posted on Author Chad J. Seals

But his example raises questions for the rest of us about copyright issues and the potential misuse of images in the age of social media, when personal photos can be reproduced and reused all over the internet. To better understand this complex minefield, we asked two experts to explain. What does public domain mean? Public […]
Domain server

Crypto exchange Bitbuy buys domain name from Kogan

Posted on Author Chad J. Seals

Kogan and Canadian crypto-trading platform Bitbuy have entered into a domain sale agreement that will see Kogan sell the bitbuy.com domain name to Bitbuy’s parent company, First Ledger. Kogan owns and manages a portfolio of domain names, including bitbuy.com. Under the sale agreement, Kogan will receive $1.5 million in cash and a warrant giving the […]