An uncorrected design flaw in the implementation of the Microsoft Exchange Autodiscover protocol has resulted in the leakage of approximately 100,000 login names and passwords for Windows domains around the world.
“This is a serious security issue, because if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, he can capture domain credentials in plain text (HTTP basic authentication) which are transferred over the wire,” Amit Serper from Guardicore noted in a technical report.
“Additionally, if the attacker has large-scale DNS poisoning capabilities (like a nation-state attacker), he could systematically siphon leaked passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs [top-level domains].”
The Exchange Autodiscover service lets users configure applications such as Microsoft Outlook with minimal user intervention: supplying only an email address and password is enough to retrieve the other settings required to configure their email clients.
The weakness discovered by Guardicore lies in a specific implementation of Autodiscover based on the POX (“plain old XML”) protocol, which leaks web requests to Autodiscover domains outside the user’s domain but within the same top-level domain.
In a hypothetical example where a user’s email address is “firstname.lastname@example.org”, the email client uses the Autodiscover service to build a URL for retrieving configuration data from one of the combinations below of mail domain, subdomain and path string, failing which it falls back to a “back-off” algorithm –
“This ‘back-off’ mechanism is the culprit for this leak because it is still trying to resolve the Autodiscover part of the domain and it will always try to ‘fail’, so to speak,” Serper explained. “Which means the result of the next attempt to create an Autodiscover URL would be https://Autodiscover.com/Autodiscover/Autodiscover.xml. This means that anyone who owns Autodiscover.com will receive any requests that cannot reach the original domain.”
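The following is an added example, not Guardicore’s or any mail client’s code. It models the back-off described above: a naive client keeps stripping the leftmost label of the mail domain and re-prepending “autodiscover.”, so for example.org it eventually asks autodiscover.org, a host the organisation does not own. Beside it is a scoped variant that refuses any candidate outside the user’s own mail domain. The first-round candidate set, the email addresses and the URL path convention are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Added example, not Guardicore's or any vendor's code. The first-round
# candidate list and the e-mail addresses below are constructed assumptions.

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def mail_domain(email):
    """Return the lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[1].lower().rstrip(".")


def initial_candidates(email):
    """Assumed first-round URLs: autodiscover subdomain and bare mail domain."""
    domain = mail_domain(email)
    return [
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"http://{domain}{AUTODISCOVER_PATH}",
    ]


def naive_backoff(email):
    """Flawed back-off as the article describes it: drop the leftmost label
    of the mail domain and prepend 'autodiscover.' again, all the way down
    to the TLD. For user@example.org the last host is autodiscover.org."""
    labels = mail_domain(email).split(".")
    urls = []
    while labels:
        urls.append(f"https://autodiscover.{'.'.join(labels)}{AUTODISCOVER_PATH}")
        labels = labels[1:]
    return urls


def host_in_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def scoped_backoff(email):
    """Hardened variant: keep only candidates whose host stays inside the
    user's mail domain, so an autodiscover.<TLD> host is never contacted."""
    domain = mail_domain(email)
    keep = []
    for url in initial_candidates(email) + naive_backoff(email):
        host = urlparse(url).hostname
        if host_in_domain(host, domain) and url not in keep:
            keep.append(url)
    return keep


def off_domain_hosts(email):
    """Hosts the naive back-off would contact outside the user's domain."""
    domain = mail_domain(email)
    hosts = [urlparse(u).hostname for u in naive_backoff(email)]
    return [h for h in hosts if not host_in_domain(h, domain)]


if __name__ == "__main__":
    for addr in ("firstname.lastname@example.org", "user@mail.corp.example.com"):
        print(addr, "-> leaks to:", off_domain_hosts(addr))
```

The scoped variant is deliberately strict: for a mailbox at mail.corp.example.com it will not even try autodiscover.example.com, because the client has no way to know which parent domains the organisation controls; only an explicitly configured server should widen that scope.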
Armed with this discovery, Guardicore registered a number of Autodiscover top-level domains (e.g. Autodiscover.com[.]br, Autodiscover.com[.]cn, Autodiscover[.]in) as honeypots and said it was able to capture Autodiscover endpoint requests from a range of domains, IP addresses and clients, amounting to 96,671 unique credentials sent from Outlook, mobile email clients and other applications interfacing with Microsoft Exchange servers over a four-month period between April 16, 2021 and August 25, 2021.
The domains of the leaked credentials belonged to multiple entities across several industry verticals, including publicly listed companies in China, investment banks, food manufacturers, power plants and real estate companies, the Boston-based cybersecurity company noted.
To make matters worse, the researchers developed a downgrade attack (the “ol’ switcheroo”) that involved sending a request to the client to switch to a weaker authentication scheme (that is, Basic HTTP authentication) instead of secure methods such as OAuth or NTLM, prompting the mail application to send domain credentials in clear text.
To mitigate Autodiscover leaks, Exchange users are advised to turn off Basic authentication support and to add a list of all possible Autodiscover.TLD domains to a local hosts file or firewall configuration so that these names never resolve. Software vendors are also advised not to implement a “back-off” procedure that fails upward and constructs domains such as “Autodiscover.<TLD>” outside the user’s own domain.
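The hosts-file mitigation above, as an added example that is not part of the original article or Guardicore’s report: it generates sinkhole entries for autodiscover.<TLD> names from a TLD list and then reuses the same list to flag outbound requests to those names in a proxy log, which is the check a defender would run to confirm whether clients on the network are still leaking. The TLD list and the log lines are constructed samples, not real data.

```python
from urllib.parse import urlparse

# Added example, not Guardicore's code. The TLD list and proxy log lines are
# constructed samples; a real deployment would use a complete TLD list.

SAMPLE_TLDS = ["com", "org", "net", "com.br", "com.cn", "in"]


def blocklist_hosts(tlds):
    """autodiscover.<tld> names that an org never legitimately needs."""
    return [f"autodiscover.{tld.lower().strip('.')}" for tld in tlds]


def hosts_file_entries(tlds, sink="0.0.0.0"):
    """Lines for a hosts file that pin each autodiscover.<tld> to a sink
    address, so a failing-upward client resolves nothing useful."""
    return [f"{sink} {host}" for host in blocklist_hosts(tlds)]


def is_autodiscover_tld(host, tlds):
    """True only for the bare autodiscover.<tld> names; an organisation's own
    autodiscover.example.org subdomain is not matched."""
    return host.lower().rstrip(".") in set(blocklist_hosts(tlds))


# Constructed proxy log: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2021-05-02T09:14:33Z 10.0.0.15 GET https://autodiscover.example.org/Autodiscover/Autodiscover.xml 200
2021-05-02T09:14:34Z 10.0.0.15 GET https://autodiscover.org/Autodiscover/Autodiscover.xml 401
2021-05-02T09:15:01Z 10.0.0.22 GET https://autodiscover.com.br/Autodiscover/Autodiscover.xml 200
2021-05-02T09:15:07Z 10.0.0.22 GET https://example.org/Autodiscover/Autodiscover.xml 404
"""


def flag_leaky_requests(log_text, tlds):
    """Return (client_ip, host) pairs for requests that left the org's own
    domain and reached an autodiscover.<tld> host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line, skip it
        host = urlparse(parts[3]).hostname
        if host and is_autodiscover_tld(host, tlds):
            hits.append((parts[1], host))
    return hits


if __name__ == "__main__":
    print("\n".join(hosts_file_entries(SAMPLE_TLDS)))
    for ip, host in flag_leaky_requests(SAMPLE_PROXY_LOG, SAMPLE_TLDS):
        print(f"client {ip} contacted {host}")
```

Blocking at the resolver or firewall only stops the request; clients that already reached a sinkhole have still attempted the request, so the log check is what tells you which machines still run an implementation that fails upward and need the Basic authentication change as well.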
“Often, attackers will try to trick users into sending them their credentials by applying various techniques, whether technical or through social engineering,” Serper said. “However, this incident shows us that passwords can be disclosed outside the organization’s perimeter by a protocol intended to streamline IT operations with respect to configuring the email client without anyone from IT or security knowing it, which underscores the importance of proper segmentation and Zero Trust.”