The Microsoft Exchange Autodiscover protocol can leak credentials • The Register




A flaw in Microsoft’s Autodiscover protocol, used to configure Exchange clients such as Outlook, can cause user credentials to leak to third parties in certain circumstances.

The upshot is that an email client connected to Exchange can hand your username and password to a stranger if the loophole is successfully exploited. In a report due for release on Wednesday, security firm Guardicore said it identified a design flaw that leaks web requests to Autodiscover domains outside the user’s own domain but within the same top-level domain (TLD).

The Exchange Autodiscover protocol, in particular its POX (plain old XML) version, lets client applications obtain the configuration data needed to communicate with an Exchange server. It is invoked, for example, when a new Exchange account is added to Outlook: after the user provides a name, email address and password, Outlook uses Autodiscover to configure the client.

As Guardicore explained in a report provided to The Register, the client parses the email address – for example, [email protected] – and tries to construct a URL for the configuration data from combinations of the email domain, a subdomain, and a path string, as follows:

  • https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
  • http://Autodiscover.example.com/Autodiscover/Autodiscover.xml
  • https://example.com/Autodiscover/Autodiscover.xml
  • http://example.com/Autodiscover/Autodiscover.xml

If the client receives no response from any of these URLs – which can happen if Exchange is misconfigured or the client is somehow prevented from reaching those resources – the Autodiscover protocol falls back to a “back-off” algorithm that uses Autodiscover.<TLD> as the hostname. For example:

  • http://Autodiscover.com/Autodiscover/Autodiscover.xml

“This ‘back-off’ mechanism is the culprit behind this leak because it is still trying to resolve the Autodiscover part of the domain and it will always try to ‘fail’, so to speak,” explained Amit Serper, Guardicore’s vice president of security research for North America, in the report. “This means that anyone who owns Autodiscover.com will receive all requests that cannot reach the original domain.”
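The candidate-URL order and the “back-off” hostname described above, reconstructed for an arbitrary mailbox address, as an added example that is not Guardicore’s or Microsoft’s code. It also generalises the back-off to multi-label suffixes such as `.com.br`, and flags which candidates leave the user’s own domain; lowercase hostnames are used because DNS is case-insensitive.

```python
from urllib.parse import urlsplit

# Added example: rebuild the Autodiscover candidate list from the article and
# show that only the back-off URL points outside the user's own domain.

PATH = "/Autodiscover/Autodiscover.xml"


def backoff_url(domain: str) -> str:
    """Back-off step as described in the article: drop the leftmost label and
    query Autodiscover.<remaining suffix> over plain http.
    example.com -> autodiscover.com, example.com.br -> autodiscover.com.br
    """
    suffix = domain.split(".", 1)[1]
    return f"http://autodiscover.{suffix}{PATH}"


def autodiscover_candidates(email: str) -> list[str]:
    """Candidate URLs in the order the article lists them, back-off URL last."""
    domain = email.rsplit("@", 1)[1].lower()
    primary = [
        f"https://autodiscover.{domain}{PATH}",
        f"http://autodiscover.{domain}{PATH}",
        f"https://{domain}{PATH}",
        f"http://{domain}{PATH}",
    ]
    return primary + [backoff_url(domain)]


def leaves_user_domain(email: str, url: str) -> bool:
    """True when the request host is neither the user's domain nor a subdomain of it,
    i.e. whoever owns that host receives the request (and any credentials on it)."""
    domain = email.rsplit("@", 1)[1].lower()
    host = urlsplit(url).hostname or ""
    return not (host == domain or host.endswith("." + domain))


if __name__ == "__main__":
    for url in autodiscover_candidates("user@example.com"):  # constructed address
        marker = "LEAVES DOMAIN" if leaves_user_domain("user@example.com", url) else "ok"
        print(f"{marker:14} {url}")
```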

In an email to The Register, Serper said: “I believe it was the result of careless, or rather naive, design. [The] same flaws appear in other Microsoft protocols of similar functions.”

Having spotted that credentials could end up with whoever owns an Autodiscover.<TLD> domain, Guardicore acquired several such domains: Autodiscover.com.br, Autodiscover.com.cn, Autodiscover.com.co, Autodiscover.uk and Autodiscover.online, among others.

After pointing these domains at its web server, Guardicore began receiving many requests for Autodiscover endpoints from a variety of IP addresses and clients. It turns out that a lot of Exchange servers and clients are not configured very carefully.


“The most notable thing about these requests was that they asked for the relative path of /Autodiscover/Autodiscover.xml with the Authorization header already populated with the credentials in HTTP Basic Authentication,” said Serper, who observed that web requests like this should not be sent blindly before authentication.

HTTP Basic Access Authentication is Base64 encoded but not encrypted, so this is equivalent to sending credentials in the clear.

Between April 16, 2021 and August 25, 2021, Guardicore received approximately 649,000 HTTP requests destined for its Autodiscover domains, of which 372,000 carried credentials in Basic Authentication, amounting to approximately 97,000 unique pre-authentication credentials.

The requests came from publicly listed companies in China, food manufacturers, investment banks, power plants, energy distributors, real estate companies, shipping and logistics operations, and fashion and jewelry companies.

Many requests used alternatives to HTTP Basic authentication, such as NTLM and OAuth, which did not immediately expose the associated credentials. To capture those as well, Guardicore set up a downgrade attack.

When it received an HTTP request carrying an authentication token or an NTLM hash, the Guardicore server responded with an HTTP 401 and a WWW-Authenticate: Basic header, which tells the client that the server only supports HTTP Basic authentication. To make the session look legitimate, the company used a Let’s Encrypt certificate to avoid an SSL warning and ensure that a proper Outlook authentication prompt was presented, so potential victims would enter their credentials in full confidence.

Serper said he had no way of knowing if anyone had abused this loophole. “However, given that these protocol design flaws have been known for some time, I wouldn’t be surprised if a malicious actor with DNS poisoning capabilities tried it,” he said. “If a malicious actor is on the same network as the victim (eg on the same LAN/WLAN), carrying out a DNS poisoning attack in order to have these credentials disclosed to the victim is a totally viable scenario.”

These Autodiscover issues persisted despite previous security research that identified related issues. At Black Hat Asia 2017 [PDF], Shape Security researchers analyzed Autodiscover client implementations in the Samsung Mail (Android) app and Apple iOS Mail app and discovered flaws that allowed remote attackers to obtain user credentials through domain name collisions.

In his post, Serper advised Exchange users to turn off HTTP Basic Authentication, and suggested adding a list of all possible Autodiscover.<TLD> domains to a local hosts file or to a firewall configuration to block unwanted Autodiscover domain resolution. He also urged software vendors to avoid implementing a “back-off” mechanism that fails over to an unintended domain.
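The two defensive points above (spot Autodiscover requests that left the organisation with credentials attached, and block Autodiscover.<TLD> resolution locally), as an added example that is not Guardicore’s tooling. The proxy-log format, the organisation domain `example.com` and the log lines themselves are constructed for the example; Basic credentials are decoded only far enough to report the affected username.

```python
import base64
from urllib.parse import urlsplit

# Added example: detection over constructed web-proxy log lines plus a
# hosts-file blocklist for the Autodiscover.<TLD> back-off names.

ORG_DOMAIN = "example.com"          # assumption: the organisation's mail domain
PATH = "/Autodiscover/Autodiscover.xml"

# Constructed log lines: "<client> <method> <url> <Authorization header or ->"
LOG = """\
10.0.0.5 GET http://autodiscover.example.com/Autodiscover/Autodiscover.xml -
10.0.0.5 POST http://autodiscover.com/Autodiscover/Autodiscover.xml Basic dXNlckBleGFtcGxlLmNvbTpodW50ZXIy
10.0.0.9 POST http://autodiscover.com/Autodiscover/Autodiscover.xml NTLM TlRMTVNTUAAB
10.0.0.7 GET https://example.com/Autodiscover/Autodiscover.xml Basic dXNlckBleGFtcGxlLmNvbTpodW50ZXIy
"""


def find_leaks(log: str, org_domain: str) -> list[dict]:
    """One finding per Autodiscover request whose host is outside org_domain
    and which carried credentials: Basic means the receiver saw them in clear,
    NTLM/OAuth-style schemes are exposed to the 401 downgrade the article describes."""
    findings = []
    for line in log.splitlines():
        client, _method, url, auth = line.split(maxsplit=3)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.path != PATH or host == org_domain or host.endswith("." + org_domain):
            continue  # stayed on our own Autodiscover endpoints
        scheme, _, token = auth.partition(" ")
        if scheme == "Basic":
            user = base64.b64decode(token).decode().split(":", 1)[0]
            findings.append({"client": client, "host": host,
                             "severity": "cleartext", "user": user})
        elif scheme in ("NTLM", "Negotiate", "Bearer"):
            findings.append({"client": client, "host": host,
                             "severity": "downgradable", "user": None})
    return findings


def hosts_blocklist(tlds: list[str]) -> str:
    """hosts-file lines pinning autodiscover.<TLD> to 0.0.0.0 so the back-off
    hostname never resolves to a third party."""
    return "\n".join(f"0.0.0.0 autodiscover.{t.strip('.').lower()}" for t in tlds)


if __name__ == "__main__":
    for f in find_leaks(LOG, ORG_DOMAIN):
        print(f)
    print(hosts_blocklist(["com", "com.br", "uk", "online"]))
```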

The Autodiscover flaw extends beyond Microsoft to third-party vendors who have implemented the protocol in their own products. Serper said Guardicore is currently working with an unidentified large vendor on this matter and will release more details once the remediation process is complete.

Because this issue can be mitigated with proper configuration, Microsoft is unlikely to treat it as a security issue that needs immediate attention. Serper said it’s unclear how the Windows giant will choose to respond. “Microsoft has a habit of dismissing critical issues as features,” he said. “That being said, I can’t imagine why Microsoft wouldn’t address such issues.” ®
