Microsoft Exchange is deployed across large organizations everywhere and is extremely complex. As a result, it is becoming a goldmine for bug hunters.
Microsoft Exchange creates two sites in IIS. The first site serves web access (OWA) and is known as the frontend. The frontend website is mostly a proxy to the backend: for all post-authentication requests, the frontend's main role is to repackage the requests and proxy them to the corresponding endpoints on the Exchange backend site. The other site is known as the backend and handles the bulk of the actual work.
Exchange supports a feature called Delegated Authentication for cross-forest topologies. Because the frontend cannot perform the authentication itself in this situation, it forwards the request to the backend. However, the backend only authenticates such a request if the DelegatedAuthModule is loaded.
If the DelegatedAuthModule is not loaded, we have a problem. The frontend still forwards the request to the backend for authentication, but the backend has no idea that it is supposed to validate the SecurityToken header. What does this mean? A complete auth bypass!
This small authentication bypass can be used to change the configuration on the Exchange site for an arbitrary user. As a result, the attacker can receive a copy of every email, almost undetected. Boom!
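As an added example (not code from the original post or from Microsoft), the script below shows one way a defender might hunt for the symptom this bypass leaves behind in access logs: a request that carries the SecurityToken marker, is answered with a success status, yet has no authenticated username recorded. The simplified IIS-style log format and field order, the `/ecp/` paths, the client IPs and the token column are all constructed for this example and are not taken from real Exchange logs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log (NOT real Exchange/IIS output). One request per line:
#   date time method uri-stem cs-username c-ip sc-status security-token
# "-" means the field is empty, as IIS logs do for missing values.
SAMPLE_LOG = """\
2021-07-01 10:00:01 GET  /owa/               alice@corp.example 10.0.0.5  200 -
2021-07-01 10:00:07 POST /ecp/settings.aspx  -                  10.0.0.99 200 SecurityToken=present
2021-07-01 10:00:09 POST /ecp/settings.aspx  bob@corp.example   10.0.0.6  200 -
2021-07-01 10:00:11 GET  /ecp/               -                  10.0.0.99 401 SecurityToken=present
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s+(\S+)$")


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    reason: str


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed log line into a record; return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _date, _time, method, uri, user, ip, status, token = m.groups()
    return {
        "method": method,
        "uri": uri,
        "user": user,
        "ip": ip,
        "status": int(status),
        "token": token,
    }


def is_unauthenticated_success(rec: Dict[str, object]) -> bool:
    """The bypass signature: a SecurityToken was presented, the backend answered
    2xx, but no authenticated identity was ever recorded for the request."""
    return (
        rec["token"] != "-"
        and rec["user"] == "-"
        and 200 <= int(rec["status"]) < 300
    )


def scan(log_text: str) -> List[Finding]:
    """Walk the log and collect every request matching the bypass signature."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than failing the scan
        if is_unauthenticated_success(rec):
            findings.append(
                Finding(
                    line_no=n,
                    client_ip=str(rec["ip"]),
                    uri=str(rec["uri"]),
                    reason="2xx with SecurityToken but no authenticated user",
                )
            )
    return findings


def sources(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per client IP so a repeat offender stands out in triage."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} -> {f.uri} ({f.reason})")
    print(sources(scan(SAMPLE_LOG)))
```

The rule deliberately ignores the 401 on the last line: a rejected token is the backend behaving correctly, so only successful responses with an empty identity field are reported. On a real deployment the same logic would need to be pointed at the backend site's logs with the token field actually enabled, which is an assumption here.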