Hundreds of Thousands of Credentials Leaked Due to Microsoft Exchange Protocol Flaw
Cybersecurity researchers have been able to capture hundreds of thousands of Windows domain and application credentials due to the design and implementation of the Autodiscover protocol used by Microsoft Exchange.
According to Microsoft, the Exchange Autodiscover service “provides an easy way for your client application to configure itself with minimal user input.” This allows users to, for example, configure their Outlook client by only needing to provide their username and password.
Back in 2017, researchers warned that implementation issues related to Autodiscover on mobile email clients could cause information leakage, and the vulnerabilities disclosed at the time were patched. However, an analysis conducted by cloud and data center security company Guardicore earlier this year showed that there are still some serious problems with the design and implementation of Autodiscover.
The problem is related to a “back-off” procedure. When Autodiscover is used to configure a client, the client attempts to build a URL based on the email address provided by the user. The URL looks something like this: https://Autodiscover.example.com/Autodiscover/Autodiscover.xml or https://example.com/Autodiscover/Autodiscover.xml.
However, if none of the URLs respond, the back-off mechanism kicks in and attempts to contact a URL that has the following format: http://Autodiscover.com/Autodiscover/Autodiscover.xml.
“This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain,” Guardicore explained.
The company registered nearly a dozen Autodiscover domains (e.g. Autodiscover.com.cn, Autodiscover.es, Autodiscover.in, Autodiscover.uk) and assigned them to a web server under its control.
Between April 16, 2021, and August 25, 2021, their server captured more than 370,000 Windows domain credentials and over 96,000 unique credentials leaked from applications such as Outlook and mobile email clients.
The credentials came from publicly traded companies, food manufacturers, power plants, investment banks, shipping and logistics firms, real estate companies, and fashion and jewelry companies.
“This is a severe security issue, since if an attacker can control such domains or has the ability to ‘sniff’ traffic in the same network, they can capture domain credentials in plain text (HTTP basic authentication) that are being transferred over the wire. Moreover, if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs,” Guardicore said.
The researchers have also devised an attack that can be used to downgrade a client’s authentication scheme, enabling an attacker to obtain credentials in clear text. The client will initially attempt to use a secure authentication scheme, such as NTLM or OAuth, which protect credentials against snooping, but the attack causes authentication to be downgraded to HTTP Basic authentication, where credentials are sent in clear text.
Guardicore noted that data leakage occurs due to how the protocol is implemented by application developers. They can prevent it from constructing URLs that can be abused by attackers.