A study conducted by Guardicore security researcher Amit Serper recently demonstrated the potential for large-scale credentials compromise owing to a pre-existing security vulnerability in Microsoft applications utilizing the Autodiscover protocol.
The Autodiscover Protocol is used by Microsoft Exchange for automatic configuration of clients such Microsoft Outlook.
Researchers were able to leak nearly 100,000 unique login names and passwords for Windows domains worldwide, they revealed in a report. Among the compromised information was 372,072 Windows domain credentials and 96,671 unique credentials.
The vulnerability affects all kinds of applications that interface with Exchange Server, such as Microsoft Outlook and various mobile email clients.
Test the real-world effectiveness of your security controls while achieving compliance and protecting your brand. Cyberwarfare expert, NATO offensive Top Security Clearance and ex-NSA are main members of our core team. Our ethical hackers will find weaknesses in your infrastructure, exploit them, and report their findings.
How does the Autodiscover bug leak your credentials?
In short, the bug is a design flaw that causes the protocol to “leak” web requests to Autodiscover domains outside of the user’s domain but in the same TLD, e.g., Autodiscover.com.
To carry out their investigation, Guardicore purchased and configured multiple such Autodiscover domains with a TLD suffix and set them up to reach a web server under their control.
A specific implementation of the POX (aka “plain old XML”) XML protocol is what leads to the vulnerability. Particularly in situations where applications exchange raw XML documents using standard transfer protocols such as HTTP, SMTP, FTP, and others.
When adding a new Microsoft Exchange Account to Outlook, for example, Autodiscover attempts to put together a URL to fetch configuration data based on the email domain.
The next part is explained by Serpa, “In the case that none of these URLs are responding, Autodiscover will start its “back-off” procedure. This “back-off” mechanism is the culprit of this leak because it is always trying to resolve the Autodiscover portion of the domain and it will always try to “fail up,” so to speak. Meaning, the result of the next attempt to build an Autodiscover URL would be:”
In the end, all of the requests unable to reach the original domain will simple be exposed to the owner of Autodiscover.com.
Exposing the vulnerability allows an attacker to sniff the connection and capture domain credentials in plain text (HTTP basic authentication) in transfer.
Microsoft dragging their feet on a known critical issue?
In the meantime, Microsoft Senior Director Jeff Jones claimed that Serpa had disclosed this flay publicly before informing the software giant. However, Serpa maintains that this issue has been known about for over four years and, therefore, it was not necessary to disclose it to Microsoft first.
In response, Serpa has also spoken out against Microsoft in a Tweet stream, which he regards as having been dragging their feet on this known security flaw for years.
The flaw was first discovered by Shape Security and described in a paper back in 2017. It has also since featured in many other media, including the August 2021 iteration of the Black Hat conference where it was shown to contribute to ProxyLogon vulnerabilities and attacks featuring Exchange Servers.
However, Serpa and Guardicore seem to be the first who were able to exploit it on a mass scale.
While no patch has been released yet, Microsoft has initiated purchasing all of the autodiscover TLDs that can be used to exploit this security flaw.
However, many in the cybersecurity field may view this as too little too late considering the massive potential impact this vulnerability could have on businesses, governments, and even critical infrastructure.
As Amit Serper puts it in his post:
“The vulnerabilities disclosed by Shape Security were patched, yet, here we are in 2021 with a significantly larger threat landscape, dealing with the exact same problem only with more third-party applications outside of email clients. These applications are exposing their users to the same risks. We have initiated responsible disclosure processes with some of the vendors affected.”
Serpa continued, “if the attacker has DNS-poisoning capabilities on a large scale (such as a nation-state attacker), they could systematically syphon out leaky passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs [top-level domains].”
If nothing else, this entire incident shows that businesses cannot be lax and hope for their vendors to promptly patch and address every security issue that affects their software. This is even true of a highly reputable and widely trusted company as Microsoft. Security stakeholders should always be on the lookout for newly discovered potential vulnerabilities and security flaws so that they can proactively try to implement workarounds or monitor for live exploits.