
Bypassing Two-Factor Authentication on OWA and Office365 Portals

posted Nov 7, 2016, 5:52 AM by Beau Bullock
FULL DISCLOSURE: BLACK HILLS INFORMATION SECURITY BELIEVES IN RESPONSIBLE DISCLOSURE OF VULNERABILITIES. THIS VULNERABILITY WAS REPORTED TO MICROSOFT ON SEPTEMBER 28TH, 2016. AS OF THE PUBLICATION DATE OF THIS POST (NOVEMBER 2ND, 2016) MICROSOFT HAS NOT RESPONDED WITH ANY UPDATES OTHER THAN TO SAY THERE ARE NO UPDATES. THE FULL TIMELINE OF THIS DISCLOSURE CAN BE FOUND IN A SECTION AT THE END OF THE BLOG POST.

UPDATE as of 3pm MST 11/2/16: This blog post demonstrates a two-factor authentication bypass technique against Microsoft Outlook Web Access where the third-party 2FA vendor was DUO Security. It should be stated that this is NOT a vulnerability in DUO Security’s product. The problem is that Microsoft Exchange server exposes the Exchange Web Services interface alongside OWA without protecting it with 2FA.

UPDATE as of 11:15am EST on 11/4/16: BHIS has retested the portion of this article detailing a bypass against Office365 Multi-Factor Authentication, and the bypass does indeed appear not to work. Some individuals have pointed out that they were getting 401 Unauthorized error messages when connecting via EWS with MFA fully enabled on a user. When retesting against the initial O365 test user, EWS now produces the same 401 error when authenticating with a password. BHIS believes that the results obtained previously were due to a delay between enabling Office365 MFA for a user and MFA actually denying that user access to Exchange Web Services. A video demonstrating this has been put together here: https://www.youtube.com/watch?v=Bb_T3ILfllU

Additionally, a very detailed post regarding the various protocols of Exchange has been put together here: http://exchangeserverpro.com/exchange-web-services-bypass-multi-factor-authentication/
_______

ORIGINAL POST: At DerbyCon 6.0 I released a tool called MailSniper for searching mailboxes for sensitive data in a Microsoft Exchange environment. MailSniper utilizes Exchange Web Services (EWS) when connecting to an Exchange server to retrieve messages from a user’s inbox. EWS is a web-based API enabled on Exchange servers that Microsoft recommends customers use when developing client applications that need to interface with Exchange. The API allows applications to interact with email messages, contacts, calendars, and more from users’ mailboxes.

While at DerbyCon I sat in on a talk called “Outlook & Exchange for the Bad Guys” by Nick Landers. It was an awesome talk that I highly recommend checking out. During his talk Nick received a question from the audience about whether two-factor authentication (2FA) would stop the attacks he mentioned during the talk. Nick replied with a statement I found very interesting. He said “I’ve seen some organizations lock down 2FA on OWA. So when you go to the Outlook Web Access you have to supply a token before you can finish logging in. That wouldn’t stop a lot of these attacks because two-factor auth doesn’t apply to EWS or the NTLM auth on the Autodiscover page.”
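One defensive check for the gap described above, added here as an example that is not part of the original post or of MailSniper: it parses a constructed Exchange IIS (W3C) log excerpt and flags users who authenticated to EWS from an address that never completed the 2FA-protected OWA logon. The field subset, addresses, user agents and status codes in the sample are assumptions made for the example.

```python
# Constructed, simplified Exchange IIS (W3C) log excerpt used as sample input;
# the field subset, addresses and user agents are made up for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2016-11-02 14:01:05 POST /owa/auth.owa CORP\\alice 203.0.113.10 Mozilla/5.0 302
2016-11-02 14:01:09 GET /owa/ CORP\\alice 203.0.113.10 Mozilla/5.0 200
2016-11-02 14:05:30 POST /EWS/Exchange.asmx CORP\\alice 203.0.113.10 Microsoft+Office/16.0 200
2016-11-02 15:12:44 POST /EWS/Exchange.asmx CORP\\alice 198.51.100.77 Mozilla/5.0 200
2016-11-02 15:13:01 POST /EWS/Exchange.asmx CORP\\bob 198.51.100.77 Mozilla/5.0 401
"""


def parse_iis_log(text):
    """Parse W3C-format lines into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def find_ews_without_owa(records):
    """Return (user, ip) pairs that authenticated to EWS successfully but never
    completed an OWA logon from that address within the same log window."""
    owa_seen, ews_ok = set(), []
    for r in records:
        user, ip, path = r["cs-username"], r["c-ip"], r["cs-uri-stem"].lower()
        if user == "-":  # anonymous/pre-auth request, nothing to attribute
            continue
        status = r["sc-status"]
        if path.startswith("/owa") and status.startswith(("2", "3")):
            owa_seen.add((user, ip))
        elif path.startswith("/ews") and status == "200":
            ews_ok.append((user, ip))
    # Keep first-seen order, drop duplicates and pairs that also used OWA.
    flagged = []
    for pair in ews_ok:
        if pair not in owa_seen and pair not in flagged:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    for user, ip in find_ews_without_owa(parse_iis_log(SAMPLE_LOG)):
        print(f"EWS-only authentication: {user} from {ip}")
```

Outlook desktop clients legitimately use EWS from hosts that never touch OWA, so in practice compare hits against a baseline of known client addresses rather than treating every one as an incident.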

...Continue reading on the Black Hills Blog here: http://www.blackhillsinfosec.com/?p=5396