There is a simple username enumeration issue in Office365’s ActiveSync. Microsoft do not consider this a vulnerability, so Sec-1 do not expect it to be fixed. Sec-1 Penetration Tester Oliver Morton has written a script to exploit this, which is available here: https://bitbucket.org/grimhacker/office365userenum
What is ActiveSync?
Exchange ActiveSync in Microsoft Exchange Server lets Windows Mobile powered devices and other Exchange ActiveSync enabled devices to access Exchange mailbox data. Compatible mobile devices can access e-mail, calendar, contact, and task data in addition to documents stored on Windows SharePoint Services sites and Windows file shares. Information synchronized with the mobile devices is retained and can be accessed offline. [https://technet.microsoft.com/en-us/library/aa995986(v=exchg.65).aspx]
What is username enumeration?
Username enumeration is when an attacker can determine valid users in a system.
A username enumeration issue exists whenever the system reveals that a username exists, whether through misconfiguration or by design.
This is often identified in authentication interfaces, registration forms, and forgotten password functionality.
The information disclosed by the system can be used to build a list of users, which can then be used in further attacks such as a brute force: since the username is known to be correct, only the password needs to be guessed, greatly increasing the chances of successfully compromising an account.
During the assessment of a 3rd party product which utilises ActiveSync, it was noted that there was a clear difference in response between valid and invalid usernames submitted in the HTTP Basic Authentication header.
Further investigation revealed that the issue was in fact in Office365 rather than the 3rd party product which was simply acting as a proxy. The domain for Office365’s ActiveSync service is trivial to identify if you have a mobile device configured to use Office365 for email (email app server settings): https://outlook.office365.com
In order to elicit a response from ActiveSync a number of parameters and headers are required, this is described in more detail here: http://mobilitydojo.net/2010/03/17/digging-into-the-exchange-activesync-protocol/
The username enumeration issue exists in the differing response to invalid vs valid usernames submitted in the Authorization header. This request header value consists of the username and password concatenated with a colon (:) separator and Base64 encoded.
The request below contains the following credentials, Base64 encoded, in the Authorization header: valid_user@contoso.com:Password1
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Authorization: Basic dmFsaWRfdXNlckBjb250b3NvLmNvbTpQYXNzd29yZDE=
This elicits the following response (“401 Unauthorized”) indicating that the username is valid but the password is not:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic Realm="",Negotiate,Basic Realm=""
WWW-Authenticate: Basic Realm=""
Date: Wed, 14 Jun 2017 14:35:14 GMT
The request below contains the following credentials, Base64 encoded, in the Authorization header: invalid_user@contoso.com:Password1
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
Authorization: Basic aW52YWxpZF91c2VyQGNvbnRvc28uY29tOlBhc3N3b3JkMQ==
This elicits the following response (“404 Not Found” with the header “X-CasErrorCode: UserNotFound”), indicating that the username is invalid:
HTTP/1.1 404 Not Found
X-CasErrorCode: UserNotFound
Date: Wed, 28 Jun 2017 11:23:03 GMT
By iterating through a list of potential usernames and observing the response, it is possible to enumerate a list of valid users which can then be targeted for further attacks. These attacks may be directly against the authentication, i.e. attempting to guess the user’s password to compromise their account, or they may form part of a social engineering attack, e.g. sending phishing emails to known valid users.
It should be noted that this issue requires an authentication attempt against each candidate username, so every probe is likely to appear in logs and each one counts as a failed logon, with the attendant risk of locking out accounts. It is also possible that a valid username and password combination will be identified, in which case the response differs depending on whether 2FA is enabled or not.
If 2FA is enabled the response is (“403 Forbidden” with title “403 – Forbidden: Access is denied.”):
HTTP/1.1 403 Forbidden
Date: Fri, 07 Jul 2017 13:11:22 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
If 2FA is NOT enabled the response is (“200 OK”):
HTTP/1.1 200 OK
Date: Mon, 24 Jul 2017 09:50:22 GMT
It should be noted that only users with a valid mailbox are considered to be valid users in this context; a domain account that has no mailbox may therefore exist but be reported as invalid by this technique.
A brief check was conducted to determine whether this issue affected on-premises Microsoft Exchange, or whether it was limited to Office365. It was found that only Office365 was affected. This issue was reported to Microsoft; however, they do not consider username enumeration to “meet the bar for security servicing”, so Sec-1 do not expect this issue will be fixed.
My continuing mission to replace myself with a small script
In order to automate exploitation of this issue Oliver wrote a simple multi-threaded Python script. It is available here: https://bitbucket.org/grimhacker/office365userenum
When provided with a list of potential usernames (username@domain) this script will attempt to authenticate to ActiveSync with the password ‘Password1’. Valid and invalid usernames are logged, along with any valid username and password combinations (in case you get lucky).
28 June 2017, 13:30: Emailed email@example.com with a PGP encrypted PDF explaining issue with example HTTP requests and responses.
28 June 2017, 22:39: Response from Microsoft (note only relevant section of email included below)
“Thank you for contacting the Microsoft Security Response Center (MSRC). Upon investigation we have determined that these do not meet the bar for security servicing. In general, username enumeration does not meet the bar as there are many ways to do this and on its own it does not allow an attacker access or control in any way, as the attacker would still need to bypass login.”
29 June 2017, 09:54: Emailed Microsoft stating intention to disclose in a blog post unless they had any serious objections.
24 July 2017: Details and tool disclosed to the public.