Give PEAS a chance

Not architecting a network to assume compromise is an all too common danger. Now MWR has uncovered functionality used by Microsoft Exchange that can expose internal files to attack.

The danger of not architecting a network to assume compromise is a popular topic of conversations amongst security professions but one that frequently frustrates in how rarely it is done. The majority of organizations do not have well segmented networks that limit potential breaches, instead focussing on a perimeter and DMZ.

Microsoft Exchange, the widely used enterprise email server, is a tempting target for attackers, as by nature of its function it is accessible from the internet and within organizations. External attackers routinely target Microsoft Exchange in their attempts to access sensitive information assets, stored in emails.

New research by MWR has found that Exchange ActiveSync (EAS), the protocol for synchronising emails, policies and other items between a messaging server and mobile devices, can be used to access Windows file shares and internal SharePoint services on an organization's internal network remotely. All that is required to do so is an employee’s email address and password.

Furthermore, the research confirmed the flaw against both Microsoft Exchange 2013 and 2016 with near-default configurations, despite internal file share access being removed from Outlook Web App in Exchange 2010.

Once an attacker discovers an employee’s login details, through such means as phishing, they can then freely browse and download all files from internal fileshares or SharePoint servers as many organizations are unaware these can be accessed via the internet. For many organizations, the fact that their internal fileshares and Sharepoint servers could be accessed from the internet completely undermines the security model in place.

Fortunately, the threat that the flaw in EAS poses can be neutralised relatively easily – organizations are recommended to disable fileshare access and sharepoint access through EAS and the process is covered in the research released. There do not appear to be any direct risks associated with disabling these functions, though as with all complex systems, there is a possibility that making the changes may prevent legitimate functionality that end users rely on from functioning. Therefore, organizations are recommended to test before deployment to live environments to determine the impact on services.

The ability to download files through EAS appears not to have been a surprise to Microsoft, which informed MWR that the ability to do this was by design. MWR believe that this was legitimate functionality built into Microsoft Outlook over a decade ago, originally so that a user could download files from fileshares through Outlook Web Access (OWA), which is provided by Exchange. However for Microsoft Exchange 2007, Microsoft removed this ability to do it through OWA. A possible conclusion to draw is that Microsoft left the backend code in EAS, which is what MWR’s researchers triggered. The reason for this could simply be that Microsoft tends to be reluctant to change aspects of its systems that may stop something working for a customer.

But while Microsoft’s reluctance to disrupt its customers’ user experience is understandable, it has led to security weaknesses before and is likely to again. Organizations unfortunately may not be aware of what features are present in software they use, let alone what security bugs may be present and as such, lack the ability to protect their architecture adequately.

Effective security requires well designed architectures and advanced attackers regularly target flawed architectures in their attacks on organizations. Organizations need not only to design secure systems as they build them but also to understand their own architectures and where services might be straddling trust boundaries or brokering access to informational assets.

While Exchange has stiff competition in the forms of cloud based services such as Gmail, Yahoo! And Apple Mail, its market share remains strong, with a huge amount of businesses running Exchange-based mailservers as on-premises solutions.

As a service that both straddles internal and external networks as well as directly brokering access to emails, Exchange should be robustly secured. This must involve secure configuration and implementation to prevent abuse of credentials that may have been obtained, as well as ensuring the network is architected so that any compromise of Exchange is contained as far as possible.

To aid security testers and red-teams in their testing, MWR has developed a tool to exploit the issue. Dubbed “PEAS”, the tool allows pen-testers and red teams to use this technique on their operations to browse and retrieve files from internal fileshares. It can also allow a user's mailbox to be downloaded externally, useful when demonstrating the impact of poor controls around Exchange and email access.

MWR offer a number of services that can help organizations manage the risks highlighted by this work including secure architecture design and review, security assurance of components and our managed phishing service Phishd that measures and directly addresses employee susceptibility to phishing.




As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.