back to article Microsoft Exchange Autodiscover protocol found leaking hundreds of thousands of credentials

A flaw in Microsoft's Autodiscover protocol, used to configure Exchange clients like Outlook, can cause user credentials to leak to miscreants in certain circumstances. The upshot is that your Exchange-connected email client may give away your username and password to a stranger, if the flaw is successfully exploited. In a …

  1. Anonymous Coward
    Anonymous Coward

    "With that being said, I can’t imagine why Microsoft wouldn’t address such issues."

    Because they don't actually know what they're doing.

    1. J. Cook Silver badge
      Alien

      I'll offer up that the team that originally implemented it either: a) didn't know what they were doing at the time; b) made bad assumptions based on how the internet was designed at the time; or c) knew about the issue, tried valiantly to put in a proper fix that wouldn't overly break things, was overruled by manglement in favor of getting the product shipped, and left in disgust shortly thereafter with the junior varsity team to try and untangle their code.

      My personal opinion is that it's a combination of all three.

      1. J. Cook Silver badge
        Boffin

        Also, I don't think it's Exchange Server, but the implementation for Autodiscover on the client side that has the issue. If anything, I don't think the original authors of the protocol dreamed it would be implemented over the internet. Also, the internet was a slightly more trust-worthy place back then. Slightly.

        1. katrinab Silver badge
          Meh

          Yes, it is Outlook, or Apple Mail, or whatever the Android equivalent is called, trying to make contact the Exchange Server, and failing. Therefore there is nothing you can do server-side to stop this, except maybe making sure that you actually have autodiscover set up on the server.

          1. Anonymous Coward
            Anonymous Coward

            Yep, nothing to do with an organisation's Exchange setup at all. The client works through the predefined list of connection addresses/methods to try until it gets a response and there's no way to change that from the server (since the client hasn't yet reached the server!). If for instance you're using the SRV record method for autodiscover you can't magically make that the first thing that is tried from the server. You can edit the registry on each machine to adjust which methods are used, but that's nothing to do with Exchange.

        2. Pirate Dave Silver badge
          Pirate

          I think you're giving them too much credit. MS has known their software is security swiss-cheese since the mid 1990's, before Exchange and Outlook were even much of a thing. So they've had at least 20 years to figure out that "the Internet is Bad" and code accordingly. But they haven't learned that lesson yet, in spite of the thousands of vulnerabilities discovered in their various softwares. I mean if this was a vulnerability in a version of Outlook released in 2000, yeah, maybe I could let them slide. But this bugaboo exists in even their most recent version. Hard to cut them any slack for that.

          1. vtcodger Silver badge

            "MS has known their software is security swiss-cheese since the mid 1990's"

            My memory isn't all that great. But I'm 99% sure that MS told us all in the late 1990s that NT based Windows would fix all those problems just as soon as they got it perfected. You suggesting that they lied to us?

            1. Allan George Dyer
              Paris Hilton

              I think they said it was the most secure Windows they'd ever released, which was true. And they said the same for XP, and that was true too...

              I think they intend to continue making quantum leaps in security with every release.

              1. Loyal Commenter

                Is that "quantum leaps" as in the tiniest measurable transitions? Like the amount of energy released in the single photon when a hydrogen atom drops from an excited state back to the base state (about 3e-19 J).

              2. MachDiamond Silver badge

                "I think they intend to continue making quantum leaps in security with every release."

                A "quantum leap" being the distance between two electron orbits around an atomic nucleus.

        3. MachDiamond Silver badge

          "but the implementation for Autodiscover on the client side that has the issue."

          So are you saying that something that's being done on the client side is creating the security issue? That's a huge problem as it's no different than any attack from anything/anybody else.

      2. Anonymous Coward Silver badge
        Facepalm

        The earlier version of autodiscover didn't require the credentials be transmitted, so was actually a pretty reasonable system.

        They've implemented this poxy version in the last 10 years or so, which means that they should've been fully aware of what the internet was like.

    2. Anonymous Coward
      Anonymous Coward

      They will say its not a problem if you let them host it by using office 365 and not have anything on prem providing them a constant stream of money. They will not fix it because of that 1 reason.

      1. Nick Ryan Silver badge

        It's even more nefarious than that... if you have your primary domain hosted on something other than on Microsoft's servers then where do the auto discover requests go to?

        For example, theregister.com - not hosted on Azure/Microsoft 365

        Microsoft Outlook running for an @theregister.com email address will request (require) configuration from autodiscover.theregister.com, theregister.com/autodiscover/<blah> and so on.

        While it's possible to configure DNS such that autodiscover.theregister.com refers to a Microsoft Exchange server, it's not convenient and is beyond most organisations.

        The whole crappy process was invented when Microsoft was still stupidly instructing* admins to set up the dumb ".local" domain names, and that says it all really.

        * Microsoft have since edited history to make it appear that they said something quite different.

        1. katrinab Silver badge
          Meh

          Even if it is on Office365, the email client still has to discover that. Outlook I believe looks there first, but that may not be the case for other clients.

        2. Cliffwilliams44 Bronze badge

          "Microsoft Outlook running for an @theregister.com email address will request (require) configuration from autodiscover.theregister.com, theregister.com/autodiscover/<blah> and so on.

          While it's possible to configure DNS such that autodiscover.theregister.com refers to a Microsoft Exchange server, it's not convenient and is beyond most organisations."

          Umm, well that's the way you do it. If the staff of said company are not competent enough to do this then they should hire some one who is.

          It has been like this for a very long time.

          1. Nick Ryan Silver badge

            Yes, there's how to do it and then there's how it's done. Often different. Even more of a mess in a hybrid environment, particularly a hybrid older environment.

            It could have been done in a simple, transparent and wholly documented manner... unfortunately this was Microsoft and it was created at a time when they were still intentionally screwing with and obfuscating their own file formats to ensure that competing software couldn't use them.

  2. Anonymous Coward
    Anonymous Coward

    Exchange is seriously flawed

    In some situations, such as when you've hardened the server because of, I don't know, Hafnium attacks, you have to enable basic auth. There is even a setting for it buried deep in the windows proxy extensions. I think the idea is to force everyone on to a domain and thence to Azure and then all your e-mail are belong Satya.

    There are other, simpler and more reliable ways of doing the initial handshake but they use open protocols…

  3. Anonymous South African Coward Silver badge

    Yippi yaddi yey for more Microsofty goodness...

  4. Diogenes8080

    The obvious

    So how about a list of relevant Autodiscover domains that don't belong to Guardicore, and some idea of who owns them?

    This is one exploit that should be relatively easy to trace. At the very least it might shine some light on the practices of the domain registration industry.

  5. Scott 26

    It's the WPAD flaw all over again.....

  6. mevets

    Design blunder...

    You had me at Exchange, or even microsoft....

    In honour of the recent sequel to The Shining, they should rename the whole mess *LookOut*.

  7. Anonymous Coward
    Anonymous Coward

    Their hosts file contains wildcards

    Someone with a GitHub or Twitter account should tell them wildcards are not supported in the standard hosts file format - it's a very basic format.

    1. seven of five

      Re: Their hosts file contains wildcards

      They would not understand.

  8. Denarius Silver badge
    Coat

    almost enuf

    to remember sendmail config with less loathing. Perhaps instead of "user friendly" or error tolerant programmers could revert to GOTO ERROR-EXIT. Making everything idiot proof seems to be just helping companies sell more junk software. Mines the one with Line Noise for Beginners in the pocket

    1. Anonymous Coward
      Anonymous Coward

      Re: almost enuf

      I think when it comes to the trauma inflicted by manually editing sendmail.cf before the m4 processor, sendmail.cf still has the edge.

      That said, you must be a masochist or a consultant milking it for money to recommend Exchange as a reliable email facility - it is anything but.

  9. phands

    Why the hell does anyone use M$ for anything????

    1. IGotOut Silver badge

      Because they have work to do?

    2. Loyal Commenter

      Because everyone else is just as bad, and people have generally standardised on one OS for most office based work?

    3. Anonymous South African Coward Silver badge
      Trollface

      It was a long game played by cryptolockers - to make sure world+dog would be so reliant on microslop for anything, then they'll slip their crypto code into your system and make lots of bitcoin out of you.

      1. Peter2 Silver badge

        Cryptolockers only work in a windows configuration that is identical to *nix admins running everything as root. Windows doesn't have to be run this way; the tools to change this are available free of charge out of the box. The problem is simply that people don't bother to use them.

        If people can't be assed to figure out how to secure a windows installation then I suspect you'd find that if Microsoft went out of business then the same people wouldn't bother to figure out how to secure a *nix installation either, and the problem would just move between vendors with the users.

        1. Loyal Commenter

          Well, "yes and no". A cryptolocker requires root access to encrypt things. It doesn't necessarily follow that it needs a user logged in with admin permissions. I'm sure there are plenty of 0-day privilege escalation exploits out there. Like, for instance, that recent one where you plugged in a Razer mouse and the installer got hijacked.

          Escalation exploits don't only exist in Windows systems, for example, that SUDO flaw in *nix that was reported earlier this year.

          1. Peter2 Silver badge

            A cryptolocker does require that the user be willing to allow any piece of arbitrary code to run on their machine.

            If you set a software restriction/applocker policy to only allow programs installed in %program files% to run for normal user accounts then immediately users become incapable of being able to run any form of trojan. And the baseline requirement for the cyber essentials minimum standard is that you approve executables by an MD5 hash, not just by path.

            1. Loyal Commenter

              ...and of course, nothing running in %program files% would ever have an escalation or execution flaw in it. And browsers can't run arbitrary code. And nothing outside such a walled garden would ever need to execute. And everything inside it is perfectly trusted...

    4. Anonymous Coward
      Anonymous Coward

      Because they have managers who are sufficiently unaware of tech consequences to be deluded by glossy magazines and expensive lunches. In addition, keeping it actually alive is not their problem, it's yours.

      And thus, the perfect storm, and a company that has remained in business despite delivering code that would not pass the most basic security check if it were ever publicaly audited (at least, that's what the never ending stream of patches suggest).

      You must give them this, though, what their devs lack in talent, their sales and marketing people more than make up for it. It's not called S&M for nothing..

      /s

  10. J__M__M

    Because this issue can be mitigated by proper configuration

    Great, now if you don't mind sharing how I'm supposed to properly configure the entire internet I'll be good to go.

    1. Cliffwilliams44 Bronze badge

      Re: Because this issue can be mitigated by proper configuration

      No, you properly configure your DNS records for AutoDiscovery. Any Exchange Administrator who has worked with Exchange any time in the last 15 years should know this.The problem is so may do not.

      When I was a consultant fixing AutoDiscover was one of the most often things done when contracted to work on Exchange.

  11. mikerobinson

    Keep it in DNS

    I've always thought that the use of the SRV record for identifying your Exchange server should be the FIRST autodiscover check made. Unfortunately there are a lot of ActiveSync clients that seem to be incapable of trying this route.

  12. wolfetone Silver badge

    Does this affect Office 365 implementations does anyone know?

    1. babydave

      I would assume it would if the domain has not been setup with Autodiscover records correctly. Think of any office 365 tenant that has been setup by web design or marketing agencies - these guys rarely understand the importance of correct MX records never mind anything else.

    2. TiredNConfused80

      Probably would if you havn't got the autodiscover domains set up correctly in the DNS records of whoever you get your (external) domain from and in your internal DNS. I would have thought you'd know about that though as nothing would work...

      1. Nick Ryan Silver badge

        There's a difference between "currently working" and "working properly". I suspect that most tenancies are configured to be "currently working" but with lots of dangerous configuration left lying around which will catch them out at some point.

  13. Ken Moorhouse Silver badge

    POX XML

    There's a Big Clue - right there - yes, in the first three letters...

    1. herman Silver badge

      Re: POX XML

      The problem is DNS. It is always DNS.

      1. Anonymous Coward
        Anonymous Coward

        Re: POX XML

        Unless it's expired SSL certs. This is MS, so not out of the question.

  14. Anonymous Coward
    Anonymous Coward

    The whole autodiscover via DNS/HTTP setup was always broken and a sign of a company that neither understood the Internet nor cared about it. The assumption was everyone would use Outlook with Exchange, and therefore spamming anyone who didn't with irrelevant requests was acceptable.

    Whoever designed and implemented it should be taken out and shot. Twice.

    1. Anonymous Coward Silver badge
      Boffin

      A few requests that return 404 is fine. If your servers are loaded so heavily that they can't handle that, they'll struggle anyway.

      It's not any significant load beyond the NODOMAIN response from a DNS query.

      What would be better would be an option to attempt autodiscovery or not - that would've saved me a lot of time over the years waiting for it to try the various methods before allowing me to enter the correct details manually.

      1. Spiz

        Not ideal but you could Group Policy this:

        https://knowledgebase.cobweb.com/help/outlook-autodiscover-registry-fix

      2. Anonymous Coward
        Anonymous Coward

        No multiply that by thousands of clients, all making multiple requests. Every request going into a log file.

        All completely unnecessary.

        It's not about server load, it's about being a good citizen. Something Microsoft have struggled to be.

  15. Loyal Commenter

    I always wondered...

    ...what the rather opaque "autodiscover" was doing when used in code to connect to an Exchange mailbox.

    Now that I know, I have to say, I'm not very impressed at how shoddily it has been designed. Both with the "failing upward" to attempt to authenticate against a fixed TLD (I mean, just WHY?), and to being designed so that the initial connection attempt contains credentials...

    I suppose I shouldn't be that surprised, given that the "protocol" if you can call it that, came about from the people who wrote MS Exchange.

    1. herman Silver badge

      Re: I always wondered...

      Sadly, MS Exchange was written by The Open Group - the owners of the UNIX trademark.

    2. Cliffwilliams44 Bronze badge

      Re: I always wondered...

      At one time the credentials were added AFTER auto discover return the endpoint URLs. The some twit figured it was a good idea ti ask for them BEFORE and send them in the request.

  16. Anonymous South African Coward Silver badge

    Speaking of which, how does Thunderbird handle its autodiscover?

    I have to assume that it is more robust and secure, and that it'll look for the @domain.com part first, then try to authenticate with user@domain.com, and ask you for the password...

  17. Marco van Beek

    Not new. I found the basic issue 7 years ago almost to the day.

    Microsoft told me it wasn't their problem:

    https://www.theregister.com/2016/09/19/ms_exchange_alleged_bug/

    1. 42656e4d203239 Bronze badge
      Pint

      Re: Not new. I found the basic issue 7 years ago almost to the day.

      Icon says it all.... to drown your sorrows?

    2. Ken Moorhouse Silver badge

      Re: Microsoft told me it wasn't their problem:

      Marco van Beek:-

      Will the Bug Bounty payout be made to you with 7 years compound interest added?

  18. martyn.hare
    WTF?

    This was found and fixed in Office 2013 years ago

    With a correct Exchange configuration at the time of configuring the client, Outlook won't fall back on legacy authentication or even try the old autodiscover mechanisms responsible for the vulnerability. It's only if the system was configured prior to the introduction of newer mechanisms that the vulnerability exists and even then, to mitigate it, you can enable Security Defaults, forcing folks to set up fresh profiles which reject old mechanisms regardless.

    This is like pointing out that Windows has gaping security holes in VPN functionality because the system supports PPTP.

    It's all by design.to keep older systems working, even if it's less secure to do so.

    1. Anonymous Coward
      Anonymous Coward

      Re: This was found and fixed in Office 2013 years ago

      But the rub is, all these guys did was just register some domain names and setup a webserver, and suddenly scores of random clients started flinging (nearly) clear-text passwords at them. The world-at-large is apparently teeming with MS clients who just can't wait to send credentials to unknown and unverified servers that happen to match a name pattern. That's the bad part.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like