Attacker Value
Very High
(2 users assessed)
Exploitability
High
(2 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
1

CVE-2021-27065

Disclosure Date: March 03, 2021
CVE-2021-27065 CVSS v3 Base Score: 7.8
Exploited in the Wild
Reported by ccondon-r7 and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Add Assessment

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Common in enterpriseEasy to weaponizeGives privileged accessVulnerable in default configurationAuthenticatedRequires elevated access
Technical Analysis

When used with CVE-2021-26855, an unauthenticated SSRF, CVE-2021-27065 yields unauthed, SYSTEM-level RCE against a vulnerable Exchange Server. On its own, exploiting this vulnerability requires access to the EAC/ECP interface, which is a privileged and authenticated web interface.

I was able to identify the relevant endpoints a few days ago using a combination of patch analysis and manual testing, and I successfully wrote an arbitrary file (sans SSRF) to the target’s filesystem (UNC path). Ironically, I was looking at the virtual directory settings for EWS, but “OAB” caught my eye due to its published IOCs. (OAB is Microsoft’s implementation of offline address books in Exchange.)

Writing an ASPX shell is the easiest way to achieve RCE using CVE-2021-27065, so make sure to look for filesystem IOCs. These IOCs are well-documented by Microsoft and other entities. Bear in mind that attackers will try to use clever or randomized filenames to evade detection.

Log in to Add Reply
2
Ratings
Common in enterpriseEasy to weaponizeGives privileged accessUnauthenticatedVulnerable in default configuration
Technical Analysis

This is a post-authentication arbitrary file write vulnerability that has been actively exploited. Now, an exploit module has been added to Metasploit, which leverages both the Server-Side Request Forgery vulnerability identified as CVE-2021-26855 and this arbitrary file write vulnerability. The SSRF is mainly used to retrieve internal information such as the user SID, session ID, canary value, etc. It also allows bypassing authentication to exploit CVE-2021-27065 and creates a custom .aspx web page that embeds a web shell. Once this backdoor is planted, the module uses it to stage the actual payload and execute it.

Note that, for this exploit to work, two Exchange Servers are needed. One is the host the module directly sends requests to and the other server is the internal resource the SSRF targets. The Exchange Admin Center (EAC) web interface, usually located at https://<ServerFQDN>/ecp, needs to be accessible on at least one server. Also, the email address of an Administrator on the Exchange server needs to be provided to the module. It is not really something difficult to obtain, as long as you know the name of an admin and the email pattern used internally.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Microsoft Exchange Server 2019 publication
Microsoft Exchange Server 2013 Cumulative Update 22 publication
Microsoft Exchange Server 2019 Cumulative Update 2 publication
Microsoft Exchange Server 2016 Cumulative Update 13 publication
Microsoft Exchange Server 2013 Cumulative Update 23 publication
Microsoft Exchange Server 2019 Cumulative Update 3 publication
Microsoft Exchange Server 2016 Cumulative Update 14 publication
Microsoft Exchange Server 2019 Cumulative Update 4 publication
Microsoft Exchange Server 2016 Cumulative Update 15 publication
Microsoft Exchange Server 2019 Cumulative Update 5 publication
Microsoft Exchange Server 2019 Cumulative Update 6 publication
Microsoft Exchange Server 2016 Cumulative Update 16 publication
Microsoft Exchange Server 2016 Cumulative Update 17 publication
Microsoft Exchange Server 2019 Cumulative Update 7 publication
Microsoft Exchange Server 2016 Cumulative Update 18 publication
Microsoft Exchange Server 2016 Cumulative Update 19 publication
Microsoft Exchange Server 2019 Cumulative Update 8 publication
Microsoft Exchange Server 2013 Service Pack 1 publication
Microsoft Exchange Server 2013 Cumulative Update 21 publication
Microsoft Exchange Server 2016 Cumulative Update 12 publication
Microsoft Exchange Server 2016 Cumulative Update 8 publication
Microsoft Exchange Server 2019 Cumulative Update 1 publication
Microsoft Exchange Server 2016 Cumulative Update 9 publication
Microsoft Exchange Server 2016 Cumulative Update 10 publication
Microsoft Exchange Server 2016 Cumulative Update 11 publication
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • exchange server 2013,
  • exchange server 2016,
  • exchange server 2019

Exploited in the Wild

Reported by:

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis