diff --git a/Security/BackendCookieMitigation.ps1 b/Security/BackendCookieMitigation.ps1
new file mode 100644
index 0000000000..c7fd1471d3
--- /dev/null
+++ b/Security/BackendCookieMitigation.ps1
@@ -0,0 +1,118 @@
+<#
+ BackendCookieMitigation.ps1
+
+ Description:
+ This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild.
+ This will help with defense against the known patterns observed but not the SSRF as a whole.
+
+ Note:
+ The IIS ReWrite rules will be removed after Exchange is upgraded and the mitigation will need to be reapplied.
+
+ Impact:
+ No known impact to Exchange functionality, however, limited testing has been performed
+
+ Requirements:
+ URL Rewrite : The Official Microsoft IIS Site MSI (https://www.iis.net/downloads/microsoft/url-rewrite)
+
+
+ Examples:
+
+ To apply with MSI install via PowerShell:
+ . \BackendCookieMitigation.ps1 -FullPathToMSI “" -WebSiteNames "Default Web Site" -Verbose
+
+ To apply without MSI install via PowerShell:
+ .\BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -Verbose
+
+ To rollback:
+ .\BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -RollbackMitigation -Verbose
+#>
+
+[CmdLetBinding()]
+param(
+ [System.IO.FileInfo]$FullPathToMSI,
+ [ValidateNotNullOrEmpty()]
+ [string[]]$WebSiteNames,
+ [switch]$RollbackMitigation
+)
+
+#Configure Rewrite Rule consts
+$HttpCookieInput = '{HTTP_COOKIE}'
+$root = 'system.webServer/rewrite/rules'
+$inbound = '.*'
+$name = 'X-AnonResource-Backend Abort - inbound'
+$name2 = 'X-BEResource Abort - inbound'
+$pattern = '(.*)X-AnonResource-Backend(.*)'
+$pattern2 = '(.*)X-BEResource=(.+)/(.+)~(.+)'
+$filter = "{0}/rule[@name='{1}']" -f $root, $name
+$filter2 = "{0}/rule[@name='{1}']" -f $root, $name2
+
+if (!$RollbackMitigation) {
+ Write-Verbose "[INFO] Starting mitigation process on $env:computername"
+
+ #Check if IIS URL Rewrite Module 2 is installed
+ Write-Verbose "[INFO] Checking for IIS URL Rewrite Module 2 on $env:computername"
+ $IISRewriteQuery = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BCA2118-F753-4A1E-BCF3-5A820729965C}' -ErrorAction SilentlyContinue).DisplayName
+
+ $RewriteModuleInstallLog = ($FullPathToMSI.Directory.FullName + '\' + 'RewriteModuleInstallLog.log')
+
+ #Install module
+ if ($null -ne $IISRewriteQuery) {
+ Write-Verbose "[INFO] IIS URL Rewrite Module 2 already installed on $env:computername"
+ } else {
+ if ($FullPathToMSI) {
+ Write-Verbose "[INFO] Installing IIS URL Rewrite Module 2"
+ Start-Process -FilePath 'C:\Windows\System32\msiexec.exe' -ArgumentList "/i $($FullPathToMSI.Fullname) /quiet /log $RewriteModuleInstallLog" -Wait
+ Start-Sleep -Seconds 15
+
+ $IISRewriteQuery = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BCA2118-F753-4A1E-BCF3-5A820729965C}' -ErrorAction SilentlyContinue).DisplayName
+
+ if ($null -ne $IISRewriteQuery) {
+ Write-Verbose "[OK] IIS URL Rewrite Module 2 installed on $env:computername"
+ } else {
+
+ throw "[ERROR] Issue installing IIS URL Rewrite Module 2, please review $($RewriteModuleInstallLog)"
+ }
+ } else {
+ throw "[ERROR] Unable to proceed on $env:computername, path to IIS URL Rewrite Module MSI not provided and module is not installed."
+ }
+ }
+
+ foreach ($website in $WebSiteNames) {
+ Write-Verbose "[INFO] Applying rewrite rule configuration to $env:COMPUTERNAME :: $website"
+
+ $site = "IIS:\Sites\$($website)"
+
+ try {
+ Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name = $name; patterSyntax = 'Regular Expressions'; stopProcessing = 'False' }
+ Set-WebConfigurationProperty -PSPath $site -filter "$filter/match" -name 'url' -value $inbound
+ Set-WebConfigurationProperty -PSPath $site -filter "$filter/conditions" -name '.' -value @{input = $HttpCookieInput; matchType = '0'; pattern = $pattern; ignoreCase = 'True'; negate = 'False' }
+ Set-WebConfigurationProperty -PSPath $site -filter "$filter/action" -name 'type' -value 'AbortRequest'
+
+ Add-WebConfigurationProperty -PSPath $site -filter $root -name '.' -value @{name = $name2; patternSyntax = 'Regular Expressions'; stopProcessing = 'True' }
+ Set-WebConfigurationProperty -PSPath $site -filter "$filter2/match" -name 'url' -value $inbound
+ Set-WebConfigurationProperty -PSPath $site -filter "$filter2/conditions" -name '.' -value @{input = $HttpCookieInput; matchType = '0'; pattern = $pattern2; ignoreCase = 'True'; negate = 'False' }
+ Set-WebConfigurationProperty -PSPath $site -filter "$filter2/action" -name 'type' -value 'AbortRequest'
+
+ Write-Verbose "[OK] Rewrite rule configuration complete for $env:COMPUTERNAME :: $website"
+ Get-WebConfiguration -Filter $filter -PSPath $site
+ Get-WebConfiguration -Filter $filter2 -PSPath $site
+ } catch {
+ throw $_
+ }
+ }
+} else {
+ Write-Verbose "[INFO] Starting mitigation rollback process on $env:computername"
+ foreach ($website in $WebSiteNames) {
+
+ $site = "IIS:\Sites\$($website)"
+
+ $MitigationConfig = Get-WebConfiguration -Filter $filter -PSPath $site
+ if ($MitigationConfig) {
+ Clear-WebConfiguration -Filter $filter -PSPath $site
+ Clear-WebConfiguration -Filter $filter2 -PSPath $site
+ Write-Verbose "[OK] Rewrite rule mitigation removed for $env:COMPUTERNAME :: $website"
+ } else {
+ Write-Verbose "[INFO] Rewrite rule mitigation does not exist for $env:COMPUTERNAME :: $website"
+ }
+ }
+}
diff --git a/Security/README.md b/Security/README.md
index e2084eed28..b414101be7 100644
--- a/Security/README.md
+++ b/Security/README.md
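Review bot: The msiexec call in the install branch passes the MSI path and the log path unquoted inside -ArgumentList, so an MSI sitting under a directory with a space (a Downloads or Program Files path is the usual case) is split into separate arguments, the quiet install fails, and the script then throws pointing at a log file msiexec never wrote. The same branch installs whatever file the operator names with no Authenticode check, which on a server being remediated for an active compromise deserves a guard before Start-Process; Get-AuthenticodeSignature can gate on a Valid status. Separately, the first Add-WebConfigurationProperty call spells the attribute `patterSyntax = 'Regular Expressions'` while the second uses `patternSyntax`; IIS most likely falls back to its default regex syntax so the rule still matches, but both should read `patternSyntax = 'Regular Expressions'` and the pair should agree on stopProcessing. $RewriteModuleInstallLog is also built from $FullPathToMSI.Directory before the script has confirmed an MSI path was supplied, which yields a bare `\RewriteModuleInstallLog.log` when the module is already installed; building it inside the `if ($FullPathToMSI)` branch keeps the log next to the MSI.
```powershell
if ($FullPathToMSI) {
    # Refuse to run an unsigned or tampered installer with elevated rights
    $sig = Get-AuthenticodeSignature -FilePath $FullPathToMSI.FullName
    if ($sig.Status -ne 'Valid') {
        throw "[ERROR] Authenticode signature of $($FullPathToMSI.FullName) is $($sig.Status); refusing to install."
    }
    $RewriteModuleInstallLog = Join-Path $FullPathToMSI.Directory.FullName 'RewriteModuleInstallLog.log'
    Write-Verbose "[INFO] Installing IIS URL Rewrite Module 2"
    # Quote both paths so directories containing spaces survive msiexec argument parsing
    Start-Process -FilePath 'C:\Windows\System32\msiexec.exe' -ArgumentList "/i `"$($FullPathToMSI.FullName)`" /quiet /log `"$RewriteModuleInstallLog`"" -Wait
    # … unchanged: Start-Sleep, registry re-check, throw on failure …
```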
@@ -1,7 +1,17 @@
 # Security scripts
-## Test-Hafnium.ps1
+## BackendCookieMitigation.ps1
-This script automates all four of the commands found in the [Hafnium blog post](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/). It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster. Download the latest release here:
+This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild.
+This will help with defense against the known patterns observed but not the SSRF as a whole. For more information, see the comments at the top of the script.
-https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-Hafnium.ps1
+Download the latest release here:
+
+[Download BackendCookieMitigation.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/BackendCookieMitigation.ps1)
+## Test-ProxyLogon.ps1
+
+Formerly known as Test-Hafnium, this script automates all four of the commands found in the [Hafnium blog post](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/). It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster. Download the latest release here:
+
+Download the latest release here:
+
+[Download Test-ProxyLogon.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1)
diff --git a/Security/Test-Hafnium.ps1 b/Security/Test-ProxyLogon.ps1
similarity index 100%
rename from Security/Test-Hafnium.ps1
rename to Security/Test-ProxyLogon.ps1