
Example Analysis: Chaining CVE-2021-26855 and CVE-2021-27065 to Get a Shell on the Domain Controller

2025-02-22 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through an example of chaining CVE-2021-26855 and CVE-2021-27065 to get a shell on a domain controller. It is shared here as a reference, and should give you a working understanding of the two vulnerabilities.

I. Introduction

Exchange Server is a set of e-mail service components of Microsoft Corporation. It is a messaging and collaboration system, which mainly provides collaborative applications including e-mail, meeting scheduling, group scheduling, task management, document management, real-time meeting and workflow.

II. Overview of vulnerabilities

CVE-2021-26855 and CVE-2021-27065 are high-risk vulnerabilities that Microsoft published on March 2, 2021, with a high hazard level. CVE-2021-26855 is an SSRF (server-side request forgery) vulnerability that can be exploited to send arbitrary HTTP requests, bypassing authentication. CVE-2021-27065 is an arbitrary file write vulnerability that requires authentication when used on its own, and it comes with a directory traversal vulnerability that allows an attacker to write files to any path on the server. Combined, the two vulnerabilities bypass the permission check and lead directly to a shell.
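A defender-side check for the two bugs described above, as an added example that is not part of the original article: it flags unauthenticated HttpProxy log entries whose AnchorMailbox matches ServerInfo~*/* (the SSRF) and ECP server log lines matching Set-.+VirtualDirectory (the file write), following the indicators Microsoft published for these CVEs. The log rows are constructed and reduced to a few columns; host names, addresses and paths are placeholders.

```python
import csv
import re

# Constructed, simplified HttpProxy log (real logs carry many more columns).
HTTPPROXY_SAMPLE = """#Software: constructed sample
DateTime,AuthenticatedUser,AnchorMailbox,UrlStem,ClientIpAddress
2021-03-03T10:01:02Z,alice@lab.example,Sid~S-1-5-21-1-2-3-1104,/owa/,10.0.0.21
2021-03-03T10:03:10Z,,,/owa/auth/logon.aspx,10.0.0.35
2021-03-03T10:05:40Z,,ServerInfo~ex01.lab.example/backend/path,/ecp/placeholder.js,203.0.113.7
"""

# Constructed ECP server log lines (layout is an assumption for illustration).
ECP_SAMPLE = """2021-03-03T10:02:11Z,EX01,ECP.Request,cmd=Get-Mailbox
2021-03-03T10:06:01Z,EX01,ECP.Request,cmd=Set-OabVirtualDirectory -ExternalUrl <value>
"""

ANCHOR_RE = re.compile(r"^ServerInfo~.*/")        # wildcard form: ServerInfo~*/*
VDIR_RE = re.compile(r"Set-.+VirtualDirectory")   # virtual directory changes via ECP


def ssrf_hits(httpproxy_log):
    """Return (time, client IP, anchor) for unauthenticated rows with a ServerInfo anchor."""
    lines = [l for l in httpproxy_log.splitlines() if l and not l.startswith("#")]
    hits = []
    for row in csv.DictReader(lines):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if not user and ANCHOR_RE.match(anchor):
            hits.append((row["DateTime"], row["ClientIpAddress"], anchor))
    return hits


def vdir_hits(ecp_log):
    """Return ECP log lines that change a virtual directory; each needs manual review."""
    return [l for l in ecp_log.splitlines() if VDIR_RE.search(l)]


if __name__ == "__main__":
    for when, ip, anchor in ssrf_hits(HTTPPROXY_SAMPLE):
        print("possible CVE-2021-26855 request:", when, ip, anchor)
    for line in vdir_hits(ECP_SAMPLE):
        print("review for CVE-2021-27065:", line)
```

Administrators also change virtual directories legitimately, so a Set-...VirtualDirectory hit is a lead to review against the SSRF hits from the same time window, not a verdict.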

III. Scope of impact

Microsoft Exchange 2010

Microsoft Exchange 2013

Microsoft Exchange 2016 (CU12 for this environment)

Microsoft Exchange 2019

PS: When searching for the exp on GitHub, I saw an affected range given as Exchange Server 2013 earlier than CU23, Exchange Server 2016 earlier than CU18, and Exchange Server 2019 earlier than CU7, so this reproduction does not use CU18; interested readers can try it.

IV. Environment Building

4.1 Domain Administrator Password Setting

Download Windows Server 2016 and select Desktop Experience when installing. Set the Administrator password after installation is complete; Exchange installation requires a strong password for the Administrator account.

1) On the dashboard, click Tools menu and select Computer Management submenu

2) Local Users and Groups-> Users

Select Administrator, right-click, and select the Set Password submenu from the pop-up menu.

3) Enter the new password, confirm it, and click OK to complete the change

The new password must meet certain security requirements!

4.2 AD server setup

Setting up the AD server is too lengthy to repeat in this article; the article I referred to during installation is:

https://www.jb51.net/article/163510.htm

4.3 Exchange installation

I was stuck at this step for nearly 4 hours; installing Exchange requires installing some files in advance.

1) Run the following command in Windows PowerShell to install the required Windows components:

Install-WindowsFeature NET-Framework-45-Features, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

2) Install the following software in sequence:

a. .NET Framework 4.8

b. Security update dated December 13, 2016 (KB3206632)

c. Visual C++ Redistributable Package for Visual Studio 2013

d. Microsoft Unified Communications Hosted API 4.0 Core Runtime (64-bit)

The above are prerequisites for Exchange installation. Exchange cannot be installed without installing the above files.

Next, start installing Exchange.

The installation needs a lot of disk space, so it is recommended to set the virtual machine to 60G. Restart after installation; after a successful restart, visiting 127.0.0.1/ecp redirects to the login page.

So that readers can reproduce this vulnerability without spending too much time on the environment, the files needed for the setup and a virtual machine image with the environment already installed have been uploaded to Baidu Cloud; anyone who wants to build their own environment can download the files directly.

Follow the public account "red team attack and defense" and reply "forest deer" to obtain the Exchange lab environment.

V. Vulnerability reproduction

https://github.com/mai-lang-chai/Middleware-Vulnerability-detection/blob/master/Exchange/CVE-2021-26855%20Exchange%20RCE/exp.py

The exp is linked above. Usage: python exp.py -u 192.168.198.141 -email Administrator -linlu.com

This exp uses proxy mode by default. Delete the proxy in the exp, otherwise you cannot connect to the server.

It is recommended to run the exp from cmd; issues occur when it is run from PowerShell.
