Shulou(Shulou.com)06/01 Report--

Today, I would like to talk to you about how to carry out the early warning of loopholes in Exchange Server. Many people may not know much about it. In order to make you understand better, the editor has summarized the following contents for you. I hope you can get something according to this article.

0x00 vulnerability background

This vulnerability is a vulnerability released by MSRC on November 13, 2018, which can achieve privilege escalation on Exchange Server, numbered CVE-2018-8581. According to the description of the vulnerability by MSRC, it is known that after successful exploitation, the attacker can control any user on the Exchange Server. Then ZDI published the technical details of the vulnerability and how to exploit it in a blog post on December 19, 2018, and the effect of the exploit is the same as the description of the vulnerability in MSRC. Recently, some foreign security researchers combined with the attack techniques in the domain to give a new way of use, and made public the technical details and code of the new way of use on their blog. The new way of exploitation of this vulnerability can directly affect the pre-control, and the government has not yet launched the corresponding repair patch, which causes serious harm. 360CERT recommends that users who have used Exchange Server should take appropriate mitigation measures to protect the vulnerability as soon as possible.

0x01 scope of influence

Microsoft Exchange Server 2010

Microsoft Exchange Server 2013

Microsoft Exchange Server 2016

Microsoft Exchange Server 2019

0x02 mitigation measures

MSRC's mitigation measure for this vulnerability is to delete the DisableLoopbackCheck key from the registry to execute the following command in the command prompt window with administrator privileges

Reg delete HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ Lsa / v DisableLoopbackCheck / f

The relay attack of LDAP is needed for the new utilization, which can be mitigated by enabling LDAP signature mechanism and LDAP channel binding mechanism. At the same time, the relay attack is from HTTP to LDAP, which can also be mitigated by forcing SMB signature mechanism to be enabled on Exchange Server.

After reading the above, do you have any further understanding of how to carry out the early warning of Exchange Server rights raising vulnerabilities? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.