Exchange chain CVE-2021-26855 and CVE-2021-27065 walkthrough.

In recent days, Exchange has been exposed to several critical vulnerabilities exploited in the wild. CVE-2021-26855 and CVE-2021-27065 are the two flaws involved in this critical scenario.

CVE-2021-26855 is an SSRF vulnerability. The problem occurs when the front end proxies client requests to the backend server. This vulnerability can be used to obtain a user's SID, which is the most important first step in a non-interactive (unauthenticated) attack chain.

CVE-2021-27065 is an arbitrary file write vulnerability. Although the content written to the file cannot be fully controlled, the file name and path can be chosen arbitrarily. Creating a file with the .aspx extension and embedding a one-line webshell in it yields remote control of the server.

According to ESET, several threat groups have used these zero-day exploits to attack organizations around the world. The identified threat groups and behavior clusters are:

Tick: compromised the web server of a company based in East Asia that provides IT services. As in the case of LuckyMouse and Calypso, the group likely had access to an exploit prior to the release of the patches.

LuckyMouse: compromised the email server of a governmental entity in the Middle East. This APT group likely had an exploit at least one day before the patches were released, when it was still a zero-day.

Calypso: compromised the email servers of governmental entities in the Middle East and in South America. The group likely had access to the exploit as a zero day. In the following days, Calypso operators targeted additional servers of governmental entities and private companies in Africa, Asia and Europe.

Websiic: targeted seven email servers belonging to private companies (in the IT, telecommunications and engineering sectors) in Asia and a governmental body in Eastern Europe. ESET named this new cluster of activity Websiic.

Winnti Group: compromised the email servers of an oil company and a construction equipment company in Asia. The group likely had access to an exploit prior to the release of the patches.

Tonto Team: compromised the email servers of a procurement company and of a consulting company specialized in software development and cybersecurity, both based in Eastern Europe.

ShadowPad activity: compromised the email servers of a software development company based in Asia and a real estate company based in the Middle East. ESET detected a variant of the ShadowPad backdoor dropped by an unknown group.

The “Opera” Cobalt Strike: targeted around 650 servers, mostly in the US, Germany, the UK and other European countries just a few hours after the patches were released.

IIS backdoors: ESET observed IIS backdoors installed via webshells used in these compromises on four email servers located in Asia and South America. One of the backdoors is publicly known as Owlproxy.

Mikroceen: compromised the Exchange server of a utility company in Central Asia, which is the region this group typically targets.

DLTMiner: ESET detected the deployment of PowerShell downloaders on multiple email servers that were previously targeted using the Exchange vulnerabilities. The network infrastructure used in this attack is linked to a previously reported coin-mining campaign.

The timeline of important events can be observed below (source).

CVE-2021-26855

This SSRF is one of the most important vulnerabilities found in Exchange in recent years. Unlike the previous Exchange RCEs, this flaw can be exploited without authentication (no user credentials are required), which opens the door to mass exploitation.

Looking at the ZoomEye or Shodan platforms, potentially vulnerable Exchange servers can be found using basic search queries (dorks).

The following image shows some Exchange servers returned by Shodan for the following queries:

-- massive scan --
https://www.shodan.io/search?query=Microsoft+Exchange+Server

-- by country --
https://www.shodan.io/search?query="Microsoft+Exchange+Server"+++country:pt

The ShadowServer survey also shows that many Exchange servers around the globe are vulnerable, including 17.4K vulnerable servers in the USA, 7.7K in Germany, 4K in the UK and 348 in Portugal.

Digging into the details, the entry point for exploiting this flaw is a request for a non-existent file such as /ecp/target.js. The flaw is triggered simply by requesting a file that never existed on the server side; the SSRF is then invoked and the request, carrying the attacker-supplied payload, is forwarded to the backend server.

The next image shows the HTTP POST request used to exploit the SSRF.

Two key points to note here are the URL and the X-BEResource cookie.

POST /ecp/target.js HTTP/1.1
Cookie: X-BEResource=name] @WIN-PDEIT81MJNQ.server.cd:444/autodiscover/autodiscover.xml?#-1941962753

To understand how the request is handled by the Exchange server, note first that target.js is not a physical file but a virtual path.

By analyzing the Exchange Server 2016 patch from December 2020, we can observe many DLLs inside KB4593465.

After extracting the DLL files from the KB, we can analyze several of them, including Microsoft.Exchange.FrontEndHttpProxy, which contains BEResourceRequestHandler, the class used to handle backend resource requests.

The OnPostAuthorizeRequest() function of ProxyModule must be highlighted. As the name suggests, it runs once the request has passed authorization and is used to vet the request. This function calls ProxyModule.OnPostAuthorizeInternal().

Analyzing this DLL shows that when the ProtocolType is Ecp, several comparisons are made. In addition, the request cookies must contain an X-BEResource field, and the request path must end with .axc, .css, .js or another static-resource suffix. Only when both conditions are met is BEResourceRequestHandler selected as the request handler.

The handler is set on the context.RemapHandlerInstance property and finally assigned to context.Handler.

Then Handler.BeginProcessRequest() is called to process the request further. Because BEResourceRequestHandler inherits from ProxyRequestHandler, it is ultimately ProxyRequestHandler.BeginProcessRequest() that runs.

The role of the ProxyRequestHandler class appears to be forwarding the HTTP request received by the FrontEnd to the BackEnd, after some additional validations.
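The two handler-selection conditions described above (an /ecp/ request ending in a static suffix plus an X-BEResource cookie) are also exactly what a defender can hunt for in IIS logs. The following is an added detection example, not code from the original post; it assumes cookie logging (the cs(Cookie) field) is enabled on the IIS site, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Conditions the post describes for BEResourceRequestHandler to be selected:
# an /ecp/ request ending in a static suffix plus an X-BEResource cookie.
# The suffix list is the one named in the post, not the complete list from the DLL.
STATIC_SUFFIXES = (".js", ".css", ".axc")
COOKIE_RE = re.compile(r"X-BEResource=([^;]+)", re.IGNORECASE)
# The backend target appears after '@' in the cookie, optionally followed by :port
HOST_RE = re.compile(r"@([^/:]+)(?::(\d+))?")

# Constructed IIS W3C log excerpt (cs(Cookie) logging enabled); the first entry
# mirrors the request shape shown in the post, the other two are benign traffic.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status
2021-03-03 10:15:01 10.0.0.5 POST /ecp/target.js - 443 - 198.51.100.7 python-requests/2.25.1 X-BEResource=name]@mail.example.test:444/autodiscover/autodiscover.xml?#-1941962753 200
2021-03-03 10:15:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2021-03-03 10:15:03 10.0.0.5 GET /ecp/default.css - 443 - 203.0.113.9 Mozilla/5.0 ASP.NET_SessionId=abc123 200
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_proxylogon_probe(entry):
    """True when both handler-selection conditions from the post are present."""
    stem = entry.get("cs-uri-stem", "").lower()
    cookie = unquote(entry.get("cs(Cookie)", ""))
    return (stem.startswith("/ecp/") and stem.endswith(STATIC_SUFFIXES)
            and COOKIE_RE.search(cookie) is not None)

def find_probes(text):
    """Return the suspicious entries with the backend host the cookie points at."""
    hits = []
    for entry in parse_w3c(text):
        if not is_proxylogon_probe(entry):
            continue
        target = COOKIE_RE.search(unquote(entry["cs(Cookie)"])).group(1)
        host = HOST_RE.search(target)
        hits.append({"client": entry["c-ip"], "path": entry["cs-uri-stem"],
                     "backend": host.group(1) if host else None,
                     "status": entry["sc-status"]})
    return hits
```

Running find_probes(SAMPLE_LOG) flags only the first entry, reporting the source IP and the backend host named in the cookie; the benign /ecp/default.css request without the cookie is not reported.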

CVE-2021-27065

To exploit this vulnerability, an attacker first needs an Exchange administrator account, then edits the External URL parameter under Exchange admin center > Servers > Virtual Directories.

After setting the "External URL" parameter, the last step is to use the ResetOABVirtualDirectories feature and enter the path of the file to be written:

After execution, the file is created at the chosen path with the malicious content (webshell).
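Because the External URL field is the channel through which the webshell content reaches the written file, auditing that field is a cheap post-incident check. The following is an added example, not part of the original post; it assumes the ExternalUrl values were exported from the Exchange Management Shell cmdlet Get-OabVirtualDirectory, and the sample values are constructed (the script body is elided).

```python
from urllib.parse import urlparse

# Markers that have no business in a virtual-directory URL but do appear when
# the field is used to smuggle ASP.NET code into the written file.
CODE_MARKERS = ("<script", "runat=", "<%", "eval(", "request[")

def audit_external_url(value):
    """Return the reasons a value is suspicious; an empty list means it looks like a plain URL."""
    reasons = []
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        reasons.append("not an http(s) URL")
    lowered = value.lower()
    reasons.extend(f"contains {m!r}" for m in CODE_MARKERS if m in lowered)
    return reasons

# Constructed sample values as Get-OabVirtualDirectory would report ExternalUrl:
# one normal entry and one carrying script markup with the body elided.
SAMPLES = {
    "OAB (Default Web Site) on MAIL01": "https://mail.example.test/OAB",
    "OAB (Default Web Site) on MAIL02": 'http://f/<script runat="server">...</script>',
}

def audit_all(samples):
    """Map each virtual directory name to its findings, keeping only flagged ones."""
    findings = {name: audit_external_url(v) for name, v in samples.items()}
    return {name: why for name, why in findings.items() if why}
```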

Using this combination of SSRF and webshell upload, criminals are deploying Cobalt Strike beacons to fully compromise organizations.

Exploits

https://github.com/sirpedrotavares/CVE-2021-26855
https://github.com/sirpedrotavares/CVE-2021-26856
https://github.com/sirpedrotavares/Proxylogon-exploit

Mitigation

On 2021-03-02, Microsoft released out-of-band patches for Microsoft Exchange Server 2013, 2016, and 2019.

For more details and mitigations see the sources below.

Sources

- https://paper.seebug.org/1501/
- https://testbnull.medium.com/ph%C3%A2n-t%C3%ADch-l%E1%BB%97-h%E1%BB%95ng-proxylogon-mail-exchange-rce-s%E1%BB%B1-k%E1%BA%BFt-h%E1%BB%A3p-ho%C3%A0n-h%E1%BA%A3o-cve-2021-26855-37f4b6e06265
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.shadowserver.org/news/shadowserver-special-reports-exchange-scanning/
- https://www.praetorian.com/blog/reproducing-proxylogon-exploit/