记录黑客技术中优秀的内容,传播黑客文化,分享黑客技术精华

关于近期Microsoft Exchange多个高危漏洞——ProxyLogon

2021-03-07 01:23
    近期网上曝出Microsoft Exchange存在多个高危漏洞通过组合利用这些漏洞能够在未经身份验证的情况下远程获取目标服务器权限。其中包括CVE-2021-26855服务端请求伪造漏洞、CVE-2021-26857不安全的反序列化漏洞、
CVE-2021-26858/CVE-2021-27065任意文件写入漏洞,在通过身份验证后攻击者可以利用该漏洞将文件写入服务器的任意路径。经了解,该漏洞的发现者为知名安全研究员Orange Tsai他将这些漏洞取名为ProxyLogon,近期他在社交媒体上简要公布了这些漏洞的timeline(详细信息参见proxylogon.com)。

    笔者将相关信息进行简要整理发现,未经身份验证的攻击者可以通过仅打开的443端口在Microsoft Exchange Server上执行任意命令,危害严重!预计EXP很快将出现,建议尽快修复。

FAQ(proxylogon.com 部分内容翻译):

Q:为什么将其称为ProxyLogon?它与ZeroLogon有关吗?

A:不,完全无关。我们将其称为ProxyLogon,因为攻击利用了Exchange的Proxy架构和登录机制。


Q:为什么ProxyLogon很特别?

A:作为企业最知名的邮件服务器,Microsoft Exchange长期以来一直是攻击者的圣杯,最近一次Exchange 的RCE漏洞还要追溯到NSA 方程式组织的EnglishmansDentist,而受EnglishmansDentist影响的主要是很老版本的Exchange 2003 ,而ProxyLogon影响范围远超EnglishmansDentist,难道ProxyLogon还不够特别么?


Q: 在哪里可以找到更多信息?

A: 将来我们将发布技术论文。


Q: 哪些版本的Exchange Server受到影响?

A: 该漏洞是由于Exchange Server 2013的Client Access Service架构发生了重大变化而导致的,而较早版本的Exchange Server 2010于2020年10月EOS。所以所有主流的Exchange Server都容易受到攻击!

确切的易受攻击的版本表:

  • Exchange Server 2019 <15.02.0792.010

  • Exchange Server 2019 <15.02.0721.013

  • Exchange Server 2016 <15.01.2106.013

  • Exchange Server 2013 <15.00.1497.012


Q: 我该如何修复这个漏洞?

A:Microsoft已于2021年3月3日发布了安全更新程序来修复此漏洞。请尽快更新您的Exchange Server!


Q: ProxyLogon是内存损坏错误吗?

A: EnglishmansDentist不同,ProxyLogon完全是关于Web上的逻辑错误的。这意味着漏洞利用是可靠的,并且容易被黑客利用。


Q: 谁发现了ProxyLogon漏洞?

A:ProxyLogon由DEVCORE研究团队的Orange Tsai发现。如有疑问,您可以通过research@devco.re与我们联系。


漏洞披露时间线:

    October 01, 2020DEVCORE started reviewing the security on Microsoft Exchange Server
    December 10, 2020DEVCORE discovered the first pre-auth proxy bug (CVE-2021-26855)
    December 27, 2020DEVCORE escalated the first bug to an authentication bypass to become admin
    December 30, 2020DEVCORE discovered the second post-auth arbitrary-file-write bug (CVE-2021-27065)
    December 31, 2020DEVCORE chained all bugs together to a workable pre-auth RCE exploit
    January 05, 2021DEVCORE sent (18:41 GMT+8) the advisory and exploit to Microsoft through the MSRC portal directly
    January 06, 2021MSRC acknowledged the pre-auth proxy bug (MSRC case 62899)
    January 06, 2021MSRC acknowledged the post-auth arbitrary-file-write bug (MSRC case 63835)
    January 08, 2021MSRC confirmed the reported behavior
    January 11, 2021DEVCORE attached a 120-days public disclosure deadline to MSRC and checked for bug collision
    January 12, 2021MSRC flagged the intended deadline and confirmed no collision at that time
    February 02, 2021DEVCORE checked for the update
    February 02, 2021MSRC replied "they are splitting up different aspects for review individually and got at least one fix which should meet our deadline"
    February 12, 2021MSRC asked the title for acknowledgements and whether we will publish a blog
    February 13, 2021DEVCORE confirmed to publish a blog and said will postpone the technique details for two weeks, and will publish an easy-to-understand advisory (without technique details) instead
    February 18, 2021DEVCORE provided the advisory draft to MSRC and asked for the patch date
    February 18, 2021MSRC pointed out a minor typo in our draft and confirmed the patch date is 3/9
    February 27, 2021MSRC said they are almost set for release and wanted to ask if we're fine with being mentioned in their advisory
    February 28, 2021DEVCORE agreed to be mentioned in their advisory
    March 03, 2021MSRC said they are likely going to be pushing out their blog earlier than expected and won’t have time to do an overview of the blog
    March 03, 2021MSRC published the patch and advisory and acknowledged DEVCORE officially
    March 03, 2021DEVCORE has launched an initial investigation after informed of active exploitation advisory from Volexity
    March 04, 2021DEVCORE has confirmed the in-the-wild exploit was the same one reported to MSRC
    March 05, 2021DEVCORE hasn't found concern in the investigation so far

漏洞利用演示Demo:



知识来源: https://mp.weixin.qq.com/s?__biz=MzU5OTQ3ODM0Mw==&mid=2247484229&idx=1&sn=46fc705fa253cc322a2b2f17450e100b

阅读:219368 | 评论:0 | 标签:漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“关于近期Microsoft Exchange多个高危漏洞——ProxyLogon”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

黑帝公告 📢

永久免费持续更新精选优质黑客技术文章Hackdig,帮你成为掌握黑客技术的英雄

广而告之 💖

标签云 ☁