Premise

In this post, I will briefly talk about testing whether your on-premises Microsoft Exchange server is vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, or the HAFNIUM 0-day exploit.

Products Affected: On-premises Microsoft Exchange server

Impact: Attackers are able to steal mailboxes and launch further malware attacks

“Investigating and patching CVE-2021-26855 in on-premise Microsoft Exchange server”

*Checking if the server is compromised automatically
#Download the Test-ProxyLogon script from GitHub

#Launch the command prompt and type the below command to launch the Exchange Management Shell
<LaunchEMS>
#Then launch the below command to start running the tool
<Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs>
#Testing the local server only
<.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs>

*Checking if the server is compromised manually
#Look in the following paths
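
One way to script the manual check, as an added example that is not part of the original post or of Microsoft's CSS-Exchange tooling: it inventories every .aspx file under the web-facing directories this check covers (owa\auth, OAB and aspnet_client) with timestamps and SHA-256 hashes. The `$Since` cutoff, the output file name and the default install path are assumptions; these directories also hold legitimate Exchange pages, so the output is a triage list to review, not a verdict.

```powershell
# Added example: inventory .aspx files in the directories covered by the manual check.
param(
    # Assumption: default Exchange and IIS install paths, as used in this post.
    [string[]]$Roots = @(
        'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth',
        'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\OAB',
        'C:\inetpub\wwwroot\aspnet_client'
    ),
    # Assumption: triage cutoff chosen by the analyst; set it to your incident window.
    [datetime]$Since = '2021-01-01',
    # Assumption: hypothetical output file next to the Test-ProxyLogon logs.
    [string]$OutCsv = "$home\desktop\logs\aspx-triage.csv"
)

$cutoff = $Since.ToUniversalTime()

$results = @(foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Skipping missing directory: $root"
        continue
    }
    # -Force includes hidden and system files; -Recurse covers subfolders such as auth\current.
    Get-ChildItem -LiteralPath $root -Filter *.aspx -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                Path        = $_.FullName
                CreatedUtc  = $_.CreationTimeUtc
                ModifiedUtc = $_.LastWriteTimeUtc
                SizeBytes   = $_.Length
                Sha256      = $hash
                # True when the file was created or changed on or after the cutoff.
                Recent      = ($_.CreationTimeUtc -ge $cutoff) -or ($_.LastWriteTimeUtc -ge $cutoff)
            }
        }
})

# Keep the full inventory for the case file, newest files first.
New-Item -ItemType Directory -Path (Split-Path -Parent $OutCsv) -Force | Out-Null
$results | Sort-Object CreatedUtc -Descending | Export-Csv -Path $OutCsv -NoTypeInformation

# Show only the files inside the triage window on screen.
$results | Where-Object Recent | Sort-Object CreatedUtc -Descending |
    Format-Table Path, CreatedUtc, ModifiedUtc, SizeBytes -AutoSize
Write-Host ("{0} .aspx files inventoried, {1} inside the triage window. Full list: {2}" -f `
    $results.Count, @($results | Where-Object Recent).Count, $OutCsv)
```

Run it from an elevated PowerShell session on the Exchange server, then compare the hashes of any unexpected files against a known-clean server of the same build.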

*Patching the vulnerability

#Look in the below link for a list of patches and updates
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

*Temporary Mitigations

#Download the mitigation script below
https://github.com/microsoft/CSS-Exchange/releases/latest/download/ExchangeMitigations.ps1
#Run the script
<.\ExchangeMitigations.ps1 -WebSiteNames "Default Web Site" -ApplyAllMitigations -Verbose>

*How to test if your client is vulnerable without accessing their environments

#Download the below nmap script and store it in /usr/share/nmap/scripts/
https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse
<nmap -sV -A [target-ip] --script=http-vuln-cve2021-26855.nse>

#Full Details about IOCs, mitigation, and patching can be found below
https://github.com/microsoft/CSS-Exchange/tree/main/Security