Preface

In this post I will briefly explain how to test whether an on-premises Microsoft Exchange server is vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, also known as the HAFNIUM 0-day exploit (ProxyLogon).

Affected products: on-premises Microsoft Exchange Server

Impact: attackers can steal mailbox contents and use the foothold to launch further malware attacks


"Investigating and patching CVE-2021-26855 on an on-premises Microsoft Exchange server"

*Check automatically whether the server is compromised
#Download Test-ProxyLogon.ps1 from GitHub (microsoft/CSS-Exchange)

#Open a command prompt and type the following command to start the Exchange Management Shell
<LaunchEMS>
# Then run the following command to check every Exchange server in the organization and write the findings to a log folder
<Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs>
#To test only the local server
<.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs>

*Check manually whether the server is compromised
#Look for unexpected .aspx files (web shells) in the OWA authentication directory (FrontEnd\HttpProxy\owa\auth), the OAB directory (FrontEnd\HttpProxy\OAB) under the Exchange installation folder, and in C:\inetpub\wwwroot\aspnet_client; the full list of known web-shell paths is maintained on the Microsoft CSS-Exchange Security page linked at the end of this post
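As an added example (not from the original post and not part of Microsoft's CSS-Exchange tooling), the manual check above can be turned into an inventory: the script below lists every .aspx file in the three web-shell drop directories, hashes each one so it can be compared against a published IoC list, and flags files created or modified after a cut-off date. It assumes the ExchangeInstallPath environment variable that Exchange setup defines (falling back to the default V15 path), and the cut-off date is an assumption to adjust to your own timeline.

```powershell
# Inventory .aspx files in the ProxyLogon web-shell drop directories.
# Added example; assumptions: $env:ExchangeInstallPath is set by Exchange setup,
# and the default cut-off date marks the start of the mass-exploitation window.
param(
    [datetime]$Since  = (Get-Date '2021-02-26'),
    [string]  $OutCsv = "$home\Desktop\aspx-inventory.csv"
)

$exchRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath }
            else { 'C:\Program Files\Microsoft\Exchange Server\V15\' }

# Directories named in the manual check: OWA auth, OAB, and the IIS aspnet_client folder.
$dirs = @(
    (Join-Path $exchRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $exchRoot 'FrontEnd\HttpProxy\OAB'),
    'C:\inetpub\wwwroot\aspnet_client'
)

$results = foreach ($d in $dirs) {
    if (-not (Test-Path -Path $d)) { continue }
    # -Force includes hidden files; -Recurse catches nested drops such as owa\auth\current\
    Get-ChildItem -Path $d -Filter *.aspx -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                CreatedUtc    = $_.CreationTimeUtc
                ModifiedUtc   = $_.LastWriteTimeUtc
                SizeBytes     = $_.Length
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                # Flag anything touched after the cut-off; a clean aspnet_client contains no .aspx at all.
                Suspicious    = ($_.CreationTimeUtc -ge $Since) -or ($_.LastWriteTimeUtc -ge $Since)
            }
        }
}

# Keep the full inventory (hashes included) for IoC comparison, and print the flagged subset.
$results | Export-Csv -Path $OutCsv -NoTypeInformation
$flagged = @($results | Where-Object { $_.Suspicious })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) .aspx file(s) created or modified since $($Since.ToString('u')); review before trusting this server."
    $flagged | Format-Table Path, CreatedUtc, SizeBytes, SHA256 -AutoSize
} else {
    Write-Output "No .aspx files in the monitored directories were touched since $($Since.ToString('u'))."
}
```

Timestamps can be altered by an attacker, so treat the date flag as a triage hint and compare the SHA256 column against the published IoC hashes; the Test-ProxyLogon script above remains the authoritative check.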

*Fixing the vulnerability

#See the link below for the list of security updates and patches
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

*Temporary mitigations (if you cannot patch immediately)

#Download the mitigation script below
https://github.com/microsoft/CSS-Exchange/releases/latest/download/ExchangeMitigations.ps1
#Run the script from an elevated PowerShell prompt on the Exchange server
<.\ExchangeMitigations.ps1 -WebSiteNames "Default Web Site" -ApplyAllMitigations -Verbose>

*How to check whether a client is vulnerable without access to their environment

#Download the nmap script below and store it in /usr/share/nmap/scripts/
https://github.com/microsoft/CSS-Exchange/releases/latest/download/http-vuln-cve2021-26855.nse
<nmap -sV -A [target-ip] --script=http-vuln-cve2021-26855.nse>

# Full details on IoCs, mitigations and patches are available below
https://github.com/microsoft/CSS-Exchange/tree/main/Security



About the author

I write cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting, including but not limited to SEO, Google and Meta ads, and CRM administration.
