关于近期Microsoft Exchange多个高危漏洞——ProxyLogon
关于近期Microsoft Exchange多个高危漏洞——ProxyLogon
近期网上曝出Microsoft Exchange存在多个高危漏洞,通过组合利用这些漏洞能够在未经身份验证的情况下远程获取目标服务器权限。其中包括CVE-2021-26855服务端请求伪造漏洞、CVE-2021-26857不安全的反序列化漏洞、
CVE-2021-26858/CVE-2021-27065任意文件写入漏洞,在通过身份验证后攻击者可以利用该漏洞将文件写入服务器的任意路径。经了解,该漏洞的发现者为知名安全研究员Orange Tsai,他将这些漏洞取名为ProxyLogon,近期他在社交媒体上简要公布了这些漏洞的timeline(详细信息参见proxylogon.com)。
笔者将相关信息进行简要整理发现,未经身份验证的攻击者可以通过仅打开的443端口在Microsoft Exchange Server上执行任意命令,危害严重!预计EXP很快将出现,建议尽快修复。
FAQ(proxylogon.com 部分内容翻译):
Q:为什么将其称为ProxyLogon?它与ZeroLogon有关吗?
A:不,完全无关。我们将其称为ProxyLogon,因为攻击利用了Exchange的Proxy架构和登录机制。
Q:为什么ProxyLogon很特别?
A:作为企业最知名的邮件服务器,Microsoft Exchange长期以来一直是攻击者的圣杯,最近一次Exchange 的RCE漏洞还要追溯到NSA 方程式组织的EnglishmansDentist,而受EnglishmansDentist影响的主要是很老版本的Exchange 2003 ,而ProxyLogon影响范围远超EnglishmansDentist,难道ProxyLogon还不够特别么?
Q: 在哪里可以找到更多信息?
A: 将来我们将发布技术论文。
Q: 哪些版本的Exchange Server受到影响?
A: 该漏洞是由于Exchange Server 2013的Client Access Service架构发生了重大变化而导致的,而较早版本的Exchange Server 2010于2020年10月EOS。所以所有主流的Exchange Server都容易受到攻击!
确切的易受攻击的版本表:
- Exchange Server 2019 <15.02.0792.010
- Exchange Server 2019 <15.02.0721.013
- Exchange Server 2016 <15.01.2106.013
- Exchange Server 2013 <15.00.1497.012
Q: 我该如何修复这个漏洞?
A:Microsoft已于2021年3月3日发布了安全更新程序来修复此漏洞。请尽快更新您的Exchange Server!
Q: ProxyLogon是内存损坏错误吗?
A: 与EnglishmansDentist不同,ProxyLogon完全是关于Web上的逻辑错误的。这意味着漏洞利用是可靠的,并且容易被黑客利用。
Q: 谁发现了ProxyLogon漏洞?
A:ProxyLogon由DEVCORE研究团队的Orange Tsai发现。如有疑问,您可以通过research@devco.re与我们联系。
漏洞披露时间线:
October 01, 2020 | DEVCORE started reviewing the security on Microsoft Exchange Server |
|---|---|
December 10, 2020 | DEVCORE discovered the first pre-auth proxy bug (CVE-2021-26855) |
December 27, 2020 | DEVCORE escalated the first bug to an authentication bypass to become admin |
December 30, 2020 | DEVCORE discovered the second post-auth arbitrary-file-write bug (CVE-2021-27065) |
December 31, 2020 | DEVCORE chained all bugs together to a workable pre-auth RCE exploit |
January 05, 2021 | DEVCORE sent (18:41 GMT+8) the advisory and exploit to Microsoft through the MSRC portal directly |
January 06, 2021 | MSRC acknowledged the pre-auth proxy bug (MSRC case 62899) |
January 06, 2021 | MSRC acknowledged the post-auth arbitrary-file-write bug (MSRC case 63835) |
January 08, 2021 | MSRC confirmed the reported behavior |
January 11, 2021 | DEVCORE attached a 120-days public disclosure deadline to MSRC and checked for bug collision |
January 12, 2021 | MSRC flagged the intended deadline and confirmed no collision at that time |
February 02, 2021 | DEVCORE checked for the update |
February 02, 2021 | MSRC replied "they are splitting up different aspects for review individually and got at least one fix which should meet our deadline" |
February 12, 2021 | MSRC asked the title for acknowledgements and whether we will publish a blog |
February 13, 2021 | DEVCORE confirmed to publish a blog and said will postpone the technique details for two weeks, and will publish an easy-to-understand advisory (without technique details) instead |
February 18, 2021 | DEVCORE provided the advisory draft to MSRC and asked for the patch date |
February 18, 2021 | MSRC pointed out a minor typo in our draft and confirmed the patch date is 3/9 |
February 27, 2021 | MSRC said they are almost set for release and wanted to ask if we're fine with being mentioned in their advisory |
February 28, 2021 | DEVCORE agreed to be mentioned in their advisory |
March 03, 2021 | MSRC said they are likely going to be pushing out their blog earlier than expected and won’t have time to do an overview of the blog |
March 03, 2021 | MSRC published the patch and advisory and acknowledged DEVCORE officially |
March 03, 2021 | DEVCORE has launched an initial investigation after informed of active exploitation advisory from Volexity |
March 04, 2021 | DEVCORE has confirmed the in-the-wild exploit was the same one reported to MSRC |
March 05, 2021 | DEVCORE hasn't found concern in the investigation so far |
漏洞利用演示Demo: