
Microsoft Exchange Server External Service Interaction

27 Dec 2019 00:00:00 | Reported by Alphan Yavas | Type: packetstorm | Source: packetstormsecurity.com

An External Service Interaction vulnerability in the Autodiscover component of Microsoft Exchange Server allows remote attackers to force the server to send DNS requests to malicious domains. The vendor responded that this behavior is by design. Discovered by Alphan Yavas from Biznet Bilisim A.S.

Code
`I. VULNERABILITY  
-------------------------  
Microsoft Exchange Server, External Service Interaction (DNS)  
Exchange Server 2013 CU22 and previous.  
  
II. CVE REFERENCE  
-------------------------  
Not Assigned Yet  
  
III. VENDOR  
-------------------------  
https://www.microsoft.com  
  
IV. DESCRIPTION  
-------------------------  
Microsoft Exchange Server is affected by an External Service  
Interaction (DNS) vulnerability. A remote attacker could force the  
vulnerable server to send requests to any remote server s/he wants.  
  
V. TIMELINE  
-------------------------  
04/11/2019 Vulnerability discovered  
05/12/2019 Vendor contacted  
17/12/2019 Microsoft replied that “We determined that this behavior is  
considered to be by design.”  
  
VI. CREDIT  
-------------------------  
Alphan Yavas from Biznet Bilisim A.S.  
  
VII. Components  
-------------------------  
Affected Component:  
Path(inurl): /Autodiscover  
Parameter: Authorization  
  
VIII. PROOF OF CONCEPT  
-------------------------  
Request example:  
  
GET /Autodiscover HTTP/1.1  
Host: owa.zzzzz.com.tr  
Authorization: Basic abc  
  
Affected parameter: Authorization  
  
If the Authorization header is sent in the following format, the victim  
server will send out DNS queries to the xxx domain (xxx is the domain  
that you want the server to send requests to):  
  
xxx\qqq:aaa  
  
As shown above, the Authorization header carries a base64 payload.  
If we decode that payload, we see a structure like  
"domain\username:password".  
If we intercept the request and build a new payload with a domain  
different from the default (for example xxxx.com), we get a payload  
like "xxxx.com\qqq:aaa", which we encode with base64. When we send our  
request with this payload, the server will send a DNS request to the  
xxxx domain.  
`
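
A defensive check for the behaviour described in the advisory, as an added example that is not part of the original advisory: it decodes a Basic `Authorization` value seen at a reverse proxy or in captured traffic and flags a `domain\` prefix that is not one of the organisation's own logon domains. The `EXPECTED_DOMAINS` values, the function names and the sample headers are constructed assumptions.

```python
import base64
import binascii

# Assumption: logon domains this organisation actually uses (constructed values).
EXPECTED_DOMAINS = {"corp", "corp.example.com"}


def parse_basic(header_value):
    """Return (domain, user) from a Basic Authorization value; domain may be None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("undecodable Basic token") from exc
    userid, sep, _password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' between user and password")
    domain, slash, user = userid.partition("\\")
    if not slash:
        return None, userid  # no 'domain\' prefix supplied
    return domain.lower(), user


def classify(header_value, expected=EXPECTED_DOMAINS):
    """Return 'ok', 'unexpected-domain' or 'malformed' for one header value."""
    try:
        domain, _user = parse_basic(header_value)
    except ValueError:
        return "malformed"
    if domain is None or domain in expected:
        return "ok"
    return "unexpected-domain"


def make_header(userid, password):
    """Build a constructed sample header for the demo below."""
    raw = f"{userid}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


if __name__ == "__main__":
    samples = (make_header("corp\\alice", "pw"),
               make_header("other.example\\qqq", "aaa"),
               "Basic abc")
    for header in samples:
        print(classify(header), header)
```

Requests classified as `unexpected-domain` are the ones to log or reject before they reach `/Autodiscover`.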
