Liver1337DAY-ID-36585Microsoft Exchange Server Unpublished Pre-Authentication Remote Code Execution Exploit
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.044 Low
EPSS
Percentile
92.3%
[Description]
First, ITβS NOT PROXYLOGON. ITβS NOT PROXYLOGON. ITβS NOT PROXYLOGON.
Itβs an unpublished vulnerability found by myself. Itβs not exploited in the wild and thereβs no exploit code on the Internet.
[About The Vulnerability]
Itβs a exploit chain utilizing pre-auth SSRF + post-auth EoP + post-auth file write to achieve pre-auth RCE on Exchange Server. The corresponding CVE numbers are:
- CVE-2021-28480, CVSS score 10
- CVE-2021-28481, CVSS score 10
- CVE-2021-28482, CVSS score 9
This exploit chain is not memory corruption bug so itβs stable, easy to use, and no privilege required, the only limit is you must provide one victimβs email as argument.
[Affect Versions] - Exchange Server 2019 < 15.02.0858.010
- Exchange Server 2019 < 15.02.0792.013
- Exchange Server 2016 < 15.01.2242.008
- Exchange Server 2016 < 15.01.2176.012
- Exchange Server 2013 < 15.00.1497.015
Video: https://0day.today/videos/36585.mp4
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.044 Low
EPSS
Percentile
92.3%