Dissecting the Exchange Server Saga: A Practical Deep Dive into the Vulnerabilities
P Mohith Kalyan, Anurag Shandilya
K7 Computing
Abstract:
In March 2021, Microsoft patched 0-day vulnerabilities in Exchange Server. Unsurprisingly, these servers then became the favourite target of several threat actors. In fact, some of the 0-days are likely to have been actively exploited in the wild even before the patches were deployed. This presentation intends to expose the internals of Exchange Server and its erstwhile 0-days, and how they are being targeted by various threat actors.
It is not difficult to see why Exchange Server is so attractive to attackers: being one of the essential components of an organisation’s communication infrastructure, it is accessible by almost all endpoint systems to receive and deliver emails, is exposed to external networks, and cannot be taken offline for a long period of time. To exacerbate matters, we in the security industry paid it scant regard before things went pear-shaped. As per Shodan, there are more than 84000 unpatched on-premise Exchange Servers publicly accessible over the internet, and among those, 16000 are vulnerable to CVE-2021-26855 (a.k.a. the ProxyLogon vulnerability) alone.
In this presentation, we will expose some of the entrails of Exchange Server en route to focussing on two vulnerabilities – CVE-2021-26855, a server-side request forgery, and CVE-2021-27065, a post-authentication arbitrary file write – that can be chained together to force unauthenticated remote code execution on a vulnerable server. We will provide a demo highlighting the ease with which these vulnerabilities can be chained and exploited. We will also use patch-diffing to analyse the mitigations implemented, backed by forensic evidence from compromised servers. We will conclude with a set of control measures for further mitigation of such 0-day attacks.
Speakers
Vulnerability Researcher
Assistant Vulnerability Research Manager