Last month, on patch Tuesday, Microsoft released patches for four new remote code execution (RCE) vulnerabilities in Microsoft Exchange. At the time, details of the vulnerabilities were not available; however, this week security researcher Nguyen Jang released a technical write-up for CVE-2021-28482 along with proof-of-concept (PoC) exploit code written in Python. Jang gained some notoriety in March for being the first to post a PoC exploit for ProxyLogon, which Microsoft promptly had removed from GitHub.
CVE-2021-28482 is a post-authentication remote code execution vulnerability, which means it requires a user to log in before executing the code. It is a deserialization vulnerability in the Outlook Web Access (OWA) “MeetingPollHandler.ashx”. The PoC crafts a malicious meeting in OWA with a gadget chain generated from ysoserial.net. Serialization is the process of converting an object into a format that can be stored or transmitted over a network. For example, in Python (which is what I usually use), converting a Python list into a JSON file to be stored on disk. Deserialization is the opposite, so reading the JSON file and converting it back to a list. Deserialization vulnerabilities target the way the vulnerable app handles this deserialization process. When referencing deserialization vulnerabilities, a gadget is a term used to describe a class or the functions available within the current scope of the application.
Essentially, with CVE-2021-28482, an attacker crafts a meeting with a payload, but the attacker cannot call the malicious code directly. Instead, when MeetingPollHandler reads the XML that defines the meeting and begins processing the data, an attacker can use the gadget chain to reference a function within the current context that kicks off a chain of events that eventually leads to the payload being read executed. In Jang’s PoC it launches MSPaint.
Though these latest CVEs are all different than the ones related to Proxylogon, what we have seen is that the signatures Perch uses for detecting post-compromise activity will work just as well for CVE-2021-28482.
21 vulnerabilities patched in Exim
Exim is a widely used open-source mail transfer agent (MTA) for Unix-like operating systems. It’s the piece of software on many mail servers that handles getting your email from server A to server B, and it is the most widely used MTA by far. A recent code audit of Exim by Qualys revealed 21 exploitable vulnerabilities, collectively referred to as “21Nails.” Most of these vulnerabilities affect all versions of Exim. Ten can be exploited remotely and the other elven are local exploits.
These exploits can be chained together in multiple ways for an attacker to remotely exploit and gain full root access. This week, on Star Wars Day (May the Fourth be with you!), the Exim maintainers released new versions of Exim with patches for 21Nails. Below is a brief list:
CVE |
Description |
Type |
CVE-2020-28007 |
Link attack in Exim’s log directory |
Local |
CVE-2020-28008 |
Assorted attacks in Exim’s spool directory |
Local |
CVE-2020-28014 |
Arbitrary file creation and clobbering |
Local |
CVE-2021-27216 |
Arbitrary file deletion |
Local |
CVE-2020-28011 |
Heap buffer overflow in queue_run() |
Local |
CVE-2020-28010 |
Heap out-of-bounds write in main() |
Local |
CVE-2020-28013 |
Heap buffer overflow in parse_fix_phrase() |
Local |
CVE-2020-28016 |
Heap out-of-bounds write in parse_fix_phrase() |
Local |
CVE-2020-28015 |
New-line injection into spool header file (local) |
Local |
CVE-2020-28012 |
Missing close-on-exec flag for privileged pipe |
Local |
CVE-2020-28009 |
Integer overflow in get_stdinput() |
Local |
CVE-2020-28017 |
Integer overflow in receive_add_recipient() |
Remote |
CVE-2020-28020 |
Integer overflow in receive_msg() |
Remote |
CVE-2020-28023 |
Out-of-bounds read in smtp_setup_msg() |
Remote |
CVE-2020-28021 |
New-line injection into spool header file (remote) |
Remote |
CVE-2020-28022 |
Heap out-of-bounds read and write in extract_option() |
Remote |
CVE-2020-28026 |
Line truncation and injection in spool_read_header() |
Remote |
CVE-2020-28019 |
Failure to reset function pointer after BDAT error |
Remote |
CVE-2020-28024 |
Heap buffer underflow in smtp_ungetc() |
Remote |
CVE-2020-28018 |
Use-after-free in tls-openssl.c |
Remote |
CVE-2020-28025 |
Heap out-of-bounds read in pdkim_finish_bodyhash() |
Remote |
All the above have been patched in the latest version of Exim, so if you are running Exim, it’s time to update to the latest version. You should consider any version before 4.94.2 obsolete going forward.
Our research team is looking into these 21 vulnerabilities and will be releasing detection content around them; however, best practice is to go ahead and update so you can sleep soundly.
Bryson Medlock, the Dungeon Master
References
https://www.bleepingcomputer.com/news/security/poc-exploit-released-for-microsoft-exchange-bug-dicovered-by-nsa/
https://www.helpnetsecurity.com/2021/05/05/21-exim-vulnerabilities/
https://thehackernews.com/2021/05/alert-new-21nails-exim-bugs-expose.html
https://www.helpnetsecurity.com/2021/05/05/publishing-poc-exploits
https://gist.github.com/testanull/9ebbd6830f7a501e35e67f2fcaa57bda
https://testbnull.medium.com/microsoft-exchange-from-deserialization-to-post-auth-rce-cve-2021-28482-e713001d915f
https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server
https://www.qualys.com/2021/05/04/21nails/21nails.txt
https://www.exim.org/static/doc/security/CVE-2020-qualys/