Exchange vulnerability PoC released

Last month, on patch Tuesday, Microsoft released patches for four new remote code execution (RCE) vulnerabilities in Microsoft Exchange. At the time, details of the vulnerabilities were not available; however, this week security researcher Nguyen Jang released a technical write-up for CVE-2021-28482 along with proof-of-concept (PoC) exploit code written in Python. Jang gained some notoriety in March for being the first to post a PoC exploit for ProxyLogon, which Microsoft promptly had removed from GitHub.

CVE-2021-28482 is a post-authentication remote code execution vulnerability, which means it requires a user to log in before executing the code. It is a deserialization vulnerability in the Outlook Web Access (OWA) “MeetingPollHandler.ashx”. The PoC crafts a malicious meeting in OWA with a gadget chain generated from ysoserial.net. Serialization is the process of converting an object into a format that can be stored or transmitted over a network. For example, in Python (which is what I usually use), converting a Python list into a JSON file to be stored on disk. Deserialization is the opposite, so reading the JSON file and converting it back to a list. Deserialization vulnerabilities target the way the vulnerable app handles this deserialization process. When referencing deserialization vulnerabilities, a gadget is a term used to describe a class or the functions available within the current scope of the application.

Essentially, with CVE-2021-28482, an attacker crafts a meeting with a payload, but the attacker cannot call the malicious code directly. Instead, when MeetingPollHandler reads the XML that defines the meeting and begins processing the data, an attacker can use the gadget chain to reference a function within the current context that kicks off a chain of events that eventually leads to the payload being read executed. In Jang’s PoC it launches MSPaint.

Though these latest CVEs are all different than the ones related to Proxylogon, what we have seen is that the signatures Perch uses for detecting post-compromise activity will work just as well for CVE-2021-28482.

21 vulnerabilities patched in Exim

Exim is a widely used open-source mail transfer agent (MTA) for Unix-like operating systems. It’s the piece of software on many mail servers that handles getting your email from server A to server B, and it is the most widely used MTA by far. A recent code audit of Exim by Qualys revealed 21 exploitable vulnerabilities, collectively referred to as “21Nails.” Most of these vulnerabilities affect all versions of Exim. Ten can be exploited remotely and the other elven are local exploits.

These exploits can be chained together in multiple ways for an attacker to remotely exploit and gain full root access. This week, on Star Wars Day (May the Fourth be with you!), the Exim maintainers released new versions of Exim with patches for 21Nails. Below is a brief list:

CVE Description Type
CVE-2020-28007 Link attack in Exim’s log directory Local 
CVE-2020-28008 Assorted attacks in Exim’s spool directory Local 
CVE-2020-28014 Arbitrary file creation and clobbering Local 
CVE-2021-27216 Arbitrary file deletion Local 
CVE-2020-28011 Heap buffer overflow in queue_run() Local 
CVE-2020-28010 Heap out-of-bounds write in main() Local 
CVE-2020-28013 Heap buffer overflow in parse_fix_phrase() Local 
CVE-2020-28016 Heap out-of-bounds write in parse_fix_phrase() Local 
CVE-2020-28015 New-line injection into spool header file (local) Local 
CVE-2020-28012 Missing close-on-exec flag for privileged pipe Local 
CVE-2020-28009 Integer overflow in get_stdinput() Local 
CVE-2020-28017 Integer overflow in receive_add_recipient() Remote 
CVE-2020-28020 Integer overflow in receive_msg() Remote 
CVE-2020-28023 Out-of-bounds read in smtp_setup_msg() Remote 
CVE-2020-28021 New-line injection into spool header file (remote) Remote 
CVE-2020-28022 Heap out-of-bounds read and write in extract_option() Remote 
CVE-2020-28026 Line truncation and injection in spool_read_header() Remote 
CVE-2020-28019 Failure to reset function pointer after BDAT error Remote 
CVE-2020-28024 Heap buffer underflow in smtp_ungetc() Remote 
CVE-2020-28018 Use-after-free in tls-openssl.c Remote 
CVE-2020-28025 Heap out-of-bounds read in pdkim_finish_bodyhash() Remote 

All the above have been patched in the latest version of Exim, so if you are running Exim, it’s time to update to the latest version. You should consider any version before 4.94.2 obsolete going forward.

Our research team is looking into these 21 vulnerabilities and will be releasing detection content around them; however, best practice is to go ahead and update so you can sleep soundly.

Bryson Medlock, the Dungeon Master

References

https://www.bleepingcomputer.com/news/security/poc-exploit-released-for-microsoft-exchange-bug-dicovered-by-nsa/

https://www.helpnetsecurity.com/2021/05/05/21-exim-vulnerabilities/

https://thehackernews.com/2021/05/alert-new-21nails-exim-bugs-expose.html

https://www.helpnetsecurity.com/2021/05/05/publishing-poc-exploits

https://gist.github.com/testanull/9ebbd6830f7a501e35e67f2fcaa57bda

https://testbnull.medium.com/microsoft-exchange-from-deserialization-to-post-auth-rce-cve-2021-28482-e713001d915f

https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server

https://www.qualys.com/2021/05/04/21nails/21nails.txt

https://www.exim.org/static/doc/security/CVE-2020-qualys/