Microsoft Exchange Server Authentication Bypass - Nessus

Critical   Plugin ID: 147171

This page contains detailed information about the Microsoft Exchange Server Authentication Bypass Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 147171
Name: Microsoft Exchange Server Authentication Bypass
Filename: exchange_cve-2021-26855.nbin
Vulnerability Published: 2021-03-02
This Plugin Published: 2021-03-08
Last Modification Time: 2022-05-03
Plugin Version: 1.23
Plugin Type: remote
Plugin Family: Windows
Dependencies: exchange_detect.nbin
Required KB Items [?]: installed_sw/Exchange Server

Vulnerability Information

Severity: Critical
Vulnerability Published: 2021-03-02
Patch Published: 2021-03-02
CVE [?]: CVE-2021-26855
CPE [?]: cpe:/a:microsoft:exchange_server
Exploited by Malware: True
In the News: True

Synopsis

The remote mail server is affected by an authentication bypass vulnerability.

Description

The Microsoft Exchange running on the remote host is affected by an authentication bypass vulnerability. An unauthenticated remote attacker can exploit this to execute arbitrary code.

Solution

Microsoft has released the following security updates to address this issue: -KB5000871

Public Exploits

Target Network Port(s): 443
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Microsoft Exchange Server Authentication Bypass vulnerability:

  1. Metasploit: exploit/windows/http/exchange_proxylogon_rce
    [Microsoft Exchange ProxyLogon RCE]
  2. Metasploit: auxiliary/gather/exchange_proxylogon_collector
    [Microsoft Exchange ProxyLogon Collector]
  3. Metasploit: auxiliary/scanner/http/exchange_proxylogon
    [Microsoft Exchange ProxyLogon Scanner]
  4. Exploit-DB: exploits/windows/webapps/49879.py
    [EDB-49879: Microsoft Exchange 2019 - Unauthenticated Email Download]
  5. Exploit-DB: exploits/windows/webapps/49895.rb
    [EDB-49895: Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit)]
  6. GitHub: https://github.com/0ps/pocassistdb
    [CVE-2021-26855]
  7. GitHub: https://github.com/0xmahmoudJo0/Check_Emails_For_CVE_2021_26855
    [CVE-2021-26855]
  8. GitHub: https://github.com/00011100/HAFHunt
    [CVE-2021-26855]
  9. GitHub: https://github.com/Ahsanzia/Exchange-Exploit
    [CVE-2021-26855]
  10. GitHub: https://github.com/Astrogeorgeonethree/Starred
    [CVE-2021-26855]
  11. GitHub: https://github.com/Dutch-Technology-eXperts/CSIRT
    [CVE-2021-26855]
  12. GitHub: https://github.com/EdgeSecurityTeam/Vulnerability
    [CVE-2021-26855]
  13. GitHub: https://github.com/FDlucifer/Proxy-Attackchain
    [CVE-2021-26855]
  14. GitHub: https://github.com/FDlucifer/firece-fish
    [CVE-2021-26855]
  15. GitHub: https://github.com/H0j3n/EzpzCheatSheet
    [CVE-2021-26855]
  16. GitHub: https://github.com/JERRY5410/HOMEWORK-FOR-ProxyLogon
    [CVE-2021-26855]
  17. GitHub: https://github.com/LearnGolang/LearnGolang
    [CVE-2021-26855]
  18. GitHub: https://github.com/Mr-xn/CVE-2021-26855-d
    [CVE-2021-26855]
  19. GitHub: https://github.com/Mr-xn/Penetration_Testing_POC
    [CVE-2021-26855]
  20. GitHub: https://github.com/NTUTtopicBryan/NTUT_HomeWork
    [CVE-2021-26855]
  21. GitHub: https://github.com/NarbehJackson/python-flask-ssrfpdf-to-lfi
    [CVE-2021-26855]
  22. GitHub: https://github.com/PwCNO-CTO/CVE-2021-26855
    [CVE-2021-26855: Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)]
  23. GitHub: https://github.com/Seeps/shellcollector
    [CVE-2021-26855]
  24. GitHub: https://github.com/SexyBeast233/SecBooks
    [CVE-2021-26855]
  25. GitHub: https://github.com/SotirisKar/CVE-2021-26855
    [CVE-2021-26855]
  26. GitHub: https://github.com/SpearTip-Cyber-Counterintelligence/Zirconium
    [CVE-2021-26855]
  27. GitHub: https://github.com/Udyz/Proxylogon
    [CVE-2021-26855]
  28. GitHub: https://github.com/WiredPulse/Invoke-HAFNIUMCheck.ps1
    [CVE-2021-26855]
  29. GitHub: https://github.com/achabahe/CVE-2021-26855
    [CVE-2021-26855]
  30. GitHub: https://github.com/alt3kx/CVE-2021-26855_PoC
    [CVE-2021-26855]
  31. GitHub: https://github.com/andyinmatrix/PowerShell
    [CVE-2021-26855]
  32. GitHub: https://github.com/avi8892/CVE-2021-26856
    [CVE-2021-26855]
  33. GitHub: https://github.com/bhassani/Recent-CVE
    [CVE-2021-26855]
  34. GitHub: https://github.com/binganao/vulns-2022
    [CVE-2021-26855]
  35. GitHub: https://github.com/boson87225/111
    [CVE-2021-26855]
  36. GitHub: https://github.com/certat/exchange-scans
    [CVE-2021-26855]
  37. GitHub: https://github.com/cyware-labs/Operation-Exchange-Marauder
    [CVE-2021-26855]
  38. GitHub: https://github.com/doris0213/Proxy-Logon
    [CVE-2021-26855]
  39. GitHub: https://github.com/h4x0r-dz/CVE-2021-26855
    [CVE-2021-26855]
  40. GitHub: https://github.com/helsecert/2021-march-exchange
    [CVE-2021-26855]
  41. GitHub: https://github.com/herwonowr/exprolog
    [CVE-2021-26855]
  42. GitHub: https://github.com/hosch3n/ProxyLogon
    [CVE-2021-26855: CVE-2021-26855 & CVE-2021-27065]
  43. GitHub: https://github.com/inpalmer/MSE-Exchange-Alert-Check
    [CVE-2021-26855: Verify Vulnerability CVE-2021-26855]
  44. GitHub: https://github.com/itscio/LadonGo
    [CVE-2021-26855]
  45. GitHub: https://github.com/jweny/pocassistdb
    [CVE-2021-26855]
  46. GitHub: https://github.com/k8gege/LadonGo
    [CVE-2021-26855]
  47. GitHub: https://github.com/lovechinacoco/https-github.com-mai-lang-chai-Middleware-Vulnerability-detection
    [CVE-2021-26855]
  48. GitHub: https://github.com/mysticwayfarer1/Exchange-HAFNIUM
    [CVE-2021-26855]
  49. GitHub: https://github.com/netlas-io/MsExchangeServerVersionCheck
    [CVE-2021-26855]
  50. GitHub: https://github.com/password520/LadonGo
    [CVE-2021-26855]
  51. GitHub: https://github.com/r0eXpeR/redteam_vul
    [CVE-2021-26855]
  52. GitHub: https://github.com/r0eXpeR/supplier
    [CVE-2021-26855]
  53. GitHub: https://github.com/raheel0x01/eeb927d1189ad44742095f58636483984bfbfa355f69f94439e276df306d9568
    [CVE-2021-26855: CVE-2021-26855, also known as Proxylogon, is a server-side request forgery (SSRF) ...]
  54. GitHub: https://github.com/saucer-man/exploit
    [CVE-2021-26855]
  55. GitHub: https://github.com/seanjosee/NTUT_HOMEWORK
    [CVE-2021-26855]
  56. GitHub: https://github.com/shacojx/CVE-2021-26855-exploit-Exchange
    [CVE-2021-26855]
  57. GitHub: https://github.com/shacojx/CVE_2021_26855_SSRF
    [CVE-2021-26855]
  58. GitHub: https://github.com/shacojx/Scan-Vuln-CVE-2021-26855
    [CVE-2021-26855]
  59. GitHub: https://github.com/vehemont/nvdlib
    [CVE-2021-26855]
  60. GitHub: https://github.com/zhzyker/vulmap
    [CVE-2021-26855]
  61. GitHub: https://github.com/0xAbdullah/CVE-2021-26855
    [CVE-2021-26855: PoC for CVE-2021-26855 -Just a checker-]
  62. GitHub: https://github.com/cert-lv/exchange_webshell_detection
    [CVE-2021-26855: Detect webshells dropped on Microsoft Exchange servers exploited through ...]
  63. GitHub: https://github.com/charlottelatest/CVE-2021-26855
    [CVE-2021-26855: CVE-2021-26855 exp]
  64. GitHub: https://github.com/conjojo/Microsoft_Exchange_Server_SSRF_CVE-2021-26855
    [CVE-2021-26855: Microsoft Exchange Server SSRF漏洞(CVE-2021-26855)]
  65. GitHub: https://github.com/cryptolakk/ProxyLogon-Mass-RCE
    [CVE-2021-26855: Python for mass deploying payload on Microsoft Exchange Servers affected by ...]
  66. GitHub: https://github.com/DCScoder/Exchange_IOC_Hunter
    [CVE-2021-26855: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065]
  67. GitHub: https://github.com/dwisiswant0/proxylogscan
    [CVE-2021-26855: A fast tool to mass scan for a vulnerability on Microsoft Exchange Server that ...]
  68. GitHub: https://github.com/evilashz/ExchangeSSRFtoRCEExploit
    [CVE-2021-26855: CVE-2021-26855 & CVE-2021-27065]
  69. GitHub: https://github.com/Flangvik/SharpProxyLogon
    [CVE-2021-26855: C# POC for CVE-2021-26855 aka ProxyLogon, supports the classically semi-interactive ...]
  70. GitHub: https://github.com/hackerschoice/CVE-2021-26855
    [CVE-2021-26855: PoC of proxylogon chain SSRF(CVE-2021-26855) to write file by testanull, censored by ...]
  71. GitHub: https://github.com/hosch3n/ProxyVulns
    [CVE-2021-26855: [ProxyLogon] CVE-2021-26855 & CVE-2021-27065 Fixed RawIdentity Bug Exploit. ...]
  72. GitHub: https://github.com/Immersive-Labs-Sec/ProxyLogon
    [CVE-2021-26855: Chaining CVE-2021-26855 and CVE-2021-26857 to exploit Microsoft Exchange]
  73. GitHub: https://github.com/KotSec/CVE-2021-26855-Scanner
    [CVE-2021-26855: Scanner and PoC for CVE-2021-26855]
  74. GitHub: https://github.com/mauricelambert/ExchangeWeaknessTest
    [CVE-2021-26855: This script test the CVE-2021-26855 vulnerability on Exchange Server.]
  75. GitHub: https://github.com/mekhalleh/exchange_proxylogon
    [CVE-2021-26855: Module pack for #ProxyLogon (part. of my contribute for Metasploit-Framework) ...]
  76. GitHub: https://github.com/mil1200/ProxyLogon-CVE-2021-26855
    [CVE-2021-26855: RCE exploit for ProxyLogon vulnerability in Microsoft Exchange]
  77. GitHub: https://github.com/Nick-Yin12/106362522
    [CVE-2021-26855: 針對近期微軟公布修補遭駭客攻擊的Exchange ...]
  78. GitHub: https://github.com/p0wershe11/ProxyLogon
    [CVE-2021-26855: ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell)]
  79. GitHub: https://github.com/praetorian-inc/proxylogon-exploit
    [CVE-2021-26855: Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065. Unauthenticated RCE ...]
  80. GitHub: https://github.com/pussycat0x/CVE-2021-26855-SSRF
    [CVE-2021-26855: This script helps to identify CVE-2021-26855 ssrf Poc]
  81. GitHub: https://github.com/r0ckysec/CVE-2021-26855_Exchange
    [CVE-2021-26855: Microsoft Exchange Proxylogon Exploit Chain EXP分析]
  82. GitHub: https://github.com/raheel0x01/CVE-2021-26855
    [CVE-2021-26855: CVE-2021-26855, also known as Proxylogon, is a server-side request forgery (SSRF) ...]
  83. GitHub: https://github.com/RickGeex/ProxyLogon
    [CVE-2021-26855: ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on ...]
  84. GitHub: https://github.com/SCS-Labs/HAFNIUM-Microsoft-Exchange-0day
    [CVE-2021-26855: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065]
  85. GitHub: https://github.com/sgnls/exchange-0days-202103
    [CVE-2021-26855: IoC determination for exploitation of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 ...]
  86. GitHub: https://github.com/soteria-security/HAFNIUM-IOC
    [CVE-2021-26855: A PowerShell script to identify indicators of exploitation of CVE-2021-26855, ...]
  87. GitHub: https://github.com/srvaccount/CVE-2021-26855-PoC
    [CVE-2021-26855: PoC exploit code for CVE-2021-26855]
  88. GitHub: https://github.com/stressboi/hafnium-exchange-splunk-csvs
    [CVE-2021-26855: IOCs found exploiting CVE-2021-26855 thanks to info from Volexity and MS and ...]
  89. GitHub: https://github.com/TaroballzChen/ProxyLogon-CVE-2021-26855-metasploit
    [CVE-2021-26855: CVE-2021-26855 proxyLogon metasploit exploit script]
  90. GitHub: https://github.com/Th3eCrow/CVE-2021-26855-SSRF-Exchange
    [CVE-2021-26855: CVE-2021-26855 SSRF Exchange Server]
  91. GitHub: https://github.com/thau0x01/poc_proxylogon
    [CVE-2021-26855: Microsoft Exchange ProxyLogon PoC (CVE-2021-26855)]
  92. GitHub: https://github.com/yaoxiaoangry3/Flangvik
    [CVE-2021-26855: C# POC for CVE-2021-26855 aka ProxyLogon, supports the classically semi-interactive ...]
  93. GitHub: https://github.com/Yt1g3r/CVE-2021-26855_SSRF
    [CVE-2021-26855: POC of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-26865, ...]
  94. GitHub: https://github.com/ZephrFish/Exch-CVE-2021-26855
    [CVE-2021-26855: CVE-2021-26855: PoC (Not a HoneyPoC for once!)]
  95. GitHub: https://github.com/hictf/CVE-2021-26855-CVE-2021-27065
    [CVE-2021-26855: Analytics ProxyLogo Mail exchange RCE]
  96. GitHub: https://github.com/hakivvi/proxylogon
    [CVE-2021-26855: My exploit for the proxylogon chain (Microsoft Exchange Server - CVE-2021-26855)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source [?]: CVE-2021-26855
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C
CVSS Base Score:7.5 (High)
Impact Subscore:6.4
Exploitability Subscore:10.0
CVSS Temporal Score:6.5 (Medium)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:6.5 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score:9.8 (Critical)
Impact Subscore:5.9
Exploitability Subscore:3.9
CVSS Temporal Score:9.4 (Critical)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:9.4 (Critical)

Go back to menu.

Plugin Source

The exchange_cve-2021-26855.nbin Nessus plugin is distributed in a propriatory binary format and its source code is protected. This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/exchange_cve-2021-26855.nbin
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\exchange_cve-2021-26855.nbin
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/exchange_cve-2021-26855.nbin

Go back to menu.

How to Run

Here is how to run the Microsoft Exchange Server Authentication Bypass as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select Microsoft Exchange Server Authentication Bypass plugin ID 147171.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl exchange_cve-2021-26855.nbin -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a exchange_cve-2021-26855.nbin -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - exchange_cve-2021-26855.nbin -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state exchange_cve-2021-26855.nbin -t <IP/HOST>

Go back to menu.

References

MSKB | Microsoft Knowledge Base: MSFT | Microsoft Security Bulletin:
  • MS21-5000871
See also: Similar and related Nessus plugins:
  • 147003 - Security Updates for Microsoft Exchange Server (March 2021)
  • 152458 - Microsoft Exchange Server RCE (ProxyShell)
  • 11889 - Exchange XEXCH50 Remote Buffer Overflow
  • 72666 - Apple iOS 6.x < 6.1.6 'SSLVerifySignedServerKeyExchange' Certificate Validation Weakness
  • 72667 - Apple iOS 7.x < 7.0.6 'SSLVerifySignedServerKeyExchange' Certificate Validation Weakness
  • 137835 - Cisco IOS Internet Key Exchange Version 2 DoS (cisco-sa-ikev2-9p23Jj2a)
  • 137836 - Cisco IOS XE Internet Key Exchange Version 2 DoS (cisco-sa-ikev2-9p23Jj2a)
  • 137654 - Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability (cisco-sa-sxp-68TEVzR)
  • 137655 - Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability (cisco-sa-sxp-68TEVzR)
  • 137656 - Cisco IOS, IOS XE, and NX-OS Software Security Group Tag Exchange Protocol Denial of Service Vulnerability (cisco-sa-sxp-68TEVzR)
  • 99240 - FreeBSD : xen-kernel -- broken check in memory_exchange() permits PV guest breakout (90becf7c-1acf-11e7-970f-002590263bf5)
  • 21580 - freeSSHd Key Exchange Algorithm String Remote Overflow
  • 147193 - Potential exposure to Hafnium Microsoft Exchange targeting
  • 106394 - Juniper Junos Key Exchange Initialization Handling Memory Exhaustion Remote DoS (JSA10837)
  • 106459 - Weak DH Key Exchange Supported (PCI DSS)
  • 21332 - MS06-019: Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
  • 61533 - MS12-058: Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358)
  • 71320 - MS13-105: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)
  • 103139 - Security Updates for Exchange (September 2017)
  • 118978 - Microsoft Exchange Server Elevation of Privilege Vulnerability (November 2018)
  • 143566 - Security Update for Microsoft Exchange Server 2010 SP 3 (December 2020)
  • 143557 - Security Updates for Microsoft Exchange Server (December 2020)
  • 133617 - Security Updates for Exchange (February 2020)
  • 142888 - Security Updates for Exchange (November 2020)
  • 140427 - Security Updates for Exchange (September 2020)
  • 148476 - Security Updates for Microsoft Exchange Server (April 2021)
  • 146343 - Security Updates for Microsoft Exchange Server (February 2021)
  • 151664 - Security Updates for Exchange (July 2021)
  • 147024 - Security Update for Microsoft Exchange Server 2010 SP 3 (March 2021)
  • 149393 - Security Updates for Exchange (May 2021)
  • 154999 - Security Updates for Exchange (November 2021)
  • 155962 - Security Updates for Exchange (November 2021) (Remote)
  • 104354 - Trend Micro ScanMail for Exchange 12.x < SP1 Patch 1 CP1755
  • 99399 - Xen Hypervisor XENMEM_exchange Memory Disclosure (XSA-212)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file exchange_cve-2021-26855.nbin version 1.23. For more plugins, visit the Nessus Plugin Library.

Go back to menu.