CVE-2021-26855 SSRF POC
Affected versions:
- Exchange Server 2013 below Cumulative Update 23
- Exchange Server 2016 below Cumulative Update 18
- Exchange Server 2019 below Cumulative Update 7
This vulnerability requires no user account or other credentials. This POC can be used to gain unauthenticated privileged access to internal user resources. Chained with CVE-2021-27065 it yields RCE.
POC requirements:
- Target System is Vulnerable to CVE-2021-26855
- The target Exchange server must be a load-balancing server
- The target user. Note that this must be the account name within the domain, not an email address; there is a difference between the two
- The fully qualified domain name (FQDN) of the internal Exchange server
Check the X-BackEndCookie cookie; you will find a SID in it. The FQDN can be captured from NTLM Type 2 messages. E-mail enumeration is your friend.
This POC can perform detection and user enumeration, and it can currently read message IDs and headers. In addition it can submit XML. Further capabilities will be added at a later time.
Usage:
go run CVE-2021-21978.go -h <target ip>
  -h string   Required: target address or domain name
  -U string   Optional: user list to enumerate
  -d          Optional: download mail
  -l          Optional: list mail
  -n string   Optional: specify the FQDN
  -t string   Optional: request delay time (default "1")
  -u string   Optional: specify the target user (default "administrator")