Purpose

With the Hafnium “incidents” and Exchange vulnerabilities I wanted to help people with ruling in or out compromise of their Exchange 2010 environments. At the time of writing, I don’t believe that Hafnium affected Exchange 2010 via the reported kill chain, I believe that BEC would be required but this is a theory, my general view is Exchange 2010 might be ‘safe’ from this kill chain. This is due to the initial stage leveraging CVE-2021-26855 which is an SSRF vulnerability which only affectes the new architecture (2013+). However, this is an unsupported platform so I wanted to help with some baselines and talk about how I would approach ruling compromise in or out (at least with regards to these vulnerabilities). The key impact area is a web shell. I’ve made some baselines to help people look for abnormalities.

Disclaimer

This document was made with limited time and without full Whitebox access to source code and engineering expertise. The areas we are checking for IOCs appear to make logical sense, but the OS and APP (Exchange 2010) are unsupported, and we are not the vendor. So, I am afraid your hunting responsibility is on you, this is just my opinions and thoughts from a very fast analysis. Use at your own risk.

Resources

Lots of sources are available, to the point I have not read all of them. I have however made an exchange 2010 lab with RTM and SP3 and dumped some hash data as a baseline of known OK. Any mods or patches can affect file hashes so please bear that in mind.

Exchange 2010 Hashes

https://github.com/PwnDefend/Exchange2010_hashes

Microsoft Resources

https://github.com/microsoft/CSS-Exchange/tree/main/Security

Considerations for malicious Activity related to web services with Exchange 2010

  • IIS Logs
  • Windows Event Logs – Security Event Logs

IIS Logs Default Location

C:\inetpub\logs\LogFiles\

File type: *.log

IOC types:

  • IP Addresses
  • User Agents

Evidence of Web Shells

Check the following paths for rogue .aspx files:

C:\inetpub\wwwroot\aspnet_client

C:\inetpub\wwwroot\aspnet_client\system_web

And subfolders of C:\inetpub\wwwroot\aspnet_client\

Look for suspicious or rogue .aspx files in this path (and sub paths)

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess

Key here is to have a known baseline. We have made a few baselines in the LAB:

https://github.com/PwnDefend/Exchange2010_hashes

Considerations

Remember I am showing default paths here, your installation configuration may change this e.g., for IIS or Exchange.

Exchange 2010 Updates

Microsoft have released a Rollup 32 For Exchange 2010 SP3 (KB5000978)

https://www.microsoft.com/en-us/download/details.aspx?id=102774

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

So just to be clear:

Update Rollup 32 is patched

https://www.microsoft.com/en-us/download/details.aspx?id=102774

Update Rollup 31 is not patched

https://www.microsoft.com/en-us/download/details.aspx?id=102519

Key thoughts

I think to exploit the available vulnerabilities on Exchange 2010 you likely would have to be authenticated as the authentication bypass does not apply due to the CAS architecture.

  • If you are on 2010 it is a good idea to check your IIS paths, logs and exchange installation files against the baselines.
  • Review your security logs
  • Make sure you are patched to Roll up 32
  • Migrate as soon as possible to a supported platform

This is a fast publish, with all these things they can be fast moving. This is what I think at this point in time based on what I have manged to read, investigate and from talking to other people in the industry.

There’s also great work from so many people in the industry. Ollie from NCC has been creating file lists and hashes related to Exchange 2013+ install/update files.

https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/Exchange

Leave a Reply

Your email address will not be published. Required fields are marked *