Preface

This article introduces the details of the second ProxyShell vulnerability and analyzes how it is exploited.

Introduction

This article will introduce the following contents:

◼ CommonAccessToken

◼ Exchange PowerShell Remoting

◼ Exploitation analysis

CommonAccessToken

As mentioned in the previous article, ProxyShell Exploitation Analysis 1 (CVE-2021-34473), I did not find a way to specify the EWS authenticated user through a parameter. For Exchange PowerShell Remoting, however, the authenticated user can be specified by passing in a CommonAccessToken.

1. Locating the parameter-passing method

Use dnSpy to open the file C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Configuration.RemotePowershellBackendCmdletProxyModule.dll

Navigate to Microsoft.Exchange.Configuration.RemotePowershellBackendCmdletProxy -> RemotePowershellBackendCmdletProxyModule -> CommonAccessToken CommonAccessTokenFromUrl(string user, Uri requestURI, out Exception ex)

As shown in the following figure:

As you can see, the CommonAccessToken is passed in through the x-rps-cat parameter

The way the parameter is passed can be seen in the following figure:


2. CommonAccessToken generation

Use dnSpy to open the file C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Net.dll

Navigate to Microsoft.Exchange.Security.Authorization -> CommonAccessToken -> Deserialize(Stream stream)

As shown in the following figure:


Set a breakpoint at the start of this method

Execute the following command:


Find the worker process whose applicationPool is MSExchangePowerShellAppPool and note its PID

Attach to that process and wait a while until a token in the correct format is captured

At this point, select binaryReader in Locals, then right-click -> Show in Memory Window -> Memory 1, as shown below:


Look around the memory area to capture the correctly formatted content, as shown below:

After analysis, the structure of the captured content is as follows:


The authentication type length is 1 byte in little-endian order, and it is followed by the authentication type itself. For example, if the authentication type is Basic, the authentication type length is \x05

In a Python implementation, the length of the authentication type can be computed with the following code:


After practical testing, the following tips apply when constructing a CommonAccessToken:

◾ The user name only needs to belong to a legitimate user; the default mailbox can be used

◾ The SID is the key content: it indicates the permissions of the user being authenticated. To authenticate as Administrator, the format is S-1-5-domain-500

◾ If Administrator is disabled in the domain, authentication still succeeds

◾ The group SID only needs to exist; for example, specify S-1-1-0

For the SID format, see:

Docs.microsoft.com/en-US/windo…

3. CommonAccessToken validation

If the x-rps-cat parameter is passed in the right way and the CommonAccessToken is also valid, status code 200 is returned when accessing /Powershell


Exchange PowerShell Remoting

1. By default, all domain users can connect to Remote PowerShell

Common commands:

Check whether the user has the permission to access remote PowerShell:

List whether each user has access to Remote PowerShell:

List users who have access to Remote PowerShell:

Remove Remote PowerShell access for a specified user:


Enable Remote PowerShell access for a specified user:

To execute commands that manage Exchange servers, the user needs to be a member of the Organization Management group

The following command lists the members of the Organization Management group:


2. Built-in methods to connect to Remote PowerShell

Example PowerShell commands are as follows:


By default, this method can only initiate connections from hosts within the domain; it does not support connections from outside the domain

Exploitation analysis

1. CommonAccessToken format

The user SID must be set to Administrator; by default this SID is S-1-5-domain-500

SIDs of other users can be chosen, but only if those users are in the “Organization Management” group

2. A problem with using PyPSRP to connect to Remote PowerShell

When running PowerShell commands through PyPSRP, the user cannot be added

This is because passing the password value requires the PowerShell cmdlet ConvertTo-SecureString, which is not supported by Exchange PowerShell Remoting

If you choose to execute PowerShell scripts instead, a message indicates that scripts cannot be executed because of the default PowerShell execution policy

Summary

For the second ProxyShell vulnerability, CVE-2021-34523, it is not hard to guess the simplest and crudest defense from the exploitation approach: removing users from the “Organization Management” group prevents an attacker from executing high-privilege Exchange PowerShell commands.
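As an added example that is not part of the original post, the following Python script reviews IIS W3C log lines for /powershell requests that carry the x-rps-cat query parameter described above, records which of them were accepted (status 200, the success indicator given in the validation section), and flags those that did not come from an expected front-end address. The log lines, addresses and token values are constructed, and the set of expected front ends is an assumption that the reviewer must supply for their own environment.

```python
from urllib.parse import parse_qs

# Default IIS W3C field order (a real log names them in its #Fields header).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample log; PLACEHOLDER values stand in for token blobs.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-10 12:00:01 10.0.0.5 POST /powershell X-Rps-CAT=PLACEHOLDER1&PSVersion=5.1 444 - 10.0.0.5 Mozilla/5.0 - 200 0 0 120
2021-08-10 12:00:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa 443 - 10.0.0.9 Mozilla/5.0 - 200 0 0 5
2021-08-10 12:00:03 10.0.0.5 POST /PowerShell/ x-rps-cat=PLACEHOLDER2 444 - 10.0.0.77 python-requests/2.25 - 200 0 0 88
2021-08-10 12:00:04 10.0.0.5 POST /powershell PSVersion=5.1 444 - 10.0.0.8 Mozilla/5.0 - 200 0 0 60
2021-08-10 12:00:05 10.0.0.5 POST /powershell x-rps-cat=PLACEHOLDER3 444 - 10.0.0.77 python-requests/2.25 - 401 0 0 12
"""


def parse_iis_line(line):
    """Split one W3C log line into a dict; None for header or malformed lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def find_rps_cat_requests(log_text, expected_frontends=frozenset()):
    """Return /powershell requests whose query string carries x-rps-cat (any case)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None or rec["cs-uri-stem"].lower().rstrip("/") != "/powershell":
            continue
        query = parse_qs(rec["cs-uri-query"], keep_blank_values=True)
        if not any(k.lower() == "x-rps-cat" for k in query):
            continue
        hits.append({
            "time": rec["date"] + " " + rec["time"],
            "client": rec["c-ip"],
            "user_agent": rec["cs(User-Agent)"],
            "status": int(rec["sc-status"]),
            # A valid token yields 200 on /powershell, so 200 means it was accepted.
            "token_accepted": rec["sc-status"] == "200",
            # Assumption: only the listed front-end addresses should send this parameter.
            "unexpected_source": rec["c-ip"] not in expected_frontends,
        })
    return hits


if __name__ == "__main__":
    for hit in find_rps_cat_requests(SAMPLE_LOG, expected_frontends={"10.0.0.5"}):
        print(hit)
```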
