
ProxyLogon Scanner

Detect Microsoft Exchange servers vulnerable to Server-Side Request Forgery (CVE-2021-26855).



Sample Report

Here is a ProxyLogon Scanner sample report:

  • Contains evidence for the discovered vulnerability (HTTP request and response)
  • Shows risk details and exploit information
  • Includes recommendations for fixing the issue


ProxyLogon Scanner - Use Cases

The tool checks whether an email server (Microsoft Exchange) is affected by CVE-2021-26855, an SSRF vulnerability that can lead to disclosure of sensitive information and, when chained with a second bug, to Remote Code Execution.

Technical Details


About

CVE-2021-26855 is a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server. An unauthenticated remote attacker can use it to make the Exchange front end initiate HTTPS requests to arbitrary locations. Because these requests are performed on behalf of the Exchange service, they are authenticated and carry access tokens and other sensitive data.
As a direct result, an attacker can forge requests that read the mailboxes of users configured on that email server.

A forged request contains interesting pieces of data such as the X-SourceCafeServer and X-CommonAccessToken headers and the ClientId. Here is what a full HTTP request initiated by the Exchange server looks like:


When exploited in conjunction with another vulnerability such as CVE-2021-27065 (a post-authentication arbitrary file write), the SSRF can lead to unauthenticated Remote Code Execution on the Exchange server. This attack chain was named ProxyLogon.

The ProxyLogon chain was exploited at scale against a large number of Internet-exposed Microsoft Exchange servers, typically by writing web shells to various locations on the file system.
We recommend an in-depth review of every vulnerable Exchange server to determine whether it has already been compromised, since patching alone does not remove a web shell that is already in place.
Microsoft has published scripts that check an Exchange server for indicators of this exploitation, including new or modified files:
https://github.com/microsoft/CSS-Exchange/tree/main/Security

More details about this vulnerability:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/


Parameters

Parameter   Description
Target      The URL of the target Outlook Web Access (OWA) server.


How it works

The scanner attempts to trigger the SSRF vulnerability by making the target Exchange server fetch a remote file located at:
http://pentest-tools.com/file.txt
If the contents of that file are found in the server's HTTP response, the target is declared vulnerable. The check looks for the file's contents, not merely the file's URL, so a response that only echoes the requested address back (for example in an error message) is not counted as a finding.