Rapid7
Threat Research

Rapid7 Analysis: CVE-2021-24085

Last updated on Jun 16, 2026

Threat status: Impending

CVE-2021-24085 is a Microsoft Exchange Server spoofing vulnerability released as part of Microsoft’s February Patch Tuesday advisories. The vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft Exchange Server; successful exploitation requires authentication and user interaction (visiting a malicious page). Security researcher Steven Seeley, who discovered the vulnerability, has had a public proof-of-concept exploit available since February 15, 2021.

On Tuesday, March 2, 2021, Microsoft and Volexity released details on four actively exploited zero-day vulnerabilities in Microsoft Exchange being leveraged to deliver chopper webshells and other malware by a threat actor they track as “hafnium.” While there is no evidence currently that CVE-2021-24085 is being utilized in the same campaign, the increase in exploits targeting Microsoft Exchange further underscores the need to upgrade Exchange servers to the latest version (as of Tuesday, March 2, 2021) as soon as possible.

Affected products

  • Microsoft Exchange Server 2019 Cumulative Update 7 and later
  • Microsoft Exchange Server 2016 Cumulative Update 18 and later

Rapid7 analysis

Exchange servers are frequent, high-value attack targets whose patch rates often lag behind attacker capabilities.

As part of the PoC for CVE-2021-24085, the attacker first searches for a specific token with a request to /ecp/DDI/DDIService.svc/GetList. If that request succeeds, the PoC moves on to writing the desired token to the server’s filesystem with a request to /ecp/DDI/DDIService.svc/SetObject. At that point, the token can be downloaded directly by an authenticated user. The PoC uses a download request to /ecp/poc.png (though the name could be anything), and that download may itself be recorded in the IIS logs, attached to the IP of the initial attack.

Indicators of compromise would include requests to both /ecp/DDI/DDIService.svc/GetList and /ecp/DDI/DDIService.svc/SetObject, especially if those requests are associated with an odd user agent string such as python. Because the PoC uses SetObject to write the privileged token to the server’s filesystem in a location readable by an authenticated user, incident responders should examine any files created around the time of those requests: one of them could be the access token and should be removed or moved to a secure location. Responders may also be able to identify the file name in question by checking whether the original attacker’s IP downloaded any files.
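A small triage script that applies the indicators above to a few constructed IIS log lines. It is added here as an illustration and is not code from the Rapid7 post; the W3C field layout (date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status) and the list of scripted user agents are assumptions.

```python
"""Triage IIS logs for the CVE-2021-24085 PoC request pattern.

Heuristic only: flags source IPs that hit both DDIService endpoints, notes a
scripted User-Agent, and lists later /ecp/ downloads from the same IP so a
responder knows which file names to examine first.
"""
from collections import defaultdict

# Constructed sample lines in an assumed W3C layout:
# date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2021-02-16 10:01:02 POST /owa/auth.owa 203.0.113.5 Mozilla/5.0 302
2021-02-16 10:01:09 POST /ecp/DDI/DDIService.svc/GetList 203.0.113.5 python-requests/2.25.1 200
2021-02-16 10:01:11 POST /ecp/DDI/DDIService.svc/SetObject 203.0.113.5 python-requests/2.25.1 200
2021-02-16 10:01:14 GET /ecp/poc.png 203.0.113.5 python-requests/2.25.1 200
2021-02-16 10:02:30 GET /ecp/DDI/DDIService.svc/GetList 198.51.100.7 Mozilla/5.0 200
2021-02-16 10:03:00 GET /owa/ 198.51.100.7 Mozilla/5.0 200
"""

DDI_GETLIST = "/ecp/ddi/ddiservice.svc/getlist"
DDI_SETOBJECT = "/ecp/ddi/ddiservice.svc/setobject"
SCRIPTED_UA = ("python", "curl", "go-http-client")  # assumed "odd" agents


def parse_line(line):
    """Split one log line into a dict; None for comment or blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split(" ")  # UA may contain spaces, so take it from the middle
    return {"ts": f"{f[0]} {f[1]}", "method": f[2], "uri": f[3].lower(),
            "ip": f[4], "ua": " ".join(f[5:-1]), "status": f[-1]}


def triage(log_text):
    """Return {ip: finding} for IPs whose requests match the PoC sequence."""
    by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        uris = [r["uri"] for r in recs]
        if DDI_GETLIST not in uris or DDI_SETOBJECT not in uris:
            continue  # both DDI calls are needed before the token is written
        set_idx = max(i for i, r in enumerate(recs) if r["uri"] == DDI_SETOBJECT)
        # Any non-DDI /ecp/ GET after SetObject is a candidate token download.
        downloads = [r["uri"] for r in recs[set_idx + 1:]
                     if r["method"] == "GET" and r["uri"].startswith("/ecp/")
                     and not r["uri"].startswith("/ecp/ddi/")]
        findings[ip] = {"scripted_ua": any(r["ua"].lower().startswith(SCRIPTED_UA) for r in recs),
                        "setobject_time": recs[set_idx]["ts"],
                        "candidate_files": downloads}
    return findings
```

The `setobject_time` value is the timestamp to pivot on when listing files created on the server around the write.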
