Finding exposed OWA servers vulnerable to proxyshell

A new set of critical vulnerabilities popped-up at this year’s BlackHat edition regarding Microsoft Exchange exploitable via Outlook Web Access. This set of vulnerabilities has been dubbed #proxyshell (aka CVE-2021-34473). GossiTheDog has made available an Nmap script to test for this issue. We have added our own check based on his tool so our customers can detect its existence (or absence) against their own perimeters. But how to find its own perimeter? Let’s dig into that.

 

Identifying datacenters for a given company

If you are a company having its own datacenter(s), this is for you. We do collect whois information into our category:whois dataset. The goal here is to list all subnets belonging to your datacenter(s), then switching to category:vulnscan to identify vulnerable assets.

You can query category:whois in multiple ways: based on netname, organization, full-text search with data field, or, even simpler, starting from a domain name:

category:whois domain:uber.com

For this article, we will only show the first result. We have multiple patterns here which we can use to continue listing all subnets belonging to Uber’s datacenters. The following pivot points can be used: domain (as we already have seen), netname or organization. The ultimate goal is to build a full list of subnet distinct values.

By enumerating all subnet values from the filter domain:uber.com, we already have a few subnets (around 20 according to our data). You can also enumerate different values for the organization field. We have at least two distinct values:

category:whois organization:"Uber Inc"
category:whois organization:"Uber Technologies, Inc"

We can do the same with the netname field. Some sample queries:

category:whois netname:"UBERINC-CN"
category:whois netname:"UTPRODUCTION"

The rational to enumerating different subnets from these different fields is that we may find netnames or organizations bound to Uber but not bound to their domain name. You may also use wildcards to search for matching strings:

category:whois -wildcard:netname,*UBER*
category:whois -wildcard:netname,UT*
category:whois -wildcard:organization,*uber*

And for full-text search:

category:whois data:uber

Once you have built your complete list of subnets, you can switch to category:vulnscan and use an OR query to fetch results to all subnets belonging to targeted organization. Please note that with such wildcards, you may need to filter results a little bit as you may end up finding subnets belonging to some other companies.

Identifying proxyshell vulnerability and all other critical ones

We are currently testing for 13 critical vulnerabilities. No real need to know all of them, you simply have to know how to use the -exists function to check if you are impacted by one of them:

category:vulnscan -exists:cve ?ip:SUBNET1 ?ip:SUBNET2 ?ip:SUBNET3 ?domain:YOURDOMAIN.COM

But if you want to know specifically for proxyshell, just use the tag:proxyshell filter:

category:vulnscan tag:proxyshell ?ip:SUBNET1 ?ip:SUBNET2 ?ip:SUBNET3

And that’s it.

Conclusion

As our data shows, it is easy to enumerate datacenters for a given company. Once you have built this asset inventory, we can just use it in an OR query and add additional filters to identify specific issues.

Another possibility is to use our CLI tool which supports correlation. This one-liner achieves the same goal as we have described at the start of this post:

onyphe -export 'category:whois ?domain:uber.com -orwildcard:netname,UBERINC-* -orwildcard:organization,"Uber *" | uniq subnet | search category:vulnscan ip:$subnet -fields:ip,port,forward,domain,cve,tag -exists:cve'

And no, we don’t have any critical vulnerability using this query for Uber datacenters.

And as for statistics related to proxyshell vulnerability more specifically, maybe you want to know how many potential victims there are. Out of around 240,000 scanned Microsoft Exchange servers, we identified more than 36,000 vulnerable unique IP addresses accounting for more than 48,000 unique domains. 16 unique companies means there are 16 Fortune500, Global500 or CAC40 companies impacted by this issue.

 

 

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.