A new CVE was reported (CVE-2019-1136) that, if exploited, allows an attacker to access the email mailboxes of any user. No known exploits exist for it yet, but any vulnerability that allows a privilege escalation attack warrants the attention of IT and security teams. Microsoft posted about this vulnerability recently, and had this to say in their official notice:
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users. Exploitation of this vulnerability requires Exchange Web Services (EWS) to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user. To address this vulnerability, Microsoft has changed the way EWS handles NTLM tokens.
How to Find Affected Servers in Censys
We wanted to walk Censys users (particularly the threat hunters and pentesters amongst you) through some methods for using our data to find these vulnerabilities. Here’s how we went about searching for affected servers.
- We grabbed the list of software versions affected by this vulnerability from the Microsoft advisory.
- Then we translated those into build numbers, using this information as a resource.
- With the build numbers and their release dates at hand, we were able to search in Censys for servers that expose their version in the X-OWA-Version HTTP header, querying that field with the OR operator to find any affected version.
- Here’s the Report Builder view of those search results, broken down by country: https://is.gd/FNW4T7
This report shows that the vulnerable servers are found predominantly in the United States, and that we find at least 9700 vulnerable servers based on this search approach.
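As an added worked example (not part of the original post and not Censys tooling), the script below shows the mechanics of the steps above: parsing the four-part build number that Exchange exposes in the X-OWA-Version header, matching it against a list of affected builds, and assembling the OR query that the search step describes. The build numbers in it are constructed placeholders, not the real affected list (take that from the Microsoft advisory), and the field name X-OWA-Version is used as a stand-in for whatever search field carries that header. It goes slightly beyond the post in one respect: it also compares builds numerically, because plain string comparison of version numbers like "15.1.913.7" and "15.1.1713.5" gives the wrong order and can hide servers running an older build than the one you are looking for.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed placeholder build numbers for illustration only. The real list of
# affected builds must be taken from the Microsoft advisory for CVE-2019-1136
# and translated into build numbers as the post describes.
AFFECTED_BUILDS: List[str] = [
    "14.3.452.0",
    "15.0.1473.3",
    "15.1.1713.5",
    "15.2.330.5",
]

# Exchange reports its version as four dot-separated integers, e.g. 15.1.1713.5
BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_build(value: Optional[str]) -> Optional[Tuple[int, int, int, int]]:
    """Turn an X-OWA-Version header value into a comparable integer tuple.

    Returns None for a missing or malformed header so callers can treat
    "no version exposed" separately from "version not affected".
    """
    m = BUILD_RE.match(value or "")
    if not m:
        return None
    major, minor, build, rev = (int(p) for p in m.groups())
    return (major, minor, build, rev)


def is_affected(header_value: Optional[str], affected: List[str] = AFFECTED_BUILDS) -> bool:
    """Exact match against the affected build list (what the OR search does)."""
    build = parse_build(header_value)
    if build is None:
        return False
    return build in {parse_build(b) for b in affected}


def is_older_than(header_value: str, reference: str) -> bool:
    """Numeric build comparison; string comparison of versions is unreliable."""
    a, b = parse_build(header_value), parse_build(reference)
    if a is None or b is None:
        raise ValueError("malformed build number")
    return a < b


def build_or_query(field: str, builds: List[str]) -> str:
    """Assemble a single OR query over every affected build, as in the post.

    The field name is a placeholder; substitute the actual search field that
    holds the X-OWA-Version header in the tool you are querying.
    """
    return " OR ".join(f'{field}: "{b}"' for b in builds)


def triage(headers_by_host: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Bucket hosts by what their X-OWA-Version header tells us."""
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "no_header": []}
    for host, value in sorted(headers_by_host.items()):
        if parse_build(value) is None:
            result["no_header"].append(host)
        elif is_affected(value):
            result["affected"].append(host)
        else:
            result["not_affected"].append(host)
    return result


# Constructed sample of header values as they might come back from a search;
# these hostnames and values are made up for the example.
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "owa-a.example": "15.1.1713.5",   # matches a placeholder "affected" build
    "owa-b.example": "15.1.1913.5",   # later build, not in the list
    "owa-c.example": None,            # header not exposed at all
    "owa-d.example": " 15.0.1473.3 ", # whitespace around the value is tolerated
    "owa-e.example": "unknown",       # malformed value
}

if __name__ == "__main__":
    print(build_or_query("X-OWA-Version", AFFECTED_BUILDS))
    for bucket, hosts in triage(SAMPLE_HEADERS).items():
        print(f"{bucket}: {hosts}")
```

The exact-match search mirrors the post's OR query; the numeric comparison is the extra check worth running over the same results, since a server on a build older than the earliest affected one is still unpatched even though it never matches the list.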
There’s our quick and dirty tutorial for how we found these affected servers so that you can replicate the process in searching our data for future CVEs. The hardest part is always translating the affected version information from the vulnerability writeup to how the software reports that version number. We wrote about this process previously with a Microsoft Sharepoint vulnerability exploration, which may be worth checking out.
We’d love to hear your thoughts, feedback, and suggestions in the conversation on Twitter.