microsoft / CSS-Exchange

Exchange Server support tools and scripts
MIT License

False negatives in results for some Exchange versions (http-vuln-cve2021-26855.nse) #107

Closed hrbrmstr closed 3 years ago

hrbrmstr commented 3 years ago

I haven't done a complete analysis, but the following is a header from an Exchange 2013 server (I won't put the IP here as it's very likely a real server, but I've shared it with @GossiTheDog):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- Copyright (c) 2011 Microsoft Corporation.  All rights reserved. -->
<!-- OwaPage = ASP.auth_logon_aspx -->

<!-- {57A118C6-2DA9-419d-BE9A-F92B0F9A418B} -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=10" />
<link rel="shortcut icon" href="/owa/auth/15.0.1395/themes/resources/favicon.ico" type="image/x-icon">
<meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8">
<meta name="Robots" content="NOINDEX, NOFOLLOW">
<title>Outlook Web App</title>
<style>
@font-face {
font-family: "Segoe UI WPC";
src: url("/owa/auth/15.0.1395/themes/resources/segoeui-regular.eot?#iefix") format("embedded-opentype"),
url("/owa/auth/15.0.1395/themes/resources/segoeui-regular.ttf") format("truetype");
}

@font-face {
font-family: "Segoe UI WPC Semilight";
src: url("/owa/auth/15.0.1395/themes/resources/segoeui-semilight.eot?#iefix") format("embedded-opentype"),
url("/owa/auth/15.0.1395/themes/resources/segoeui-semilight.ttf") format("truetype");
}

@font-face {
font-family: "Segoe UI WPC Semibold";
src: url("/owa/auth/15.0.1395/themes/resources/segoeui-semibold.eot?#iefix") format("embedded-opentype"),
url("/owa/auth/15.0.1395/themes/resources/segoeui-semibold.ttf") format("truetype");
}
</style>
<style>/*Copyright (c) 2003-2006 Microsoft Corporation.  All rights reserved.*/

That's an "Exchange Server 2013 Cumulative Update 21 (CU21)" server and the NSE returns:

$ nmap -p 443 --script http-vuln-cve2021-26855 XXX.XXX.XXX.XXX

Starting Nmap 7.60 ( https://nmap.org ) at 2021-03-07 01:25 UTC
Nmap scan report for XXXXXXXX (XXX.XXX.XXX.XXX)
Host is up (0.19s latency).

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds

Is it really possible some old, outdated versions of Exchange are not vulnerable?

GossiTheDog commented 3 years ago

@bill-long it appears it may give a different error code on 2013

hrbrmstr commented 3 years ago

I shot some more IPs (privately) in the event the redacted one above is a really bad honeypot. I can provide as many as y'all need privately.

wvu commented 3 years ago

Here's the full response:

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/8.0
request-id: acc04052-3c20-4618-a3e6-576a4878d890
Set-Cookie: ClientId=JBXW0OWZZDBRDW; expires=Mon, 07-Mar-2022 01:58:13 GMT; path=/; HttpOnly
X-CalculatedBETarget: localhost
X-CalculatedBETarget: localhost
X-FEServer: [redacted]
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sun, 07 Mar 2021 01:58:13 GMT
Content-Length: 1208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>500 - Internal server error.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>500 - Internal server error.</h2>
  <h3>There is a problem with the resource you are looking for, and it cannot be displayed.</h3>
 </fieldset></div>
</div>
</body>
</html>

wvu commented 3 years ago

So same code, different body.

bill-long commented 3 years ago

Thanks, I'm working on looping in the team that did the nmap work.

justinhendricksmsft commented 3 years ago

It's fixed with this PR that now looks at the X-CalculatedBETarget response header: https://github.com/microsoft/CSS-Exchange/pull/114
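
The header-based check described in that PR, written out as an added example (this is not code from CSS-Exchange or from the NSE script): parse a raw HTTP response and decide from the X-CalculatedBETarget header rather than from the status code or the error body, which this thread shows differ between Exchange versions. The two responses are constructed samples: the first is modelled on the Exchange 2013 response posted above with its body shortened, the second is a same-status response that carries no X-CalculatedBETarget header at all. One assumption not stated on this page: the probe names "localhost" as the backend, so a response echoing that value in the header is taken as the positive indicator.

```python
# Added example, not code from CSS-Exchange or the NSE script: classify a raw
# HTTP response by its X-CalculatedBETarget header, as the fix in PR #114 is
# described above, instead of by status code or error-page body.
# Assumption (not stated on this page): the probe names "localhost" as the
# backend, so a response echoing that in X-CalculatedBETarget is the indicator.
from typing import Dict, List, Tuple

# Constructed sample, modelled on the Exchange 2013 response posted above
# (headers kept, error page body shortened).
SAMPLE_2013 = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/8.0\r\n"
    b"X-CalculatedBETarget: localhost\r\n"
    b"X-CalculatedBETarget: localhost\r\n"
    b"X-FEServer: REDACTED\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Length: 54\r\n"
    b"\r\n"
    b"<html><body>500 - Internal server error.</body></html>"
)

# Constructed sample of a server that does not route the request to the
# named backend: same status code and body, no X-CalculatedBETarget header.
SAMPLE_NO_TARGET = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"X-FEServer: REDACTED\r\n"
    b"Content-Length: 54\r\n"
    b"\r\n"
    b"<html><body>500 - Internal server error.</body></html>"
)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, List[str]], bytes]:
    """Split a raw HTTP/1.1 response into (status, headers, body).

    Header names are lower-cased and repeated headers are kept as a list,
    because the response above carries X-CalculatedBETarget twice.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def calculated_backend_targets(raw: bytes) -> List[str]:
    """All X-CalculatedBETarget values, in order, or an empty list."""
    return parse_response(raw)[1].get("x-calculatedbetarget", [])


def indicates_backend_reach(raw: bytes, expected_backend: str = "localhost") -> bool:
    """True when any X-CalculatedBETarget value equals the backend the probe named."""
    return any(v.lower() == expected_backend.lower()
               for v in calculated_backend_targets(raw))


def verdict(raw: bytes) -> str:
    """Human-readable result; absence of the header is 'no indicator', not 'patched'."""
    status, _, _ = parse_response(raw)
    if indicates_backend_reach(raw):
        return f"INDICATOR: backend target echoed (HTTP {status})"
    return f"no indicator (HTTP {status})"


if __name__ == "__main__":
    for name, sample in (("2013 sample", SAMPLE_2013),
                         ("no-target sample", SAMPLE_NO_TARGET)):
        print(name, "->", verdict(sample))
```

Both samples return HTTP 500 with an IIS error page, so a check keyed on status code or body text cannot tell them apart; the header can. Note the asymmetry: the header being present is evidence the front end routed the request to the named backend, but its absence only means this probe produced no evidence, which is why a scanner printing nothing, as in the nmap runs above, should not be read as "patched".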

hrbrmstr commented 3 years ago

Are Exchange 2007 systems vulnerable? I did a test against a small subset of Exchange 2007 systems and the script does not identify them as vulnerable. (shared IPs privately again)

imennodenis commented 3 years ago

I've got the same result as @hrbrmstr checking Exchange 2016 CU14:

nmap -p 443 --script http-vuln-cve2021-26855 x.x.x.x

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds

What does that mean?

That Exchange server was already updated as I know, so I cannot do some additional tests anymore.

By the way, on a fully updated Exchange server nmap shows absolutely the same result. Maybe it should say something like "NOT VULNERABLE".

GossiTheDog commented 3 years ago

That means it is not vulnerable (in reference to last post).


imennodenis commented 3 years ago

@GossiTheDog, Just to clarify, I was talking about same results on Exchange 2016 CU14 and Exchange 2016 CU19 with all updates installed. Are you saying that Exchange 2016 CU14 is not vulnerable too?

tooolbox commented 3 years ago

Are Exchange 2007 systems vulnerable? I did a test against a small subset of Exchange 2007 systems and the script does not identify them as vulnerable. (shared IPs privately again)

Per proxylogon.com, Exchange 2007 and 2010 are not affected as the Client Access Service has a different architecture.

GossiTheDog commented 3 years ago

@bill-long @justinhendricksmsft I think @arddg above has a point, it looks like if you point the script against Exchange 2016 CU14 (maybe other versions, haven't checked) it says not vulnerable - but there's no SU for 2016 CU14.

I'm pondering if it's worth building code to check short build number as an additional check.

justinhendricksmsft commented 3 years ago

@GossiTheDog @arddg Do you happen to have an example redacted http response? I just installed Exchange 2016 CU14 and it worked so it must be something with the setup.

asheroto commented 3 years ago

What will it show if it is vulnerable? There needs to be a better explanation in the notes. :-)