# What Happened

Security researcher Janggggg ([@testanull](https://twitter.com/testanull) on Twitter) published a proof-of-concept exploit for CVE-2021-42321, a remote code execution (RCE) vulnerability in Microsoft Exchange that affects on-premises servers running Microsoft Exchange 2016 and 2019, including those using Exchange Hybrid mode.

This exploit enables authenticated threat actors to execute code remotely on vulnerable servers and launch an attack.

Microsoft’s November 2021 Patch Tuesday addresses the vulnerability, so administrators should patch immediately.

## How Bad is This?

A remote code execution vulnerability is always severe because it lets threat actors launch attacks without local access to the machine. Microsoft [assigned a CVSS base score](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321) of 8.8, which rates it as high severity.

At its core, the vulnerability is a bug in how Exchange allowed certain data to be stored in the [BinaryData section of a UserConfiguration on a folder](https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398#file-cve-2021-42321_poc-py-L122). Once a UserConfiguration has been set with a payload in its BinaryData and the attacker then requests a [ClientAccessToken](https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398#file-cve-2021-42321_poc-py-L136-L156), the server deserializes that data unsafely, and the payload stored in BinaryData is executed.

Fortunately, Microsoft's November patch mitigates the risk. In addition, threat actors must be authenticated users to take advantage of the bug.

## What Should I Do?

Administrators should immediately install the patches issued in Microsoft’s November Patch Tuesday.

Administrators running Exchange servers should also check whether attackers have attempted to exploit them. The following PowerShell query, [per Bleeping Computer](https://www.bleepingcomputer.com/news/security/exploit-released-for-microsoft-exchange-rce-bug-patch-now/), searches each server's Application event log for the relevant error events:

```powershell
Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
```

## How To Detect

Ultimately, this vulnerability and its exploitation do not differ much from the Exchange attacks seen earlier in 2021. The attack consists of a fixed sequence of steps: authenticate as a user, update specific configuration on that user, and then trigger the vulnerability against the host itself.

The PoC chains four POST requests to Exchange as an authenticated user. The following logic can detect this activity, although it may produce false positives without some tuning for your environment.

Four POSTs to /ews/exchange.asmx on IIS from a public IP with the User-Agent ExchangeServicesClient/15.01.2308.008 within a short period of time. This detection depends heavily on the User-Agents seen in your environment and may result in false positives:

```
src_ip = <Public IP>
AND agent="ExchangeServicesClient/15.01.2308.008"
AND url="/EWS/Exchange.asmx"
AND method="POST"
```
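The IIS-side logic above, worked through as an added example that is not part of the original post: it parses IIS W3C log lines (the sample below is constructed, not a real server's log) and flags any public source IP that sent at least four POSTs to /EWS/Exchange.asmx with the PoC User-Agent inside one short window. The 60-second window and the list of ranges treated as "internal" are assumptions to tune locally.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

POC_AGENT = "ExchangeServicesClient/15.01.2308.008"
EWS_PATH = "/ews/exchange.asmx"
MIN_POSTS = 4                    # POSTs in the PoC chain
WINDOW = timedelta(seconds=60)   # "short period of time"; assumed value, tune locally
# Treated as internal; any other source counts as a public IP (assumption).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed IIS W3C log excerpt for this example (not a real server's log).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2021-11-22 14:00:01 POST /EWS/Exchange.asmx 203.0.113.10 ExchangeServicesClient/15.01.2308.008 200
2021-11-22 14:00:02 POST /EWS/Exchange.asmx 203.0.113.10 ExchangeServicesClient/15.01.2308.008 200
2021-11-22 14:00:03 POST /EWS/Exchange.asmx 203.0.113.10 ExchangeServicesClient/15.01.2308.008 200
2021-11-22 14:00:04 POST /EWS/Exchange.asmx 203.0.113.10 ExchangeServicesClient/15.01.2308.008 500
2021-11-22 14:05:00 POST /EWS/Exchange.asmx 10.0.0.25 ExchangeServicesClient/15.01.2308.008 200
2021-11-22 14:05:01 POST /EWS/Exchange.asmx 10.0.0.25 ExchangeServicesClient/15.01.2308.008 200
2021-11-22 14:05:02 POST /EWS/Exchange.asmx 10.0.0.25 ExchangeServicesClient/15.01.2308.008 200
2021-11-22 14:05:03 POST /EWS/Exchange.asmx 10.0.0.25 ExchangeServicesClient/15.01.2308.008 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_ews_bursts(log_text, min_posts=MIN_POSTS, window=WINDOW):
    """Return {ip: matching_post_count} for public IPs with min_posts hits inside one window."""
    hits = defaultdict(list)
    for row in parse_w3c(log_text):
        ip = ip_address(row["c-ip"])
        if (row["cs-method"] == "POST"
                and row["cs-uri-stem"].lower() == EWS_PATH
                and row["cs(User-Agent)"] == POC_AGENT
                and not any(ip in net for net in INTERNAL_NETS)):
            hits[str(ip)].append(datetime.fromisoformat(row["date"] + " " + row["time"]))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        # Sliding window over sorted timestamps: flag if min_posts hits fall within `window`.
        if any(times[i + min_posts - 1] - times[i] <= window
               for i in range(len(times) - min_posts + 1)):
            flagged[ip] = len(times)
    return flagged
```

Running `find_ews_bursts(SAMPLE_LOG)` flags only 203.0.113.10; the burst from 10.0.0.25 is dropped as internal, which is where local tuning of the ranges and of the User-Agent list matters most.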

Otherwise, we recommend using Sysmon, as for other Exchange vulnerabilities. By their nature, these attacks require the IIS/Exchange worker process w3wp.exe to be leveraged to pivot into another process, so we expect Sysmon process-creation events matching patterns such as:

```
user LIKE "%DefaultAppPool%"
AND parent_process_name LIKE "%w3wp.exe%"
AND process_name LIKE "%cmd%"
```

This alerts whenever the w3wp (IIS) worker process spawns a command shell; adjust the process_name pattern to cover similar child processes, depending on the pivot you are trying to identify.

We will update this post as we find out more information. We’re also hosting [a livestream at 3:30 PM ET](https://www.blumira.com/webinar/mitigate-windows-vulnerabilities/) to answer any questions about this (as well as the [zero-day privilege elevation vuln](https://www.reddit.com/r/cybersecurity/comments/r0hmkc/zeroday_windows_vulnerability_enables_threat/)) and give updates.

[*This was originally published on Blumira’s blog.*](https://www.blumira.com/cve-2021-42321/)
