2021Äê3ÔÂ3ÈÕ£¬£¬£¬�£¬�£¬£¬£¬aggame¹ÙÍøÍøÂçÇå¾²Ó¦¼±ÍŶÓ×·×Ùµ½Î¢ÈíÓÚ2021Äê3ÔÂ2ÈÕ Õë¶ÔExchange·þÎñÆ÷Ðû²¼Á˶à¸ö¸ßΣÎó²îµÄΣº¦Í¨¸æ£¬£¬£¬�£¬�£¬£¬£¬Îó²î±àºÅΪCVE-2021-26855,CVE-2021-26857,CVE-2021-26858,CVE-2021-27065£¬£¬£¬�£¬�£¬£¬£¬ÔÚCVSSÖжÔÕâЩÎó²î¸ø³öÁ˽ÏÁ¿¸ßµÄÆÀ·Ö�¡£�¡£�¡£¡£�¡£¡£ÍþвÐж¯ÕßʹÓÃÕâЩÎó²î»á¼ûÍâµØExchange·þÎñÆ÷£¬£¬£¬�£¬�£¬£¬£¬´Ó¶ø¿ÉÒÔ»á¼ûµç×ÓÓʼþÕÊ»§£¬£¬£¬�£¬�£¬£¬£¬²¢ÔÊÐí×°ÖÃÆäËû¶ñÒâÈí¼þÒÔÔö½ø¶ÔÊܺ¦ÕßÇéÐεĺã¾Ã»á¼û�¡£�¡£�¡£¡£�¡£¡£
¶Ô´Ë£¬£¬£¬�£¬�£¬£¬£¬aggame¹ÙÍøÍøÂçÇå¾²Ó¦¼±ÍŶӽ¨Òé¿í´óÓû§ÊµÊ±½«ExchangeÉý¼¶µ½×îа汾�¡£�¡£�¡£¡£�¡£¡£Óë´Ëͬʱ£¬£¬£¬�£¬�£¬£¬£¬Çë×öºÃ×ʲú×Ô²éÒÔ¼°Ô¤·ÀÊÂÇ飬£¬£¬�£¬�£¬£¬£¬ÒÔÃâÔâÊܺڿ͹¥»÷�¡£�¡£�¡£¡£�¡£¡£
Ó°Ïì°æ±¾
Exchange server£º2010/2013/2016/2019
Exchange online£º²»ÊÜÓ°Ïì�¡£�¡£�¡£¡£�¡£¡£
Îó²îÏêÇé
1. CVE-2021-26855: ·þÎñ¶ËÇëÇóαÔìÎó²î
Exchange ·þÎñÆ÷¶ËÇëÇóαÔ죨SSRF£©Îó²î£¬£¬£¬�£¬�£¬£¬£¬Ê¹ÓôËÎó²îµÄ¹¥»÷ÕßÄܹ»·¢ËÍí§Òâ HTTP ÇëÇó²¢Í¨¹ý Exchange Server ¾ÙÐÐÉí·ÝÑéÖ¤�¡£�¡£�¡£¡£�¡£¡£
2. CVE-2021-26857: ÐòÁл¯Îó²î
Exchange ·´ÐòÁл¯Îó²î£¬£¬£¬�£¬�£¬£¬£¬¸ÃÎó²îÐèÒªÖÎÀíԱȨÏÞ£¬£¬£¬�£¬�£¬£¬£¬Ê¹ÓôËÎó²îµÄ¹¥»÷Õß¿ÉÒÔÔÚ Exchange ·þÎñÆ÷ÉÏÒÔ SYSTEM Éí·ÝÔËÐдúÂë�¡£�¡£�¡£¡£�¡£¡£
3. CVE-2021-26858: í§ÒâÎļþдÈëÎó²î
Exchange ÖÐÉí·ÝÑéÖ¤ºóµÄí§ÒâÎļþдÈëÎó²î�¡£�¡£�¡£¡£�¡£¡£¹¥»÷Õßͨ¹ý Exchange ·þÎñÆ÷½ø ÐÐÉí·ÝÑéÖ¤ºó£¬£¬£¬�£¬�£¬£¬£¬¿ÉÒÔʹÓôËÎó²î½«ÎļþдÈë·þÎñÆ÷ÉϵÄÈκη¾¶�¡£�¡£�¡£¡£�¡£¡£¸ÃÎó²î¿ÉÒÔ ÅäºÏ CVE-2021-26855 SSRF Îó²î¾ÙÐÐ×éºÏ¹¥»÷�¡£�¡£�¡£¡£�¡£¡£
4. CVE-2021-27065: í§ÒâÎļþдÈëÎó²î
Exchange ÖÐÉí·ÝÑéÖ¤ºóµÄí§ÒâÎļþдÈëÎó²î�¡£�¡£�¡£¡£�¡£¡£¹¥»÷Õßͨ¹ý Exchange ·þÎñÆ÷½ø ÐÐÉí·ÝÑéÖ¤ºó£¬£¬£¬�£¬�£¬£¬£¬¿ÉÒÔʹÓôËÎó²î½«ÎļþдÈë·þÎñÆ÷ÉϵÄÈκη¾¶�¡£�¡£�¡£¡£�¡£¡£¸ÃÎó²î¿ÉÒÔ ÅäºÏ CVE-2021-26855 SSRF Îó²î¾ÙÐÐ×éºÏ¹¥»÷�¡£�¡£�¡£¡£�¡£¡£
Çå¾²½¨Òé
΢ÈíÒÑÐû²¼Ïà¹ØÇå¾²¸üУ¬£¬£¬�£¬�£¬£¬£¬Óû§¿É¸ú½øÒÔÏÂÁ´½Ó¾ÙÐÐÉý¼¶:
CVE-2021-26855: https://msrc.microsoft.com/update-guide/vulnerability/CVE2021-26855
CVE-2021-26857: https://msrc.microsoft.com/update-guide/vulnerability/CVE2021-26857
CVE-2021-26858: https://msrc.microsoft.com/update-guide/vulnerability/CVE2021-26858
CVE-2021-27065: https://msrc.microsoft.com/update-guide/vulnerability/CVE2021-27065
¹¥»÷¼ì²â½¨Òé
01 CVE-2021-26855
¿ÉÒÔͨ¹ýÒÔÏÂExchange HttpProxyÈÕÖ¾¾ÙÐмì²â£º
%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy
¿ÉÒÔͨ¹ýÔÚÈÕÖ¾ÌõÄ¿ÖÐËÑË÷AuthenticatedUserÊÇ·ñΪ¿Õ²¢ÇÒAnchorMailboxÊÇ·ñ°üÀ¨ServerInfo?* / *ģʽʶ±ðÎó²îʹÓÃ�¡£�¡£�¡£¡£�¡£¡£ÒÔÏÂPowershell¿ÉÖ±½Ó¾ÙÐÐÈÕÖ¾¼ì²â£¬£¬£¬�£¬�£¬£¬£¬²¢¼ì²éÊÇ·ñÊܵ½¹¥»÷£º
Import-Csv-Path(Get-ChildItem-Recurse-Path “$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy”- Filter ‘*.log’).FullName | Where-Object { $_.AuthenticatedUser -eq ” -and $_.AnchorMailbox -like ‘ServerInfo~*/*’ } | select DateTime, AnchorMailbox
ÈôÊǼì²âµ½ÁËÈëÇÖ£¬£¬£¬�£¬�£¬£¬£¬¿ÉÒÔͨ¹ý¼ì²âAnchorMailbox·¾¶ÖÐÖ¸¶¨Ìض¨Ó¦ÓóÌÐòµÄÈÕÖ¾À´»ñÈ¡¹¥»÷Õß½ÓÄÉÁËÄÄЩÔ˶¯£º
%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging
02 CVE-2021-26858
ͨ¹ýExchangeÈÕÖ¾Îļþ¼ì²âCVE-2021-26858ʹÓãº
ÈÕ־Ŀ¼£º
C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog
¿Éͨ¹ýÒÔÏÂÏÂÁî¾ÙÐпìËÙä¯ÀÀ£¬£¬£¬�£¬�£¬£¬£¬²¢¼ì²éÊÇ·ñÊܵ½¹¥»÷£º
findstr /snip /c:”Download failed and temporary file” “%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log”
03 CVE-2021-26857
ͨ¹ýWindowsÓ¦ÓóÌÐòÊÂÎñÈÕÖ¾¼ì²âCVE-2021-26857ʹÓ㬣¬£¬�£¬�£¬£¬£¬Ê¹Óô˷´ÐòÁл¯¹ýʧ½«½¨Éè¾ßÓÐÒÔÏÂÊôÐÔµÄÓ¦ÓóÌÐòÊÂÎñ£º
ȪԴ£ºMSExchangeͳһÐÂÎÅ
EntryType£º¹ýʧ
ÊÂÎñÐÂÎÅ°üÀ¨£ºSystem.InvalidCastExceptio
¸ÃÎó²îµ¥¶ÀʹÓÃÄѶÈÉԸߣ¬£¬£¬�£¬�£¬£¬£¬¿ÉʹÓÃÒÔÏÂÏÂÁîÔÚÓ¦ÓóÌÐòÊÂÎñÈÕÖ¾ÖÐÅÌÎÊÕâЩÈÕÖ¾ÌõÄ¿£¬£¬£¬�£¬�£¬£¬£¬²¢¼ì²éÊÇ·ñÊܵ½¹¥»÷�¡£�¡£�¡£¡£�¡£¡£
Get-EventLog -LogName Application -Source “MSExchange Unified Messaging” -EntryType Error | Where-Object { $_.Message -like “*System.InvalidCastException*” }
04 CVE-2021-27065
ͨ¹ýÒÔÏÂExchangeÈÕÖ¾Îļþ¼ì²âCVE-2021-27065ʹÓ㬣¬£¬�£¬�£¬£¬£¬
C£º\ Program Files \ Microsoft \ Exchange Server \ V15 \ Logging \ ECP \ Server
ËùÓÐSet- <AppName> VirtualDirectoryÊôÐÔ¶¼²»Ó¦°üÀ¨¾ç±¾�¡£�¡£�¡£¡£�¡£¡£InternalUrlºÍExternalUrlÓ¦¸Ã½öÊÇÓÐÓÃUris�¡£�¡£�¡£¡£�¡£¡£
ͨ¹ýpowershellÏÂÁî¾ÙÐÐÈÕÖ¾¼ì²â£¬£¬£¬�£¬�£¬£¬£¬²¢¼ì²éÊÇ·ñÔâµ½¹¥»÷:
Select-String -Path “$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log” -Pattern ‘Set-.+VirtualDirectory’
Çå¾²·À»¤»º½â
¹¥»÷ÕßʹÓÃÉÏÊöÎó²î¿ÉÒÔ¾ÙÐÐwebshell¡¢¶ñÒâÎļþÉÏ´«ÒÔ¼°¶ñÒâÍøÂçͨѶÐÐΪ�¡£�¡£�¡£¡£�¡£¡£Îª»º½â¹¥»÷ÕßʹÓÃÕâЩÎó²î¾ÙÐкóÐøµÄ¹¥»÷Ðж¯£¬£¬£¬�£¬�£¬£¬£¬½¨Òé¿Í»§ÊµÊ±½ÓÄÉÇå¾²Íø¹Ø²úÆ·¾ÙÐÐʵʱµÄ¹¥»÷·À»¤Ó뻺½â�¡£�¡£�¡£¡£�¡£¡£
|
²úÆ·
|
˵Ã÷
|
|
RG-APT¸ß¼¶Íþв¼ì²âϵͳ
|
aggame¹ÙÍø¸ß¼¶Íþв¼ì²âϵͳ£¨RG-APT£©»ùÓÚ“Îļþ+Á÷Á¿”˫ά¶ÈÆÊÎö¼Ü¹¹�¡£�¡£�¡£¡£�¡£¡£Í¨¹ý¶ÀÍ̵İ˴󽹵ãÒýÇ棬£¬£¬�£¬�£¬£¬£¬×ÛºÏÍþвÇ鱨¡¢ÐÐΪģ×Ó¡¢»úеѧϰ¡¢ÐéÄ⻯ɳÏäºÍÇå¾²ÌØÕ÷¿âµÈ¼ì²âÊÖÒÕÁýÕÖʽ·¢Ã÷¸ß¼¶Î´ÖªÍþв.
|
|
RG-WALLϵÁÐÏÂÒ»´ú·À»ðǽ
|
ÏÂÒ»´ú·À»ðǽÍŽá·À²¡¶¾ÒÔ¼°ÍþвÇ鱨¼ì²â�¡£�¡£�¡£¡£�¡£¡£¼ì²âÖ÷Á÷½©Ä¾È䣬£¬£¬�£¬�£¬£¬£¬aptÑù±¾�¡£�¡£�¡£¡£�¡£¡£
|
|
RG-BDS-TSP
|
aggame¹ÙÍøNFA̽Õëϵͳ£¬£¬£¬�£¬�£¬£¬£¬ÍŽá×îеÄÍþвÇ鱨£¬£¬£¬�£¬�£¬£¬£¬ÊµÊ±ÅбðÍøÂçÖд«ÊäÎļþ£¬£¬£¬�£¬�£¬£¬£¬ÅжÏDZÔÚ²¡¶¾�¡£�¡£�¡£¡£�¡£¡£
|
ÍŶÓÏÈÈÝ
aggame¹ÙÍøÍøÂçCERTÇå¾²Ó¦¼±ÏìÓ¦ÍŶӣ¬£¬£¬�£¬�£¬£¬£¬¸ú×Ù×îл¥ÁªÍøÍþвÊÂÎñ£¬£¬£¬�£¬�£¬£¬£¬Õë¶Ô×îÐÂÇå¾²Îó²î£¬£¬£¬�£¬�£¬£¬£¬APT¹¥»÷ÒÔ¼°½©Ê¬ÍøÂç¼Ò×å×öʵʱ¸ú×ÙºÍÆÊÎö£»�£»£»£»�£»�£»�£»Îª²úÆ·¡¢¿Í»§Ìṩʵʱ¡¢ÓÐÓõÄÇå¾²·À»¤Õ½ÂÔÓë½â¾ö¼Æ»®�¡£�¡£�¡£¡£�¡£¡£
aggame¹ÙÍø“ÍøÂç+Çå¾²”Ö÷ÕŽ«ÍøÂç×°±¸µÄÇå¾²ÄÜÁ¦³ä·ÖÑéÕ¹£¬£¬£¬�£¬�£¬£¬£¬ÍøÂç×°±¸¡¢Çå¾²×°±¸ÓëÇ徲ƽ̨ÖÇÄÜÁª¶¯£¬£¬£¬�£¬�£¬£¬£¬Àë±ðÇå¾²¹Âµº£¬£¬£¬�£¬�£¬£¬£¬×é³ÉÕûÍøÁª¶¯µÄÇå¾²°ü¹Üϵͳ£¬£¬£¬�£¬�£¬£¬£¬ÊµÏÖ·À»¤¡¢Çå¾²Õ¹Íû¡¢ÆÊÎöºÍÏìÓ¦µÈÇå¾²ÎÊÌâ×Ô¶¯»¯È«Á÷³Ì±Õ»·�¡£�¡£�¡£¡£�¡£¡£
?ÈçÄúÐèÒªaggame¹ÙÍøÇå¾²£¬£¬£¬�£¬�£¬£¬£¬ÇëÁôÏÂÄúµÄÁªÏµ·½·¨
Ðû²¼Ê±¼ä£º2021-03-04
