I. VULNERABILITY ------------------------- Rollup 18 for Microsoft Exchange Server 2010 SP3 Server Side Request Forgery (SSRF) II. CVE REFERENCE ------------------------- CVE-2018-16793 III. VENDOR ------------------------- https://www.microsoft.com IV. TIMELINE ------------------------ 19/06/2018 Vulnerability discovered 22/06/2018 Vendor contacted 15/08/2018 Microsoft replay that Update rollup 18 is out of date. V. CREDIT ------------------------- Alphan Yavas VI. DESCRIPTION ------------------------- Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions are affected from SSRF vulnerability. A remote attacker could force the vulnerable server to send request to any remote server s/he wants. VII. PROOF OF CONCEPT ------------------------- Affected Component: Path(inurl): /owa/auth/logon.aspx Parameter: username Login page of OWA affected from SSRF vulnerability. If username is being sent with following format victim server will send out DNS queries to xxx domain. (xxx is the domain which you want to send request from server) username: ssrf.xxx.com\pentest password: (doesn't matter) If you want to listen this request you must listen with tcpdump to dns port your own server(xxx) and you can see callback request.
