Merge pull request #120 from microsoft/main

Release

.build/CodeFormatter.ps1

@@ -1,11 +1,13 @@
 [CmdletBinding()]
 param(
+    [Switch]
+    $Save
 )
 
 $repoRoot = Get-Item "$PSScriptRoot\.."
 
 $scriptFiles = Get-ChildItem -Path $repoRoot -Directory | Where-Object { $_.Name -ne ".build" -and
-    $_.Name -ne "dist"} | ForEach-Object { Get-ChildItem -Path $_.FullName *.ps1 -Recurse } | ForEach-Object { $_.FullName }
+    $_.Name -ne "dist" } | ForEach-Object { Get-ChildItem -Path $_.FullName -Include "*.ps1", "*.psm1" -Recurse } | ForEach-Object { $_.FullName }
 $filesFailed = $false
 
 foreach ($file in $scriptFiles) {
@@ -21,6 +23,11 @@ foreach ($file in $scriptFiles) {
         if ($scriptFormatter.StringContent -cne $scriptFormatter.FormattedScript) {
             Write-Host ("Failed to follow the same format defined in the repro")
             git diff ($($scriptFormatter.StringContent) | git hash-object -w --stdin) ($($scriptFormatter.FormattedScript) | git hash-object -w --stdin)
+
+            if ($Save) {
+                Set-Content -Path $file -Value $scriptFormatter.FormattedScript -Encoding utf8BOM
+                Write-Host "Saved $file with formatting corrections."
+            }
         }
 
         if ($null -ne $scriptFormatter.AnalyzedResults) {

Security/README.md

@@ -17,9 +17,9 @@ To check the local server only, just run the script:
 
 `.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs`
 
-To display the results without saving them, drop the -Outpath parameter from either example above:
+To display the results without saving them, pass -DisplayOnly:
 
-`.\Test-ProxyLogon.ps1`
+`.\Test-ProxyLogon.ps1 -DisplayOnly`
 
 ## BackendCookieMitigation.ps1
 

Security/Test-ProxyLogon.ps1

@@ -16,10 +16,15 @@
 param (
     [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
     [string[]]
-    $ComputerName = $env:COMPUTERNAME,
+    $ComputerName,
 
+    [Parameter()]
     [string]
-    $OutPath
+    $OutPath = "$PSScriptRoot\Test-ProxyLogonLogs",
+
+    [Parameter()]
+    [switch]
+    $DisplayOnly
 )
 
 process {
@@ -217,11 +222,14 @@ process {
             $InputObject,
 
             [string]
-            $OutPath
+            $OutPath,
+
+            [switch]
+            $DisplayOnly
         )
 
         begin {
-            if ($OutPath) {
+            if ($OutPath -and -not $DisplayOnly) {
                 New-Item $OutPath -ItemType Directory -Force | Out-Null
             }
         }
@@ -237,7 +245,7 @@ process {
 
                 if ($report.Cve26855.Count -gt 0) {
                     Write-Host "  [CVE-2021-26855] Suspicious activity found in Http Proxy log!" -ForegroundColor Red
-                    if ($OutPath) {
+                    if (-not $DisplayOnly) {
                         $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-Cve-2021-26855.csv"
                         $report.Cve26855 | Export-Csv -Path $newFile
                         Write-Host "  Report exported to: $newFile"
@@ -249,7 +257,7 @@ process {
                 if ($report.Cve26857.Count -gt 0) {
                     Write-Host "  [CVE-2021-26857] Suspicious activity found in Eventlog!" -ForegroundColor Red
                     Write-Host "  $(@($report.Cve26857).Count) events found"
-                    if ($OutPath) {
+                    if (-not $DisplayOnly) {
                         $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-Cve-2021-26857.csv"
                         $report.Cve26857 | Select-Object TimeCreated, MachineName, Message | Export-Csv -Path $newFile
                         Write-Host "  Report exported to: $newFile"
@@ -262,7 +270,7 @@ process {
                     foreach ($entry in $report.Cve26858) {
                         Write-Host "   $entry"
                     }
-                    if ($OutPath) {
+                    if (-not $DisplayOnly) {
                         $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-Cve-2021-26858.log"
                         $report.Cve26858 | Set-Content -Path $newFile
                         Write-Host "  Report exported to: $newFile"
@@ -275,7 +283,7 @@ process {
                     foreach ($entry in $report.Cve27065) {
                         Write-Host "   $entry"
                     }
-                    if ($OutPath) {
+                    if (-not $DisplayOnly) {
                         $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-Cve-2021-27065.log"
                         $report.Cve27065 | Set-Content -Path $newFile
                         Write-Host "  Report exported to: $newFile"
@@ -284,7 +292,7 @@ process {
                 }
                 if ($report.Suspicious.Count -gt 0) {
                     Write-Host "  Other suspicious files found: $(@($report.Suspicious).Count)"
-                    if ($OutPath) {
+                    if (-not $DisplayOnly) {
                         $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-other.csv"
                         $report.Suspicious | Export-Csv -Path $newFile
                         Write-Host "  Report exported to: $newFile"
@@ -298,5 +306,9 @@ process {
         }
     }
 
-    $ComputerName | Test-ExchangeProxyLogon | Write-ProxyLogonReport -OutPath $OutPath
+    if ($DisplayOnly) {
+        $ComputerName | Test-ExchangeProxyLogon | Write-ProxyLogonReport -DisplayOnly
+    } else {
+        $ComputerName | Test-ExchangeProxyLogon | Write-ProxyLogonReport -OutPath $OutPath
+    }
 }

Security/http-vuln-cve2021-26855.nse

@@ -61,8 +61,9 @@ Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Ex
   }
 
   local response = http.generic_request(host, port, method, path, { header = header })
+  local target = response.header['x-calculatedbetarget']
 
-  if response and response.status == 500 and response.body:find('NegotiateSecurityContext', 1, true) then
+  if response and response.status == 500 and string.match(target,'localhost') then
     vuln.state = vulns.STATE.VULN
   end