From eda4b387f8cd0f471496b89f0ab7b4ca642db2fd Mon Sep 17 00:00:00 2001 From: justinhendricksmsft <58621641+justinhendricksmsft@users.noreply.github.com> Date: Sat, 6 Mar 2021 22:56:10 -0800 Subject: [PATCH 1/4] Update http-vuln-cve2021-26855.nse Fix NSE script to work for Exchange 2013 --- Security/http-vuln-cve2021-26855.nse | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Security/http-vuln-cve2021-26855.nse b/Security/http-vuln-cve2021-26855.nse index 8b8ae67372..6a57734686 100644 --- a/Security/http-vuln-cve2021-26855.nse +++ b/Security/http-vuln-cve2021-26855.nse @@ -61,8 +61,9 @@ Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Ex } local response = http.generic_request(host, port, method, path, { header = header }) + local target = response.header['x-calculatedbetarget'] - if response and response.status == 500 and response.body:find('NegotiateSecurityContext', 1, true) then + if response and response.status == 500 and string.match(target,'localhost') then vuln.state = vulns.STATE.VULN end From bd389eb53e60a0a503e30c7c53e4337b35a21cf2 Mon Sep 17 00:00:00 2001 From: Bill Long Date: Sun, 7 Mar 2021 08:22:50 -0600 Subject: [PATCH 2/4] Include .psm1 files in formatting rules --- .build/CodeFormatter.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.build/CodeFormatter.ps1 b/.build/CodeFormatter.ps1 index 01456b92d4..546f625139 100644 --- a/.build/CodeFormatter.ps1 +++ b/.build/CodeFormatter.ps1 @@ -5,7 +5,7 @@ param( $repoRoot = Get-Item "$PSScriptRoot\.." $scriptFiles = Get-ChildItem -Path $repoRoot -Directory | Where-Object { $_.Name -ne ".build" -and - $_.Name -ne "dist"} | ForEach-Object { Get-ChildItem -Path $_.FullName *.ps1 -Recurse } | ForEach-Object { $_.FullName } + $_.Name -ne "dist" } | ForEach-Object { Get-ChildItem -Path $_.FullName -Include "*.ps1", "*.psm1" -Recurse } | ForEach-Object { $_.FullName } $filesFailed = $false foreach ($file in $scriptFiles) { 
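Review bot: `local target = response.header['x-calculatedbetarget']` indexes `response` before the `if response and ...` guard on the line below it, and `string.match(target, 'localhost')` receives a nil `target` whenever the header is absent, so on any host that does not answer with that header the script raises a Lua error instead of leaving the state at NOT_VULN. Guard both: `local target = response and response.header and response.header['x-calculatedbetarget']` and `if response and response.status == 500 and target and string.match(target, 'localhost') then`. The commit also drops the `NegotiateSecurityContext` body check without recording why; a comment above the condition explaining why the header value replaces the body check would keep the rationale in the script. The enclosing action function starts and ends outside the hunk.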
From 1f86ad1da8e51a9b0173d7e80395b212542c256f Mon Sep 17 00:00:00 2001 From: Bill Long Date: Sun, 7 Mar 2021 08:37:38 -0600 Subject: [PATCH 3/4] Add a switch to tell CodeFormatter to just fix the format --- .build/CodeFormatter.ps1 | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.build/CodeFormatter.ps1 b/.build/CodeFormatter.ps1 index 546f625139..f3431bd037 100644 --- a/.build/CodeFormatter.ps1 +++ b/.build/CodeFormatter.ps1 @@ -1,5 +1,7 @@ [CmdletBinding()] param( + [Switch] + $Save ) $repoRoot = Get-Item "$PSScriptRoot\.." @@ -21,6 +23,11 @@ foreach ($file in $scriptFiles) { if ($scriptFormatter.StringContent -cne $scriptFormatter.FormattedScript) { Write-Host ("Failed to follow the same format defined in the repro") git diff ($($scriptFormatter.StringContent) | git hash-object -w --stdin) ($($scriptFormatter.FormattedScript) | git hash-object -w --stdin) + + if ($Save) { + Set-Content -Path $file -Value $scriptFormatter.FormattedScript -Encoding utf8BOM + Write-Host "Saved $file with formatting corrections." + } } if ($null -ne $scriptFormatter.AnalyzedResults) { From ad5bca83668ca52305a61dc1392f7888d97740d8 Mon Sep 17 00:00:00 2001 From: Bill Long Date: Sun, 7 Mar 2021 11:04:36 -0600 Subject: [PATCH 4/4] Save results by default First, this change actually fixes #96. We missed a spot. This change also alters the syntax. There are three ways to run the script: This works as before: `.\Test-ProxyLogon.ps1 -OutPath` This sets -OutPath to $PSScriptRoot\Test-ProxyLogonLogs: `.\Test-ProxyLogon.ps1` This only displays results and does not save them: `.\Test-ProxyLogon.ps1 -DisplayOnly` --- Security/README.md | 4 ++-- Security/Test-ProxyLogon.ps1 | 32 ++++++++++++++++++++++---------- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/Security/README.md b/Security/README.md index 43a1621766..57cd62236f 100644 --- a/Security/README.md +++ b/Security/README.md 
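Review bot: `Set-Content -Path $file -Value $scriptFormatter.FormattedScript -Encoding utf8BOM` uses an encoding name that exists only in PowerShell 6 and later; under Windows PowerShell 5.1 the `-Encoding` parameter rejects `utf8BOM` and the `-Save` path fails, so if this formatter is expected to run there use `-Encoding UTF8` (which writes a BOM on 5.1) or branch on `$PSVersionTable.PSVersion.Major`. The file is rewritten in place, which is worth stating next to the switch: `# -Save overwrites $file with the formatted content; review the diff printed above before committing`. The enclosing foreach loop starts and ends outside the hunk.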
@@ -17,9 +17,9 @@ To check the local server only, just run the script: `.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs` -To display the results without saving them, drop the -Outpath parameter from either example above: +To display the results without saving them, pass -DisplayOnly: -`.\Test-ProxyLogon.ps1` +`.\Test-ProxyLogon.ps1 -DisplayOnly` ## BackendCookieMitigation.ps1 diff --git a/Security/Test-ProxyLogon.ps1 b/Security/Test-ProxyLogon.ps1 index 6064f7301c..02bdde3f34 100644 --- a/Security/Test-ProxyLogon.ps1 +++ b/Security/Test-ProxyLogon.ps1 @@ -16,10 +16,15 @@ param ( [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] [string[]] - $ComputerName = $env:COMPUTERNAME, + $ComputerName, + [Parameter()] [string] - $OutPath + $OutPath = "$PSScriptRoot\Test-ProxyLogonLogs", + + [Parameter()] + [switch] + $DisplayOnly ) process { @@ -217,11 +222,14 @@ process { $InputObject, [string] - $OutPath + $OutPath, + + [switch] + $DisplayOnly ) begin { - if ($OutPath) { + if ($OutPath -and -not $DisplayOnly) { New-Item $OutPath -ItemType Directory -Force | Out-Null } } @@ -237,7 +245,7 @@ process { if ($report.Cve26855.Count -gt 0) { Write-Host " [CVE-2021-26855] Suspicious activity found in Http Proxy log!" -ForegroundColor Red - if ($OutPath) { + if (-not $DisplayOnly) { $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-Cve-2021-26855.csv" $report.Cve26855 | Export-Csv -Path $newFile Write-Host " Report exported to: $newFile" @@ -249,7 +257,7 @@ process { if ($report.Cve26857.Count -gt 0) { Write-Host " [CVE-2021-26857] Suspicious activity found in Eventlog!" -ForegroundColor Red Write-Host " $(@($report.Cve26857).Count) events found" - if ($OutPath) { + if (-not $DisplayOnly) { $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-Cve-2021-26857.csv" $report.Cve26857 | Select-Object TimeCreated, MachineName, Message | Export-Csv -Path $newFile Write-Host " Report exported to: $newFile" 
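Review bot: `$OutPath = "$PSScriptRoot\Test-ProxyLogonLogs"` resolves to `\Test-ProxyLogonLogs` at the root of the current drive when `$PSScriptRoot` is empty, which happens when the script body is run interactively or through `Invoke-Expression` rather than from a file, so the default should fall back explicitly: `$OutPath = Join-Path -Path $(if ($PSScriptRoot) { $PSScriptRoot } else { $PWD }) -ChildPath "Test-ProxyLogonLogs",`. Removing the `$env:COMPUTERNAME` default means an unset `$ComputerName` is now piped as `$null` into `Test-ExchangeProxyLogon`; the commit message says this works as before, which presumably relies on that function supplying its own default, but that is not visible here and is worth confirming. Supplying `-OutPath` together with `-DisplayOnly` silently discards the path; separate parameter sets, or a line in the comment-based help, would make that explicit. The param block starts outside the hunk.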
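Review bot: The `begin` block only creates the directory under `if ($OutPath -and -not $DisplayOnly)`, but every export branch in this file (hunks @@ -237, @@ -249, @@ -262, @@ -275 and @@ -284) is guarded by `-not $DisplayOnly` alone, so calling `Write-ProxyLogonReport` with neither switch reaches `Join-Path -Path $OutPath` with an empty path and, in my reading, throws partway through the report after findings have already been written to the host. The top-level call in this commit always passes one of the two, so this is latent, but the inner function is callable on its own. Either fail early in `begin`: `if (-not $DisplayOnly -and -not $OutPath) { throw "Specify -OutPath or -DisplayOnly" }`, or make each branch guard match the begin block. The function's param block and process block continue outside the hunk.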
@@ -262,7 +270,7 @@ process { foreach ($entry in $report.Cve26858) { Write-Host " $entry" } - if ($OutPath) { + if (-not $DisplayOnly) { $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-Cve-2021-26858.log" $report.Cve26858 | Set-Content -Path $newFile Write-Host " Report exported to: $newFile" @@ -275,7 +283,7 @@ process { foreach ($entry in $report.Cve27065) { Write-Host " $entry" } - if ($OutPath) { + if (-not $DisplayOnly) { $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-Cve-2021-27065.log" $report.Cve27065 | Set-Content -Path $newFile Write-Host " Report exported to: $newFile" @@ -284,7 +292,7 @@ process { } if ($report.Suspicious.Count -gt 0) { Write-Host " Other suspicious files found: $(@($report.Suspicious).Count)" - if ($OutPath) { + if (-not $DisplayOnly) { $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-other.csv" $report.Suspicious | Export-Csv -Path $newFile Write-Host " Report exported to: $newFile" @@ -298,5 +306,9 @@ process { } } - $ComputerName | Test-ExchangeProxyLogon | Write-ProxyLogonReport -OutPath $OutPath + if ($DisplayOnly) { + $ComputerName | Test-ExchangeProxyLogon | Write-ProxyLogonReport -DisplayOnly + } else { + $ComputerName | Test-ExchangeProxyLogon | Write-ProxyLogonReport -OutPath $OutPath + } }
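Review bot: The two branches of the new `if ($DisplayOnly)` run the same pipeline and differ only in which switch is forwarded, so the call can be written once by passing the switch with its value: `$ComputerName | Test-ExchangeProxyLogon | Write-ProxyLogonReport -OutPath $OutPath -DisplayOnly:$DisplayOnly`. With the `begin` guard already checking `-not $DisplayOnly`, the behaviour is the same and the two code paths cannot drift apart when further options are added. The enclosing process block starts outside the hunk.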