New Exchange Zero Day

Michael B. Smith

Sep 30, 2022, 10:19:21 AM
to ntexc...@googlegroups.com

tl;dr: if you don’t expose IIS on Exchange to the internet, you aren’t at risk. Otherwise you need to remediate quickly.

 

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

 

Thanks.

 

Regards,

Michael B. Smith

Managing Consultant

Smith Consulting, LLC

 

Steve Saporito

Sep 30, 2022, 3:31:53 PM
to ntexc...@googlegroups.com
If it's helpful, I crafted some line commands that can quickly create the Rewrite rule. So far as I can tell the below creates the exact same rule as the manual procedure. I used the procedure from Adam The Automator here. Then used the information in the web.config file on a server with a manually created rule to craft the commands. The URL rewrite module should be installed on 2019 server as it was required in previous updates. I don't think the same is true for earlier versions, but provided the module is installed, you should be able to rapidly paste the commands into a PowerShell window on the Exchange server.

If you see any issues with this let me know, as I'll want to backtrack it in my own environment.

# $site must already hold the IIS provider path of the target site, e.g. 'IIS:\Sites\<site name>'.

# Create the rule:

Add-WebConfigurationProperty -pspath $site -filter "system.webserver/rewrite/rules" -name "." -value @{name='RequestBlockingRule1'; patternSyntax='ECMAScript'; stopProcessing='True'}

# Add/Set the URL match:

Set-WebConfigurationProperty -pspath $site -filter "system.webserver/rewrite/rules/rule[@name='RequestBlockingRule1']/match" -name url -value ".*"

# Add/Set the condition:

Add-WebConfigurationProperty -pspath $site -filter "system.webserver/rewrite/rules/rule[@name='RequestBlockingRule1']/conditions" -name "." -value @{input="{REQUEST_URI}"; pattern=".*autodiscover\.json.*\@.*Powershell.*"; ignoreCase="true"; negate="false"}

# Add the action(s):

Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='RequestBlockingRule1']/action" -name "type" -value "CustomResponse"

Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='RequestBlockingRule1']/action" -name "statusCode" -value 403

Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='RequestBlockingRule1']/action" -name "statusReason" -value "Forbidden: Access is denied."

Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='RequestBlockingRule1']/action" -name "statusDescription" -value "You do not have permission to view this directory or page using the credentials that you supplied."
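
One way to check what the commands above left in the configuration and to exercise the blocking pattern, as an added example that is not part of either post. It assumes `$site` is still set to the path used when the rule was created; the helper name `Get-RuleValue` and the sample request URIs are constructed for illustration.

```powershell
# Added example, not from the thread. Assumes the WebAdministration module is present and
# $site is the same IIS provider path that was used when the rule was created.
Import-Module WebAdministration
if (-not $site) { throw 'Set $site to the IIS provider path of the target site first.' }

$rule    = "system.webServer/rewrite/rules/rule[@name='RequestBlockingRule1']"
$pattern = '.*autodiscover\.json.*\@.*Powershell.*'   # condition pattern from the post

# Get-WebConfigurationProperty returns either a plain value or an object with .Value.
function Get-RuleValue([string]$Filter, [string]$Name) {
    $raw = Get-WebConfigurationProperty -PSPath $site -Filter $Filter -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { $raw.Value } else { $raw }
}

# Attribute values the commands in the post are meant to leave in web.config.
$expected = @(
    @{ Filter = $rule;                  Name = 'patternSyntax';  Value = 'ECMAScript' }
    @{ Filter = $rule;                  Name = 'stopProcessing'; Value = 'True' }
    @{ Filter = "$rule/match";          Name = 'url';            Value = '.*' }
    @{ Filter = "$rule/conditions/add"; Name = 'input';          Value = '{REQUEST_URI}' }
    @{ Filter = "$rule/conditions/add"; Name = 'pattern';        Value = $pattern }
    @{ Filter = "$rule/action";         Name = 'type';           Value = 'CustomResponse' }
    @{ Filter = "$rule/action";         Name = 'statusCode';     Value = '403' }
)
foreach ($e in $expected) {
    $actual = Get-RuleValue $e.Filter $e.Name
    $state  = if ("$actual" -eq $e.Value) { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1} = "{2}"' -f $state, $e.Name, $actual
}

# Exercise the pattern the way the rule is configured: ECMAScript syntax, ignoreCase="true".
$options = [Text.RegularExpressions.RegexOptions]'ECMAScript, IgnoreCase'
$samples = [ordered]@{   # constructed request URIs => should the rule block them?
    '/autodiscover/autodiscover.json?a@example.test/PowerShell' = $true
    '/AUTODISCOVER/AUTODISCOVER.JSON?a@example.test/powershell' = $true
    '/autodiscover/autodiscover.json?Email=user@example.test'   = $false
    '/owa/auth/logon.aspx'                                      = $false
}
foreach ($uri in $samples.Keys) {
    $blocked = [regex]::IsMatch($uri, $pattern, $options)
    $state   = if ($blocked -eq $samples[$uri]) { 'OK' } else { 'UNEXPECTED' }
    '{0,-10} blocked={1,-5} {2}' -f $state, $blocked, $uri
}
```

Any `MISMATCH` line means the scripted rule differs from the values in the post and should be compared against the rule as shown in IIS Manager.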



