I. VULNERABILITY ------------------------- Microsoft Exchange Server, External Service Interaction (DNS) Exchange Server 2013 CU22 and previous. II. CVE REFERENCE ------------------------- Not Assigned Yet III. VENDOR ------------------------- https://www.microsoft.com IV. DESCRIPTION ------------------------- Microsoft Exchange Server are affected from External Service Interaction(DNS) vulnerability. A remote attacker could force the vulnerable server to send request to any remote server s/he wants. V. TIMELINE ------------------------- 04/11/2019 Vulnerability discovered 05/12/2019 Vendor contacted 17/12/2019 Microsoft replay that “We determined that this behavior is considered to be by design.” VI. CREDIT ------------------------- Alphan Yavas from Biznet Bilisim A.S. VII. Components ------------------------- Affected Component: Path(inurl): /Autodiscover Parameter: Authorization VIII. PROOF OF CONCEPT ------------------------- Request example: GET /Autodiscover HTTP/1.1 Host: owa.zzzzz.com.tr Authorization: Basic abc Affected parameter: Authorization If Authorization is being sent with following format victim server will send out DNS queries to xxx domain. (xxx is the domain which you want to send request from server) xxx\qqq:aaa As you see above, we have a base64 payload for authorization header. If we decode that payload we will see a structure like "domain\username:password". In that case, if we intercept the request and create a new base64 payload and set a different domain then default. (for example xxxx.com) Now, we have a payload like"xxxx.com\qqq:aaa" and encode this payload with base64. While we send our request with this payload, server will send DNS request to xxxx domain.