Microsoft Exchange Client Access Server Information Disclosure

EOL Check


Connect to the open HTTPS port of your Exchange server using OpenSSL and the command below.

openssl s_client -host hostname.domain.com -port 443 

Once the connection is made, you will be prompted to input a command.

Paste or type the following (it issues a GET request for autodiscover.xml over the TLS session):

GET /autodiscover/autodiscover.xml HTTP/1.0

Press Enter twice after typing the GET request; the server will not respond until it receives the blank line that ends the request headers.

The response discloses the server's internal IP address in the WWW-Authenticate: Basic realm="..." header.


Remediation

The rule below matches any WWW-Authenticate header whose Basic realm value is an IP address and replaces that address with the domain name.

Header Modification

Rule Type: Replace Header
Header Field: WWW-Authenticate
Match String: /(Basic realm=)(\"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\")/
Replacement: \1"domain.com"

This can then be added to the Virtual Service: Virtual Services > View/Modify Services > Advanced Properties > HTTP Header Modifications > Response Rules.

The internal address is now hidden in all responses and replaced with www.domain.com.
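As an added example (not part of this page, and not code from Microsoft or the load balancer vendor), the following Python reproduces both the check above and the header rule: fetch_autodiscover sends the same HTTP/1.0 GET, with no Host header, that the openssl session does; leaked_ips flags a Basic realm that is an IP address; rewrite_realm applies the Replace Header rule with the dots escaped. The function names and the sample 401 response are assumptions constructed for the example.

```python
import re
import socket
import ssl

# Constructed sample 401 response (not captured from a real server); private-range placeholder realm.
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    'WWW-Authenticate: Basic realm="192.168.10.25"\r\n'
    "WWW-Authenticate: Negotiate\r\n\r\n"
)
# The page's match string with the dots escaped: a bare '.' matches any
# character, so an unescaped rule also fires on realms that are not addresses.
IP_REALM = re.compile(r'(Basic realm=)("(?:[0-9]{1,3}\.){3}[0-9]{1,3}")')

def fetch_autodiscover(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Live form of the openssl s_client check: same HTTP/1.0 GET, no Host header."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # checking your own server's headers,
    ctx.verify_mode = ssl.CERT_NONE  # not validating its certificate here
    request = b"GET /autodiscover/autodiscover.xml HTTP/1.0\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            response = bytearray()
            while data := tls.recv(4096):
                response += data
    return response.decode("latin-1")

def basic_realms(raw_response: str) -> list:
    """Realm value of every 'WWW-Authenticate: Basic' header in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    realms = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            m = re.match(r'\s*Basic realm="([^"]*)"', value)
            if m:
                realms.append(m.group(1))
    return realms

def leaked_ips(raw_response: str) -> list:
    """Addresses the response discloses; an empty list means the check passes."""
    return [r for r in basic_realms(raw_response)
            if re.fullmatch(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}", r)]

def rewrite_realm(header_value: str, domain: str = "domain.com") -> str:
    """Apply the Replace Header rule: \\1 keeps 'Basic realm=', the address becomes the domain."""
    return IP_REALM.sub(r'\1"' + domain + '"', header_value)
```

Run leaked_ips over the output of fetch_autodiscover before and after the rule is applied; the list should be empty afterwards.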

URL Rewrite

Alternatively, configure the IIS server to deny requests made without the Host header set. This is done with the URL Rewrite module for IIS.

Download the URL Rewrite module onto your Exchange server and install it.
