{"id":2316,"date":"2022-12-23T15:18:39","date_gmt":"2022-12-23T07:18:39","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=2316"},"modified":"2023-02-13T10:22:44","modified_gmt":"2023-02-13T02:22:44","slug":"%e7%a0%94%e7%a9%b6%e7%99%bc%e7%8f%beplay%e5%8b%92%e7%b4%a2%e8%bb%9f%e9%ab%94%e5%88%a9%e7%94%a8%e6%96%b0%e7%9a%84%e6%89%8b%e6%b3%95%ef%bc%8c%e4%be%86%e7%b9%9e%e9%81%8eexchange%e4%bc%ba%e6%9c%8d","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=2316","title":{"rendered":"\u7814\u7a76\u767c\u73fePLAY\u52d2\u7d22\u8edf\u9ad4\u5229\u7528\u65b0\u7684\u624b\u6cd5\uff0c\u4f86\u7e5e\u904eExchange\u4f3a\u670d\u5668\u4e0aProxyNotShell\u7684\u7de9\u89e3\u63aa\u65bd"},"content":{"rendered":"\n<p>\u6839\u64da CrowdStrike \u7684\u6700<a href=\"https:\/\/www.crowdstrike.com\/blog\/owassrf-exploit-analysis-and-recommendations\/\">\u65b0\u7814\u7a76<\/a>\uff0cPLAY\u52d2\u7d22\u8edf\u9ad4\u6b63\u5728\u4f7f\u7528\u4e00\u7a2e\u65b0\u7684\u5229\u7528\u65b9\u6cd5\u4f86\u7e5e\u904e Microsoft \u7684 ProxyNotShell \u7de9\u89e3\u63aa\u65bd\u4e26\u7372\u5f97\u5c0d Exchange\u4f3a\u670d\u5668\u7684\u521d\u671f\u5b58\u53d6\u6b0a\u9650\u3002ProxyNotShell \u5305\u542b\u5169\u500b Microsoft Exchange Server \u6f0f\u6d1e\uff0c\u9019\u4e9b\u6f0f\u6d1e\u5728 9 \u6708\u516c\u958b\u62ab\u9732\u4e4b\u524d\u5df2\u88ab\u5ee3\u6cdb\u5229\u7528\u3002\u653b\u64ca\u8005\u5c07\u4e00\u500b\u4f3a\u670d\u5668\u7aef\u8acb\u6c42\u507d\u9020 (SSRF) \u6f0f\u6d1e\uff08\u7de8\u865f\u70ba CVE- 2022-41040\uff09\u548c\u4e00\u500b\u4f86\u9060\u7aef\u57f7\u884c\u4efb\u610f\u7a0b\u5f0f\u78bc\uff08\u7de8\u865f\u70ba CVE-2022-41802\uff09\u9023\u7d50\u5728\u4e00\u8d77\uff0c\u4ee5\u7372\u53d6\u5c0d\u7528\u6236\u7cfb\u7d71\u7684\u5b58\u53d6\u6b0a\u9650\u3002\u96d6\u7136 Microsoft \u767c\u5e03\u4e86 Autodiscover \u7aef\u9ede\u7684 URL \u91cd\u5beb\u7de9\u89e3\u63aa\u65bd\u4ee5\u56de\u61c9 ProxyNotShell\uff0c\u4f46PLAY\u52d2\u7d22\u8edf\u9ad4\u653b\u64ca\u8005\u627e\u5230\u4e86\u89e3\u6c7a\u65b9\u6cd5\uff0c\u53ef\u4f7fExchange \u4f3a\u670d\u5668\u8655\u65bc\u53e6\u4e00\u6ce2\u6f5b\u5728\u91cd\u5927\u653b\u64ca\u6d6a\u6f6e\u7684\u4e2d\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"812\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/12\/image-14-1024x812.png\" alt=\"\" class=\"wp-image-2317\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/12\/image-14-1024x812.png 1024w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/12\/image-14-300x238.png 300w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/12\/image-14-768x609.png 768w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/12\/image-14.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">CrowdStrike \u5c07 ProxyNotShell \u6f0f\u6d1e\u5229\u7528\u93c8\u8207\u5b83\u767c\u73fe\u7684PLAY\u99ed\u5ba2\u5718\u9ad4\u4f7f\u7528\u7684\u65b0\u6f0f\u6d1e\u5229\u7528\u65b9\u6cd5\u9032\u884c\u4e86\u6bd4\u8f03<\/figcaption><\/figure>\n\n\n\n<p>CrowdStrike\u5728\u5468\u4e8c\u7684Blog\u6587\u7ae0\u4e2d\u8a73\u7d30\u4ecb\u7d39\u4e86\u4f01\u696d\u5c07\u9762\u81e8\u7684\u65b0\u98a8\u96aa\uff0c\u4e26\u6307\u51faPLAY\u52d2\u7d22\u8edf\u9ad4\u80cc\u5f8c\u7684\u99ed\u5ba2\u5718\u9ad4\u5982\u4f55\u5229\u7528 CVE-2022-41080 \u548c ProxyNotShell \u6f0f\u6d1e\u4e4b\u4e00CVE-2022-41082\uff0c\u6feb\u7528\u7db2\u9801\u7248\u90f5\u4ef6\u7ba1\u7406\u4ecb\u9762(Outlook Web Access -OWA) \u5be6\u73fe\u9060\u7aef\u57f7\u884c\u4efb\u610f\u7a0b\u5f0f\u78bc\uff0cCrowdStrike \u5c07\u6b64\u6f0f\u6d1e\u5229\u7528\u65b9\u6cd5\u7a31\u70ba\u201cOWASSRF\u201d\uff0c\u6839\u64da CrowdStrike \u6700\u8fd1\u5c0d\u6578\u500b PLAY\u52d2\u7d22\u8edf\u9ad4\u5165\u4fb5\u7684\u8abf\u67e5\uff0c\u5176\u4e2d\u5171\u540c\u7684\u5165\u53e3\u5411\u91cf\u88ab\u78ba\u8a8d\u70ba Microsoft Exchange\u4f3a\u670d\u5668\u4e0a\u3002\u99ed\u5ba2\u901a\u904e\u9019\u7a2e\u65b0\u7684\u624b\u6cd5OWASSRF\u9032\u884c\u521d\u671f\u5b58\u53d6\u5f8c\uff0c\u99ed\u5ba2\u4fbf\u5229\u7528\u5408\u6cd5\u7684\u9060\u7aef\u5b58\u53d6\u5de5\u5177Plink \u548c AnyDesk \u53ef\u57f7\u884c\u6a94\u6848\u4f86\u7dad\u6301\u5b58\u53d6\uff0c\u4e26\u5728Exchange\u4f3a\u670d\u5668\u4e0a\u57f7\u884c\u53cd\u53d6\u8b49\u6280\u8853\u4ee5\u8a66\u5716\u96b1\u85cf\u4ed6\u5011\u7684\u64ca\u884c\u52d5\u3002<\/p>\n\n\n\n<p>Microsoft \u7684\u6f0f\u6d1e\u6307\u5357\u5c07 CVE-2022-41080 \u6b78\u985e\u70baExchange\u4f3a\u670d\u5668\u7279\u6b0a\u63d0\u5347\u6f0f\u6d1e\uff0c\u5c6c\u65bc\u653b\u64ca\u8907\u96dc\u6027\u4f4e\u4e14\u7121\u9700\u8207\u7528\u6236\u4e92\u52d5\u3002\u7531\u65bc CVE-2022-41080 \u8207 CVE-2022-41040 \u5177\u6709\u76f8\u540c\u7684CVSS\u8a55\u7d1a\uff0c\u4e26\u4e14\u88ab Microsoft \u6a19\u8a18\u70ba\u6709\u53ef\u80fd\u88ab\u5229\u7528\uff0c\u56e0\u6b64 CrowdStrike \u8a55\u4f30\u8a72\u65b0\u6280\u8853\u5f88\u53ef\u80fd\u8207\u8a72\u6f0f\u6d1e\u6709\u95dc\u3002<\/p>\n\n\n\n<p>\u96a8\u5f8c\uff0cCrowdStrike \u78ba\u8a8d CVE-2022-41080 \u4e26\u672a\u88ab\u5229\u7528\u4f86\u7372\u5f97\u521d\u671f\u5b58\u53d6\u6b0a\u9650\uff0c\u800c\u662f\u8207 ProxyNotShell \u6f0f\u6d1e\u7d50\u5408\u4ee5\u7e5e\u904e Microsoft \u7684\u7de9\u89e3\u63aa\u65bd\u3002\u65b0\u7684\u5229\u7528\u65b9\u6cd5\u7e5e\u904e\u4e86\u5fae\u8edf\u70ba\u56de\u61c9ProxyNotShell \u800c\u63d0\u4f9b\u7684\u81ea\u52d5\u767c\u73fe\u7aef\u9ede\u7684URL \u91cd\u5beb\u7de9\u89e3\u63aa\u65bd\uff0c\u9019\u662f\u4e00\u7a2e\u65b0\u7a4e\u7684\u3001\u4ee5\u524d\u672a\u8a18\u9304\u7684\u65b9\u5f0f\uff0c\u53ef\u4ee5\u901a\u904eOWA \u524d\u7aef\u7aef\u9ede\u5b58\u53d6PowerShell \u9060\u7aef\u670d\u52d9\uff0c\u800c\u4e0d\u662f\u5229\u7528\u81ea\u52d5\u767c\u73fe\u7aef\u9ede\u3002<\/p>\n\n\n\n<p>\u53e6\u4e00\u5bb6\u8cc7\u5b89\u516c\u53f8Rapid 7\uff0c\u5728\u5468\u4e09\u767c\u5e03\u7684<a href=\"https:\/\/www.rapid7.com\/blog\/post\/2022\/12\/21\/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce\/\" target=\"_blank\" rel=\"noreferrer noopener\">\u4e00\u7bc7\u535a\u5ba2\u6587\u7ae0<\/a>\u4e2d\u8868\u793a\uff0c\u5df2\u7d93\u89c0\u5bdf\u5230\u901a\u904e\u4e0a\u8ff0OWASSRF\u6f0f\u6d1e\u5229\u7528\u93c8\u7372\u5f97\u9060\u7aef\u57f7\u884cExchange\u4f3a\u670d\u5668\u7684\u5165\u4fb5\u6578\u91cf\u6709\u6240\u589e\u52a0\uff0c Rapid7 \u6566\u4fc3\u7528\u6236\u7acb\u5373\u5b89\u88dd\u6700\u65b0\u7684 Exchange \u66f4\u65b0\uff0c\u4e26\u8b66\u544a\u4ed6\u5011\u4e0d\u8981\u4f9d\u8cf4 Microsoft \u91cd\u5beb\u7de9\u89e3\u63aa\u65bd\uff0c\u50c5\u4f7f\u7528 Microsoft \u7de9\u89e3\u63aa\u65bd\u7684\u4f3a\u670d\u5668\u78ba\u5be6\u5bb9\u6613\u53d7\u5230\u653b\u64ca\uff0c\u4e26\u6307\u51fa\u5df2\u4fee\u88dc\u7684\u4f3a\u670d\u5668\u4e0d\u5bb9\u6613\u53d7\u5230\u653b\u64ca\u3002\u6b64\u5916\uff0c\u5728\u6e2c\u8a66\u5df2\u4fee\u88dc\u548c\u672a\u4fee\u88dc\u7684\u7cfb\u7d71\u5f8c\uff0cCrowdStrike \u6566\u4fc3\u7d44\u7e54\u61c9\u70ba Exchange \u7cfb\u7d71\u5b89\u88dd\u540d\u70ba <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-november-2022-exchange-server-security-updates\/ba-p\/3669045\">KB5019758<\/a> \u7684\u4fee\u88dc\u7a0b\u5f0f\uff0c\u4ee5\u9632\u6b62\u88ab\u5229\u7528\u3002\u5982\u679c\u7d44\u7e54\u7121\u6cd5\u7acb\u5373\u4fee\u88dc\uff0c\u5efa\u8b70\u5b8c\u5168\u7981\u7528\u7db2\u9801\u7248\u90f5\u4ef6\u7ba1\u7406\u4ecb\u9762(OWA)\u3002<\/p>\n\n\n\n<p>\u00a0&#8220;\u8f49\u8cbc\u3001\u5206\u4eab\u6216\u5f15\u7528\u6587\u7ae0\u5167\u5bb9\uff0c\u8acb\u8a3b\u660e\u51fa\u8655\u70ba\u7ae3\u76df\u79d1\u6280\u00a0<a href=\"https:\/\/www.billows.com.tw\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.billows.com.tw<\/a>\u00a0, \u4ee5\u514d\u89f8\u6cd5&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u6839\u64da CrowdStrike \u7684\u6700\u65b0\u7814\u7a76\uff0cPLAY\u52d2\u7d22\u8edf\u9ad4\u6b63\u5728\u4f7f\u7528\u4e00\u7a2e\u65b0\u7684\u5229\u7528\u65b9\u6cd5\u4f86\u7e5e\u904e Microsoft  <a class=\"read-more\" href=\"https:\/\/blog.billows.com.tw\/?p=2316\">READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[234],"class_list":["post-2316","post","type-post","status-publish","format-standard","hentry","category-6","tag-play"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2316","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2316"}],"version-history":[{"count":2,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2316\/revisions"}],"predecessor-version":[{"id":2378,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/2316\/revisions\/2378"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}