Description

This PR adds a Nuclei template for detecting CVE-2018-8581, a critical SSRF vulnerability in Microsoft Exchange Server that can lead to privilege escalation through NTLM relay attacks.

/claim #14576

Vulnerability Details

• CVE ID: CVE-2018-8581
• Severity: High (CVSS 8.8)
• Affected Products: Microsoft Exchange Server 2010, 2013, 2016, 2019
• CISA KEV: Yes (actively exploited)
• EPSS Score: 90.83%

Template Features

✅ Two-stage detection:

1. First request: Unauthenticated check for Exchange Server presence
2. Second request: Authenticated SSRF test using EWS PushSubscription

✅ OAST Integration: Uses interactsh for out-of-band detection of SSRF

✅ Comprehensive Matchers:

• Detects Exchange Server via headers (X-OWA-Version, X-ExchangeServer)
• Confirms SSRF by checking for successful subscription response
• Validates interactsh callback

✅ Extractors:

• Exchange version information
• Detailed vulnerability confirmation messages

✅ Proper Metadata:

• CVSS metrics and score
• CWE classification (CWE-918: SSRF)
• EPSS score
• Shodan query
• KEV tag

How It Works

1. Detection Phase: Checks if target is running Exchange Server by accessing /EWS/Exchange.asmx
2. Exploitation Phase: If credentials are provided, sends a SOAP request to create a PushSubscription pointing to interactsh URL
3. Verification: Confirms vulnerability if Exchange server makes an HTTP callback to the interactsh server

Testing

The template requires valid Exchange credentials to fully test the SSRF vulnerability. Without credentials, it will only detect the presence of Exchange Server.

Usage:

# Basic detection (no auth)
nuclei -t http/cves/2018/CVE-2018-8581.yaml -u https://exchange.example.com

# Full SSRF test (with auth)
nuclei -t http/cves/2018/CVE-2018-8581.yaml -u https://exchange.example.com -var username=user@domain.com -var password=P@ssw0rd

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-8581
• https://www.cyber.gc.ca/en/alerts/microsoft-exchange-privilege-escalation
• https://github.com/Ridter/Exchange2domain
• https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Improvements Over Existing Submissions

• Two-stage detection (unauthenticated + authenticated)
• Better error handling with req-condition
• More comprehensive matchers and extractors
• Detailed documentation and references
• Proper CVSS and EPSS scores
• KEV tag included

Checklist

• Template follows Nuclei template guidelines
• Proper YAML formatting
• Includes all required metadata
• Uses OAST for reliable detection
• Includes comprehensive references
• Tagged with appropriate labels (cve, cve2018, microsoft, exchange, ssrf, kev)
• Includes remediation guidance

Bounty Claim

/claim #14576