ProxyShell exploits are used to hack Microsoft Exchange servers


ProxyShell is the name of an attack that uses three chained Microsoft Exchange vulnerabilities to perform unauthenticated, remote code execution.

Threat actors are actively exploiting Microsoft Exchange servers using the ProxyShell vulnerability to install backdoors for later access.

Highlights

The three vulnerabilities, listed below, were discovered by Devcore Principal Security Researcher Orange Tsai, who chained them together to take over a Microsoft Exchange server in April’s Pwn2Own 2021 hacking contest.

  • CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
  • CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
  • CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

Last week, Orange Tsai gave a Black Hat talk about recent Microsoft Exchange vulnerabilities he discovered when targeting the Microsoft Exchange Client Access Service (CAS) attack surface.

After watching the talk, security researchers PeterJson and Nguyen Jang published more detailed technical information about successfully reproducing the ProxyShell exploit.

As part of the talk, Tsai revealed that the ProxyShell exploit uses Microsoft Exchange’s AutoDiscover feature to perform an SSRF attack.

Soon after, security researcher Kevin Beaumont began seeing threat actors scan for Microsoft Exchange servers vulnerable to ProxyShell.

ProxyShell actively exploited to drop webshells

Today, Beaumont and NCC Group’s vulnerability researcher Rich Warren disclosed that threat actors have exploited their Microsoft Exchange honeypots using the ProxyShell vulnerability.

When exploiting Microsoft Exchange, the attackers are using an initial URL like: https://Exchange-server/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com
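
A detection sketch for the request shape quoted above, added here as an example (not code from the article or from the researchers it cites): it scans IIS W3C logs for autodiscover.json requests whose Email parameter is itself an autodiscover.json path, including percent-encoded variants. The log lines, IP addresses and field layout are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-08-12 09:14:02 GET /autodiscover/autodiscover.json @foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com 198.51.100.7 200
2021-08-12 09:14:05 POST /autodiscover/autodiscover.xml - 192.0.2.10 200
2021-08-12 09:15:40 GET /autodiscover/autodiscover.json Email=user@example.com&Protocol=ActiveSync 192.0.2.11 200
2021-08-12 09:16:11 POST /Autodiscover/Autodiscover.json %40foo.com/mapi/nspi/%3F&Email=autodiscover/autodiscover.json%253F%40foo.com 198.51.100.7 302
"""

# An Email value that is an autodiscover.json path rather than an address.
EMAIL_IS_PATH = re.compile(r"(?:^|&)email=/?autodiscover/autodiscover\.json", re.I)
# Path that follows the leading "@domain" in the query, e.g. /mapi/nspi/.
EMBEDDED_PATH = re.compile(r"^@[^/?&]+(/[^?&]*)")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded queries compare equal."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious(log_text):
    """Return one dict per request that matches the URL shape quoted above."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = fully_decode(row.get("cs-uri-query", ""))
        if row.get("cs-uri-stem", "").lower() != "/autodiscover/autodiscover.json":
            continue
        if not EMAIL_IS_PATH.search(query):
            continue  # ordinary Autodiscover lookup
        embedded = EMBEDDED_PATH.match(query)
        hits.append({"time": f'{row["date"]} {row["time"]}', "client": row["c-ip"],
                     "status": row["sc-status"],
                     "embedded_path": embedded.group(1) if embedded else None})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Because the column order is read from the #Fields header, the same function works on logs that record more fields than this sample.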
