New attack against Microsoft Exchange servers
In recent weeks, new vulnerabilities affecting Microsoft Exchange servers have been identified. Chaining three distinct vulnerabilities lets an attacker bypass authentication and execute arbitrary code (Remote Code Execution) on the target system with elevated privileges.
Vulnerabilities Involved
The chaining of three distinct vulnerabilities makes up the attack chain designated ProxyShell (the CVEs below are those of ProxyShell; ProxyLogon is the earlier, separate Exchange chain of CVE-2021-26855 and CVE-2021-27065 disclosed in March 2021):
- CVE-2021-34473 – Pre-auth path confusion in the Client Access (front-end) service leading to ACL bypass
- CVE-2021-34523 – Elevation of privilege on the Exchange PowerShell backend
- CVE-2021-31207 – Post-auth arbitrary file write leading to code execution (RCE)
By chaining the listed vulnerabilities, an attacker can write a webshell into a web-served directory of the Exchange server and execute commands through it with elevated privileges.
Cyber attacks exploiting this vulnerability chain have already been observed in the wild.
The attack is possible because the Exchange front-end (Client Access) components that proxy HTTP requests to the backend do not properly validate the URL of Autodiscover explicit-logon requests. By supplying an arbitrary email address in the URL (the @foo.com part of the request shown below), an unauthenticated attacker can reach backend endpoints such as /mapi/nspi and the PowerShell remoting endpoint, bypassing authentication. Once the backend PowerShell endpoint is reached (CVE-2021-34523 lets the attacker act as a privileged user there), the cmdlet New-MailboxExportRequest is abused to export a mailbox containing the attacker's payload to an arbitrary path, for example the web-served c:\inetpub\wwwroot\aspnet_client\ directory. Exporting a webshell into such a directory yields remote code execution with elevated privileges. Organizations operating Exchange infrastructure should apply the April and May 2021 Exchange security updates, which address all three CVEs, and monitor IIS logs for the anomalous HTTP pattern and web-served directories for unexpected file writes; a Managed Detection and Response service can provide this monitoring where in-house capability is lacking.
Indicators of Compromise
Multiple research groups have observed attacks that begin with the request https://Exchange-server/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com (the domain foo.com is arbitrary; hunt for the autodiscover.json?@ form and the Email=autodiscover/autodiscover.json parameter rather than the literal domain). Following webshell upload, two executables have been observed:
- C:\Windows\System32\createhidetask.exe
- C:\Windows\System32\ApplicationUpdate.exe
In cases where these executables were not deployed, a randomly-named file with .aspx extension has been found in the C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ directory.
URLs
- https://Exchange-server/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com
Files
- C:\Windows\System32\createhidetask.exe
- C:\Windows\System32\ApplicationUpdate.exe
- Randomly-named file with ASPX extension in C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
IP Addresses
- 3.15.221.32
- 194.147.142.0/24
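As an added hunting example written for this page (it is not part of the advisory or of any Microsoft tooling), the following Python script applies the indicators above and the HTTP-pattern monitoring recommended in the description: it parses W3C IIS front-end logs and flags requests that match the Autodiscover path-confusion pattern or originate from the listed networks, checks for the two executables, and lists recently modified .aspx files in the owa\auth directory. The W3C field layout is the IIS default and is assumed here; the sample log lines are constructed. Run it against the live logs under %SystemDrive%\inetpub\logs\LogFiles on the Exchange server, or against an exported copy.

```python
# Added hunting example written for this page; it is not part of the advisory
# or of any Microsoft/vendor tooling. The IoCs are those listed above; the W3C
# log layout and the sample log lines are assumptions/constructed for the demo.
import ipaddress
import re
import time
from pathlib import Path

# Indicators taken from the advisory.
IOC_FILES = [
    r"C:\Windows\System32\createhidetask.exe",
    r"C:\Windows\System32\ApplicationUpdate.exe",
]
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("3.15.221.32/32", "194.147.142.0/24")]
OWA_AUTH_DIR = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth"

# Request shape from the advisory: /autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=...
# The "@domain" explicit-logon token right after the first "?" and the
# Email=autodiscover/autodiscover.json parameter are the reusable parts; the
# domain and the backend path after it vary, so do not match on "foo.com".
PROBE_RE = re.compile(r"/autodiscover/autodiscover\.json\?[^/]*@[^/]*/", re.IGNORECASE)
EMAIL_RE = re.compile(r"email=autodiscover/autodiscover\.json", re.IGNORECASE)


def is_probe_url(url):
    """True when a request URL (stem plus query string) matches the Autodiscover pattern."""
    return bool(PROBE_RE.search(url) or EMAIL_RE.search(url))


def ip_is_ioc(ip):
    """True when the client address falls inside one of the advisory's IP indicators."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def parse_iis_log(lines):
    """Yield one dict per W3C log entry, naming the columns from the #Fields: header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def hunt_log(lines):
    """Return one finding per entry matching the URL pattern or a known-bad source IP."""
    findings = []
    for entry in parse_iis_log(lines):
        query = entry.get("cs-uri-query", "-")
        url = entry.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        reasons = []
        if is_probe_url(url):
            reasons.append("autodiscover-path-confusion")
        if ip_is_ioc(entry.get("c-ip", "")):
            reasons.append("known-bad-ip")
        if reasons:
            findings.append({"time": entry.get("date", "") + " " + entry.get("time", ""),
                             "c-ip": entry.get("c-ip"), "url": url, "reasons": reasons})
    return findings


def check_file_iocs(root=None):
    """Return the file indicators that exist. `root` points at an offline copy of the
    C: volume (a mounted image, for instance); None checks the live host."""
    hits = []
    for path in IOC_FILES:
        candidate = Path(path) if root is None else Path(root, *path[3:].split("\\"))
        if candidate.is_file():
            hits.append(path)
    return hits


def recent_aspx(directory, newer_than_epoch):
    """Names of .aspx files in `directory` modified after `newer_than_epoch`. The legitimate
    files in owa\\auth carry install/update timestamps, so a fresh mtime is the first
    thing to check when hunting for the randomly named .aspx the advisory describes."""
    return sorted(p.name for p in Path(directory).glob("*.aspx")
                  if p.stat().st_mtime > newer_than_epoch)


# Constructed sample: one benign OWA request and one probe from a listed network.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-10 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.77 Mozilla/5.0 - 200 0 0 31
2021-08-10 09:12:44 10.0.0.5 GET /autodiscover/autodiscover.json @foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com 443 - 194.147.142.10 python-requests/2.25.1 - 200 0 0 120
""".splitlines()

if __name__ == "__main__":
    for finding in hunt_log(SAMPLE_LOG):
        print(finding)
    print("file IoCs present:", check_file_iocs())
    if Path(OWA_AUTH_DIR).is_dir():  # only meaningful on the Exchange server itself
        print("aspx modified in the last 30 days:",
              recent_aspx(OWA_AUTH_DIR, time.time() - 30 * 86400))
```

Two caveats when using this: the IP indicators are a snapshot and attackers rotate infrastructure, so the URL pattern is the more durable signal; and installing an Exchange Cumulative or Security Update also refreshes the timestamps of the legitimate files in owa\auth, so compare any recent .aspx hits against the patch dates before treating them as a webshell.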