1, 2, 3 Owned: New Microsoft Exchange Vulnerabilities

Chained vulnerabilities lead to remote command execution

Authors: Mark Ellzey, Greg Gaylor 

What is the Issue?

The ProxyLogon vulnerabilities, publicly disclosed in March and discussed in our blog post Microsoft Exchange 0-day Vulnerabilities, have since been patched, but a similar Microsoft Exchange attack has been discovered. DEVCORE Researcher “Orange Tsai” published their findings of a new vulnerability that combines multiple exploits; it’s code-named “ProxyShell.”

At the time of writing (August, 2021), Censys identified over 175,300 hosts which ran the Exchange SMTP service. Of those hosts, approximately 135,000 hosts ran some form of Microsoft Internet Information Server alongside SMTPD. We differentiate these two since the full attack requires both services for successful exploitation, but it should be noted that these services can live on separate hosts.

The ProxyShell attack consists of three separate vulnerabilities chained together to achieve remote code execution, giving attackers the ability to establish a persistent foothold into your Exchange environment. Below is a basic analysis of the attack-chain itself:

Phase One: CVE-2021-34473

Similar to the SSRF found in March, the first vulnerability, CVE-2021-34473, exploits a feature in Exchange that generates a clean and normalized URL for a user’s mailbox to render as a single link for use in backend calls. By targeting specific handlers, a user can trick the server into removing specific URL sections to connect to arbitrary backend services.

Phase Two: CVE-2021-34523

The next phase of the attack chain is CVE-2021-34523, which exploits logic in a subsystem of Exchange called “Exchange PowerShell Service.” This feature enables users to send and receive emails on the command line but does not properly validate that the user has authenticated on the frontend. By setting a particular request parameter (“X-Rps-CAT”), an attacker can trick the server into running an arbitrary command as another user.

Phase Three: CVE-2021-31207

The third and final vulnerability discussed in CVE-2021-31207 uses the access from the previous attacks to run the command “New-MailboxExportRequest” to export a user’s mailbox to a specified path. By encoding an email attachment,like a remote-shell, in “Outlook Personal Folder” format, the MailboxExportRequest command will deserialize the data and write the actual contents to disk in its original form. Once decoded and written, an attacker can use the same vulnerability to execute the exported code.

Why does it matter?

Researchers at Duo have confirmed that attackers are actively scanning for and using the attack to install ransomware like “LemonDuck” and other malicious software. Duo also discovered that attackers modified Exchange server configuration files to hide web-based shells in hidden locations.

On August 20, Symantec reported a new ransomware family in their article on “LockFile“; At the time of writing, the exploitation vector was unknown, and as of August 23, the attacks have been linked to the ProxyShell exploit chain described here.

A few days later, on August 23, Duo Security stated the following in their post titled “ProxyShell Attacks Escalate,”Huntress Labs, which works with managed service providers, said it has visibility into more than 1,700 vulnerable servers and has seen about 300 of them compromised in the last few days.”

As time goes on, this number is almost guaranteed to go up.

What do I do about it?

While the CVE was not made public until July, Microsoft silently addressed the vulnerability in the April 2021 update. If you have not applied any patches since the March update, you are most likely vulnerable to this exploit.

• Upgrade Services Immediately by following the instructions here.
• For Censys ASM customers, use the Host Inventory page to quickly identify any running Microsoft Exchange servers running in your environment.
• Use Kevin Beaumont’s NMAP script which can augment a port-scan with information on whether a host is vulnerable to the first pre-auth attack.
  • Navigate to the NMAP directory containing user-defined scripts.
    • Mac: /usr/local/Cellar/nmap/<version>/share/nmap/scripts
    • Linux: /usr/share/nmap/scripts
  • Download the NMAP script to the directory.
  • Run “nmap -p [PORTS]–script http-vuln-exchange-proxyshell [IP/host]”
  • Vulnerable hosts will have a message like the following: ** Vulnerable to ProxyShell SSRF **

Additional information for Hunters, Defenders, and Intelligence Teams

With Censys Search 2.0 we scan the entire IPV4 address range for over 3,500 ports and services. What makes Censys Search 2.0 data special is we have the freshest data available of services running on various non-standard ports. This helps us find non-standard port/service configurations at scale. Microsoft Exchange Server set up on a non-standard HTTP port? No problem, we have you covered.

Example Censys Search Pivots:

Search String	Description
Exchange SMTP Servers	same_service(services.software.uniform_resource_identifier=`cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*` AND service.service_name=`SMTP`)
Exchange Servers with SMTP and IIS	same_service(services.software.uniform_resource_identifier=`cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*` AND service.service_name=`SMTP`) AND services.software.uniform_resource_identifier: `cpe:2.3:a:microsoft:internet_information_services:*:*:*:*:*:*:*:*`
Exchange Servers for only domains matching “example.com”	services.software.uniform_resource_identifier: `cpe:2.3:a:microsoft:exchange_server:*:*:*:*:*:*:*:*` AND “example.com”
HTTP Servers with Outlook-like Responses	services.http.response.html_tags: “<title>Outlook</title>”

Where to find server version info in Censys data response body:

References:

• CVE-2021-34473: “Pre-auth Path Confusion leads to ACL Bypass”
• CVE-2021-34523: “Elevation of Privilege on Exchange PowerShell Backend”

• CVE-2021-31207: “Post-auth Arbitrary-File leads to RCE”
• A New Attack Surface on Microsoft Exchange
• ProxyShell Attacks