Microsoft Exchange - Remote Code Execution (ProxyLogon - CVE-2021-26855, CVE-2021-27065) (CVE-2021-26855, CVE-2021-27065)

Microsoft Exchange is vulnerable to a Server Side Request Forgery attack, affecting the Proxylogon endpoint, that can be used by an unauthenticated malicious attacker to bypass the authentication and impersonating as the admin. The root cause of this vulnerability is that the requests made to the Exchange backend are performed on behalf of the Exchange service, thus they are authenticated and contain access tokens. This allows an unauthenticated malicious attacker to perform authenticated crafted requests to the Exchange backend with administrative privileges. Correlated with CVE-2021-27065, which is a post-authentication arbitrary file write vulnerability, the attacker can write a file to any path on the server. Therefore, it can lead to an unauthenticated Remote Code Execution on the Exchange server, an attack chain that was named ProxyLogon.

The risk exists that a remote unauthenticated attacker can fully compromise the Exchange server in order to steal confidential information, install ransomware or pivot to the internal network.

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Applying the latest Microsoft patch for the Exchange Server should fix this vulnerability. Furthermore, if the server was exposed to the Internet, there is a high probability that it has alredy been compromised by malicious actors. An analysis by looking for indicators of compromise must be done.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/