
Microsoft Exchange - Remote Code Execution (ProxyLogon - CVE-2021-26855, CVE-2021-27065)

Severity
CVSSv3 Score
9.8
Vulnerability description

Microsoft Exchange is vulnerable to a Server Side Request Forgery (SSRF) attack affecting the ProxyLogon endpoint, which an unauthenticated malicious attacker can use to bypass authentication and impersonate the admin. The root cause of this vulnerability is that requests made to the Exchange backend are performed on behalf of the Exchange service, so they are already authenticated and carry access tokens. This allows an unauthenticated malicious attacker to send crafted, authenticated requests to the Exchange backend with administrative privileges. Chained with CVE-2021-27065, a post-authentication arbitrary file write vulnerability, the attacker can write a file to any path on the server. Together, the two flaws lead to unauthenticated Remote Code Execution on the Exchange server, an attack chain that was named ProxyLogon.

Risk description

The risk is that a remote unauthenticated attacker can fully compromise the Exchange server in order to steal confidential information, install ransomware or pivot to the internal network.

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Recommendation

Applying the latest Microsoft patch for Exchange Server should fix this vulnerability. Furthermore, if the server was exposed to the Internet, there is a high probability that it has already been compromised by malicious actors, so an analysis looking for indicators of compromise must be performed.

Codename
ProxyLogon
Detectable with
Network Scanner
Exploitable with Sniper
Yes
Vuln date
Mar 2021
Software Type
Email server
Vendor
Microsoft
Product
Exchange Server