Microsoft Exchange - Remote Code Execution (ProxyShell - CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
- CVSSv3 Score
- Vulnerability description
Microsoft Exchange is vulnerable to CVE-2021-34473, a pre-authentication path confusion that leads to an ACL bypass in the Autodiscover endpoint used by the Exchange Client Access Service (CAS). The root cause is a feature called "Explicit Logon": because the URL is insufficiently checked, it grants arbitrary access to the backend services with administrative privileges. Chained with CVE-2021-34523 (Elevation of Privilege on the Exchange PowerShell Backend) and CVE-2021-31207 (Post-Authentication Arbitrary File Write), the attacker can write a file to any path on the server. This results in unauthenticated Remote Code Execution on the Exchange server, an attack chain named ProxyShell.
- Risk description
The risk exists that a remote unauthenticated attacker can fully compromise the Exchange server in order to steal confidential information, install ransomware or pivot to the internal network.
- Exploit capabilities
Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.
- Recommendation
Applying the latest Microsoft patch for the Exchange Server should fix this vulnerability. Furthermore, if the server was exposed to the Internet, there is a high probability that it has already been compromised by malicious actors. An analysis looking for indicators of compromise must be done.
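As an added example (not part of the original advisory or the Sniper tool), the following Python script triages IIS W3C logs for the Autodiscover request shape described above: requests to autodiscover.json whose query carries an Explicit Logon mailbox reference, and those that additionally point at the PowerShell backend. The sample log lines and the two regular expressions are constructed assumptions for this illustration, not official indicators.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample IIS log excerpt (not from a real server). The #Fields line
# drives the parser, so real logs with a different field order also work.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip cs(User-Agent)
2021-08-10 09:14:02 GET /owa/ - 200 10.0.0.5 Mozilla/5.0
2021-08-10 09:14:31 GET /autodiscover/autodiscover.json @example.test/autodiscover/autodiscover.xml 200 10.0.0.5 Mozilla/5.0
2021-08-10 09:14:33 POST /autodiscover/autodiscover.json @example.test/powershell 200 203.0.113.7 python-requests/2.25
2021-08-10 09:15:00 GET /ecp/default.aspx - 200 10.0.0.9 Mozilla/5.0
"""

# Detection heuristics (assumptions for this example, derived from the advisory:
# Explicit Logon embeds a mailbox address in the URL, and ProxyShell uses it to
# reach backend services such as the PowerShell endpoint through Autodiscover).
EXPLICIT_LOGON = re.compile(r"@[^/\s]+/", re.IGNORECASE)
BACKEND_POWERSHELL = re.compile(r"/powershell\b", re.IGNORECASE)

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request line."""
    fields: List[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split(" ", len(fields) - 1)
            rows.append(dict(zip(fields, values)))
    return rows

def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client IP, finding) for suspicious Autodiscover requests."""
    findings = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "")
        if not stem.startswith("/autodiscover/autodiscover.json"):
            continue
        when = f'{row.get("date")} {row.get("time")}'
        if BACKEND_POWERSHELL.search(query) and EXPLICIT_LOGON.search(query):
            findings.append((when, row.get("c-ip", "?"), "autodiscover->powershell backend via Explicit Logon"))
        elif EXPLICIT_LOGON.search(query):
            findings.append((when, row.get("c-ip", "?"), "explicit-logon style autodiscover request"))
    return findings
```

Run triage() over the real IIS logs of an Internet-exposed server and review every hit from an unfamiliar client IP; the patterns are heuristics, so confirm them against Microsoft's published guidance before acting on them.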