
Microsoft Exchange - Remote Code Execution (ProxyShell - CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

Severity
CVSSv3 Score
9.8
Vulnerability description

Microsoft Exchange is vulnerable to CVE-2021-34473, a pre-authentication path confusion that leads to an ACL bypass in the Autodiscover endpoint used by the Exchange Client Access Service (CAS). The root cause is a feature called "Explicit Logon": because the URL is not sufficiently validated, an unauthenticated request can reach the backend services with administrative privileges. Chained with CVE-2021-34523 (elevation of privilege on the Exchange PowerShell backend) and CVE-2021-31207 (post-authentication arbitrary file write), this lets the attacker write a file to any path on the server, which results in unauthenticated Remote Code Execution on the Exchange server. This attack chain was named ProxyShell.

Risk description

A remote, unauthenticated attacker can fully compromise the Exchange server and use it to steal confidential information, install ransomware or pivot into the internal network.

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Recommendation

Applying the latest Microsoft patch for Exchange Server fixes this vulnerability. Furthermore, if the server was exposed to the Internet, there is a high probability that it has already been compromised by malicious actors, so an analysis looking for indicators of compromise must be performed.
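As an added example (not part of the Pentest-Tools.com page, nor code from Sniper or Microsoft), the following Python script performs the indicator-of-compromise review the recommendation calls for, over IIS front-end log lines, and ties back to the vulnerability description above: it flags Autodiscover requests whose query string carries the Explicit Logon form (an "@"-prefixed mailbox address followed by a backend path), which is the URL shape the path confusion relies on. The sample log lines, the placeholder domain, the field order and the list of backend virtual directories are constructed assumptions; point the script at a real front-end IIS log and review every hit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample IIS W3C log excerpt (not real traffic, not from the page).
# The field order mirrors a typical Exchange front-end IIS log header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-10 09:12:01 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 DOMAIN\\alice 10.0.0.21 Outlook 200
2021-08-10 09:12:07 10.0.0.5 GET /autodiscover/autodiscover.json @placeholder.example/mapi/nspi/ 443 - 203.0.113.7 python-requests 200
2021-08-10 09:12:09 10.0.0.5 POST /autodiscover/autodiscover.json @placeholder.example/powershell/ 443 - 203.0.113.7 python-requests 200
2021-08-10 09:12:15 10.0.0.5 GET /autodiscover/autodiscover.json %40placeholder.example/ews/exchange.asmx 443 - 203.0.113.7 python-requests 200
2021-08-10 09:13:40 10.0.0.5 GET /owa/ - 443 DOMAIN\\bob 10.0.0.44 Mozilla 200
"""

# Autodiscover endpoints served by the CAS front end.
AUTODISCOVER_STEM = re.compile(r"^/autodiscover/autodiscover\.(?:json|xml)$", re.IGNORECASE)
# Backend virtual directories a confused Autodiscover request could be proxied to (assumed list).
BACKEND_PATHS = ("/powershell", "/mapi", "/ews", "/ecp")


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    method: str
    query: str
    backend: Optional[str]
    authenticated: bool


def parse_w3c_line(line: str, fields: List[str]) -> Optional[dict]:
    """Split one W3C log line into a field->value dict; skip comments and malformed rows."""
    if not line or line.startswith("#") or not fields:
        return None
    parts = line.split(" ")
    if len(parts) != len(fields):
        return None
    return dict(zip(fields, parts))


def find_backend(query: str) -> Optional[str]:
    """Return the backend virtual directory named in the query, if any."""
    lowered = query.lower()
    for backend in BACKEND_PATHS:
        if backend + "/" in lowered or lowered.endswith(backend):
            return backend
    return None


def inspect_entry(entry: dict) -> Optional[Finding]:
    """Flag an Autodiscover request whose query uses the Explicit Logon form."""
    stem = entry["cs-uri-stem"]
    # Decode percent-encoding so "%40" is treated the same as a literal "@".
    query = unquote(entry["cs-uri-query"])
    if not AUTODISCOVER_STEM.match(stem):
        return None
    # Explicit Logon places a mailbox address directly after the "?"; normal
    # Autodiscover clients do not send that form, so it is the signal to review.
    if not query.startswith("@"):
        return None
    return Finding(
        timestamp=f"{entry['date']} {entry['time']}",
        client_ip=entry["c-ip"],
        method=entry["cs-method"],
        query=query,
        backend=find_backend(query),
        authenticated=entry["cs-username"] != "-",
    )


def scan_log(text: str) -> List[Finding]:
    """Walk a W3C log, picking up the field layout from the #Fields header."""
    fields: List[str] = []
    findings: List[Finding] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split(" ")[1:]
            continue
        entry = parse_w3c_line(raw, fields)
        if entry is None:
            continue
        finding = inspect_entry(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        auth = "authenticated" if f.authenticated else "unauthenticated"
        print(f"{f.timestamp} {f.client_ip} {f.method} backend={f.backend} ({auth}) query={f.query}")
```

Every hit deserves a look, but unauthenticated requests that name the PowerShell or MAPI backend are the ones to treat as likely exploitation attempts; a patched server still logs the request, so a hit is not by itself proof of compromise, and the file-system review for the CVE-2021-31207 write step must follow separately.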

Codename
ProxyShell
Detectable with
Network Scanner
Exploitable with Sniper
Yes
Vuln date
Aug 2021
Published at
Updated at
Software Type
Email server
Vendor
Microsoft
Product
Exchange Server