There’s an entirely new attack surface in Exchange, a researcher revealed at Black Hat in Las Vegas, and threat actors are now exploiting servers vulnerable to the RCE bugs.
Researchers’ Microsoft Exchange server honeypots are being actively exploited via ProxyShell, the name of an attack disclosed at Black Hat last week that chains three vulnerabilities to let unauthenticated attackers achieve remote code execution (RCE) & snag plaintext passwords.
400,000 Exchange Servers
In his Black Hat presentation last week, Devcore Principal Security Researcher Orange Tsai said that his team’s survey found more than 400,000 Exchange servers on the internet exposed to the attack via port 443.
On Mon., the SANS Internet Storm Center’s Jan Kopriva reported that he found more than 30,000 vulnerable Exchange servers via a Shodan scan, & that any threat actor worthy of the name would find the attack a snap to pull off, given how much information is available.
Vulnerable to Exploitation
Based on calculations tweeted by security researcher Kevin Beaumont, this means that, between ProxyLogon & ProxyShell, “just under 50% of internet-facing Exchange servers” are currently vulnerable to exploitation, according to a Shodan search.
On the plus side, Microsoft has already released patches for all of the vulnerabilities in question, & with luck, “chances are that most organisations that take security at least somewhat seriously have already applied the patches,” Kopriva wrote.
The vulnerabilities affect Exchange Server 2013, 2016 & 2019.
Wild Exploit
On Thur., Beaumont & NCC Group vulnerability researcher Rich Warren disclosed that threat actors had exploited their Microsoft Exchange honeypots using the ProxyShell vulnerability.
“Started to see in-the-wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,” Warren tweeted, along with a screen capture of the code for a C# ASPX web shell dropped in the /aspnet_client/ directory.
Beaumont tweeted that he was seeing the same & connected it to Tsai’s talk: “Exchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from @orange_8361’s initial talk.”
New Attack Surface
In a post on Sun., Tsai recounted the in-the-wild ProxyLogon proof of concept that Devcore reported to MSRC in late Feb., explaining that it left the researchers “as curious as everyone after eliminating the possibility of leakage from our side through a thorough investigation.
“With a clearer timeline appearing & more discussion occurring, it seems like this is not the first time that something like this happened to Microsoft,” he continued. A mail server is both a highly valuable asset & a seemingly irresistible target for attackers, given that it holds a business’s confidential secrets & corporate data.
Severe Vulnerability
“In other words, controlling a mail server means controlling the lifeline of a company,” Tsai explained. “As the most common-use email solution, Exchange Server has been the top target for hackers for a long time.
Based on our research, there are more than 400,000 Exchange Servers exposed on the Internet. Each server represents a company, & you can imagine how horrible it is while a severe vulnerability appeared in Exchange Server.”
During his Black Hat presentation, Tsai explained that the new attack surface his team discovered is based on “a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend & backend” – a change that incurred “quite an amount of design” & yielded eight vulnerabilities, consisting of server-side bugs, client-side bugs & crypto bugs.
ProxyOracle
He grouped the bugs into three attack vectors: the now-infamous ProxyLogon, which set off a patching frenzy a few months ago; the ProxyShell vector that’s now under active attack; & a third called ProxyOracle.
“These attack vectors enable any unauthenticated attacker to uncover plaintext passwords & even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by about 400,000 Exchange Servers,” according to the presentation’s introduction.
Patched
The three Exchange vulnerabilities, all of which are now patched, that Tsai chained for the ProxyShell attack:
- CVE-2021-34473 – Pre-auth path confusion leads to ACL bypass
- CVE-2021-34523 – Elevation of privilege on Exchange PowerShell backend
- CVE-2021-31207 – Post-auth arbitrary file-write leads to RCE
ProxyShell earned the Devcore team a $200,000 bounty after they used the bugs to take over an Exchange server at the Pwn2Own 2021 contest in April.
During his Black Hat talk, Tsai explained that he discovered the Exchange vulnerabilities while targeting the Microsoft Exchange CAS attack surface; CAS, he said, is “a fundamental component” of Exchange.
Client Access Services
He referred to Microsoft’s documentation, which states:
“Mailbox servers contain the Client Access services that accept client connections for all protocols. These frontend services are responsible for routing or proxying connections to the corresponding backend services on a Mailbox server.”
“From the narrative you could realise the importance of CAS, & you could imagine how critical it is when bugs are found in such infrastructure. CAS was where we focused on, & where the attack surface appeared,” Tsai wrote. “CAS is the fundamental component in charge of accepting all the connections from the client side, no matter if it’s HTTP, POP3, IMAP or SMTP, & proxies the connections to the corresponding backend service.”
ProxyShell is Just the ‘Tip of the Iceberg’
Out of all the bugs he found in the new attack surface, Tsai dubbed CVE-2020-0688 (an RCE vulnerability that involved a hard-coded cryptographic key in Exchange) the “most surprising.”
“With this hard-coded key, an attacker with low privilege can take over the whole Exchange Server,” he wrote. “And as you can see, even in 2020, a silly, hard-coded cryptographic key could still be found in an essential software like Exchange. This indicated that Exchange is lacking security reviews, which also inspired me to dig more into the Exchange security.”
NTLM Relay
The “most interesting” flaw is CVE-2018-8581, he said, which was disclosed by someone who worked with ZDI. Though it’s a “simple” server-side request forgery (SSRF), it could be combined with NTLM relay, enabling an attacker to “turn a boring SSRF into something really fancy,” Tsai explained.
For example, it could “directly control the whole Domain Controller through a low-privilege account,” Tsai outlined.
Autodiscover Figures into Proxy Shell
As Bleeping Computer reported, Tsai explained during his presentation that one component of the ProxyShell attack chain targets the Microsoft Exchange Autodiscover service, which eases configuration & deployment by giving clients access to Exchange features with minimal user input.
Tsai’s talk evidently triggered a wave of scanning for the vulnerabilities by attackers.
After watching the presentation, other security researchers replicated the ProxyShell exploit. The day after Tsai’s presentation, last Fri., PeterJson & Nguyen Jang published a more detailed technical write-up of their successful reproduction of the exploit.
Minimum File Size
Afterward, Beaumont tweeted about a threat actor probing his Exchange honeypot via the Autodiscover service. As of yesterday, Aug. 12, those servers were being targeted using autodiscover.json, he tweeted.
As of Thur., ProxyShell was dropping a 265K web shell – the minimum file size that can be created via ProxyShell, because it uses the Mailbox Export function of Exchange PowerShell to create PST files – into the ‘c:\inetpub\wwwroot\aspnet_client\’ folder.
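A defender-side triage script for the drop location and file size described above, added here as an example; it is not code from the article or from any of the researchers it quotes. The 265 * 1024-byte threshold, the sample file names and the placeholder file contents are assumptions made for illustration.

```python
"""Added example, not the article's code: triage the Exchange aspnet_client
folder for ProxyShell-style web shell drops (.aspx files of 265 KB or more)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Assumption: the article gives 265K as the minimum size the Mailbox Export
# path can produce; 265 * 1024 bytes is used as the threshold here.
PROXYSHELL_MIN_SIZE = 265 * 1024
DEFAULT_ROOT = r"c:\inetpub\wwwroot\aspnet_client"  # folder named in the article

@dataclass
class Finding:
    path: str
    size: int
    sha256: str
    pst_sized: bool  # size consistent with a PST-backed ProxyShell drop

def hunt_aspnet_client(root: str = DEFAULT_ROOT) -> list:
    """Report every .aspx file under root with size and SHA-256. aspnet_client
    normally holds only ASP.NET's static client-side scripts, so any .aspx
    there merits review; threshold-sized ones match the drops described."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            full = os.path.join(dirpath, name)
            size = os.path.getsize(full)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            findings.append(Finding(full, size, digest.hexdigest(),
                                    size >= PROXYSHELL_MIN_SIZE))
    return findings

def build_sample_tree() -> str:
    """Constructed offline sample: a legitimate-looking client script plus a
    randomly named, threshold-sized .aspx of placeholder bytes (no shell code)."""
    root = tempfile.mkdtemp(prefix="aspnet_client_")
    os.makedirs(os.path.join(root, "system_web"))
    with open(os.path.join(root, "system_web", "WebUIValidation.js"), "wb") as fh:
        fh.write(b"// constructed placeholder\n")
    with open(os.path.join(root, "xk3q9z.aspx"), "wb") as fh:
        fh.write(b"\x00" * PROXYSHELL_MIN_SIZE)
    with open(os.path.join(root, "small.aspx"), "wb") as fh:
        fh.write(b"<%@ Page %>")  # far below threshold: flagged for review only
    return root
```

Run `hunt_aspnet_client()` on a real server to walk the folder from the article, or `hunt_aspnet_client(build_sample_tree())` to see the output on the constructed sample.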
Authentication-Protected
Warren shared a sample with Bleeping Computer showing that the web shells consist of “a simple authentication-protected script that the threat actors can use to upload files to the compromised Microsoft Exchange server.”
Bad Packets told the outlet that as of Thur., it was seeing threat actors scanning for vulnerable ProxyShell devices from IP addresses in the US, Iran & the Netherlands, using the domains @abc.com & @1337.com, from the known addresses 3.15.221.32 and 194.147.142.0/24.