ProxyNotShell: Zero-Day Vulnerabilities in Microsoft Exchange Server

Summary:

In early August 2022, members of GTSC came across an attack in which Microsoft Exchange was being actively targeted. They were able to verify that the attack leveraged a 0-day vulnerability in Exchange which ultimately led to remote code execution (RCE).

Their initial analysis, together with ZDI (Zero Day Initiative), established that the attack chained two vulnerabilities: an SSRF vulnerability in Exchange (CVE-2022-41040) and an RCE vulnerability in PowerShell (CVE-2022-41082).

Affected Versions:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Vulnerability Details:

The SSRF exploit request string is identical, or very nearly identical, to the request string observed in early 2021 during exploitation of the ProxyShell vulnerability:

“autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com”

In fact, the pairing of an SSRF with an RCE vulnerability mirrors the original ProxyShell, which is why this vulnerability has been dubbed “ProxyNotShell”. Unlike ProxyShell, however, both vulnerabilities require the attacker to be authenticated to the Exchange server before they can be successfully exploited.

Mitigation:

While Microsoft has not yet released a patch for these vulnerabilities, it has confirmed that one is actively being worked on and has published mitigation instructions in the meantime. The mitigation involves an IIS URL Rewrite rule together with blocking access to ports TCP/5985 and TCP/5986.

Follow these steps to implement the URL Rewrite rule:

  1. Open the IIS Manager.
  2. Select and expand the Default Web Site.
  3. Click on “URL Rewrite” in the feature view.
  4. In the action pane, click on Add Rules.
  5. Choose Request Blocking.
  6. Add the following string, without the quotes, and click OK:
    • “.*autodiscover\.json.*\@.*Powershell.*”
    • Alternatively, the following pattern, as published by Bleeping Computer, blocks a wider set of attacks: .*autodiscover\.json.*Powershell.*
  7. Expand the newly created rule and click Edit under the Conditions section.
  8. Change the condition input from {URL} to {REQUEST_URI} and click OK.

For anyone missing the URL Rewrite Module, it is available here: URL Rewrite : The Official Microsoft IIS Site

Note: You’ll need to scroll down to the 2.1 x64 installer, as the link at the top of the page downloads the 32-bit version.

Microsoft has confirmed there is no known impact to Exchange functionality when implementing this URL Rewrite rule.

Vertek’s Response:

Because successful exploitation can result in complete system compromise, Vertek highly recommends applying the above mitigations now and patching as soon as a patch becomes available.

Vertek is also currently tracking known IOCs in OTX here. As more IOCs become known, we will update the pulse accordingly.

References:

https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9

https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/
