Threat actors are now actively seeking out the vulnerabilities of the Microsoft Exchange ProxyShell External Code Execution after technical details were revealed during the Black Hat conference.

ProxyShell is the name given to three vulnerabilities that execute unauthorized, remote code execution on Microsoft Exchange servers when linked together.These pinned vulnerabilities are remotely exploited by Microsoft Exchange CAS operating on port 443 in IIS.

The three pinned vulnerabilities used in ProxyShell attacks are:

  • CVE-2021-34473 Pre-Authorized Road Confusion Leads to ACL Bypass (April)
  • CVE-2021-34523-Increasing the Privilege on Exchange PowerShell Backend (April)
  • CVE-2021-31207-Post-Authoritarian Arbitrary File Writing Leads to RCE (May)

Both CVE-2021-34473 and CVE-2021-34523 were first announced in July, they were actually quietly uploaded in the cumulative update of Microsoft Exchange KB5001779 in April.

These vulnerabilities were discovered by Security Researcher Orange Tsai,his team received a $ 200,000 prize for their use in April’s Pwn2Own 2021 burglary contest.

Tsai explained that one of the components of the ProxyShell attack chain is targeted at the Microsoft Exchange Autodiscover service introduced to provide an easy way for email client software to set itself up automatically with minimal user input.

Glide from the Orange Tsai talk showing the autodiscover URL

Threat actors started investigating about this vulnerability and tried exploiting. Though initial attempts were unsuccessful, attackers succeeded last night, after more details about the vulnerability were revealed.

https://Exchange-serve/autodiscover/autodiscover.json?@foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com

Using the new URL, it appears that the threat actors were able to successfully detect a vulnerable system because it caused the compilation of the ASP.NET Web application. Accessing the URL would result in the ASP.NET worker process (w3wp.exe exe) compiling a web application, as seen in the image of Beaumont’s dog pot below.

Files created by scanning the Microsoft Exchange dog pot
Files created by scanning the Microsoft Exchange dog pot

Threat actors are actively searching for vulnerable Microsoft Exchange servers, Azure Sentinel can be used to view IIS logs on the “/autodiscover/autodiscover.json” or “/ mapi / nspi /” strings.

W3CIISLog | where csUriStem == "/autodiscover/autodiscover.json" | where csUriQuery has "/mapi/nspi/"

If the results contain the targeted Autodiscover URL, threat actors have searched your server for the vulnerability. Its only a matter of time until successful exploitation in nature is achieved.Microsoft Exchange administrators install the latest cumulative updates to protect against these vulnerabilities