ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers

On August 5, 2021, in a Black Hat USA talk, DEVCORE researcher Orange Tsai shared information on several exploit chains targeting on-premises installations of Microsoft Exchange Server. Among the exploit chains presented were ProxyLogon, which was exploited en masse in February and March of 2021, and ProxyShell, an attack chain originally demonstrated at the Pwn2Own hacking competition in April 2021. As of August 12, 2021, multiple researchers have detected widespread opportunistic scanning and exploitation of Exchange servers using the ProxyShell chain.


According to Orange Tsai's demonstration, the ProxyShell exploit chain allows a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable on-premises instance of Microsoft Exchange Server over HTTPS (port 443). The chain comprises three CVEs:


CVE-2021-34473, a remote code execution vulnerability patched April 13, 2021
CVE-2021-34523, an elevation of privilege vulnerability patched April 13, 2021
CVE-2021-31207, a security feature bypass patched May 11, 2021

While CVE-2021-34473 and CVE-2021-34523 were patched in April, Microsoft’s advisories note that they were inadvertently omitted from publication until July.
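Because the chain is unauthenticated and arrives over the same port 443 that serves legitimate Outlook and Autodiscover traffic, the quickest first triage for most defenders is the IIS log on the Exchange front end. The following Python script is an added example, not code from the original post or from DEVCORE/Rapid7: it walks W3C-format IIS log lines and flags Autodiscover requests that match the publicly reported CVE-2021-34473 indicator (a request to autodiscover.json whose query string begins with "@", or whose Email= parameter points back at autodiscover.json, which abuses the explicit-logon URL handling to reach an arbitrary backend path). The field layout and every log line below are constructed for the example; the indicator itself comes from public incident reporting on ProxyShell, not from this page. Note the caveat the script encodes: legitimate autodiscover.json requests carry an "@" inside the Email= value, so alerting on "@" alone would be noisy.

```python
"""Triage IIS W3C logs for ProxyShell-style Autodiscover requests.

Added example; not part of the original post. The indicator is the public
one reported for CVE-2021-34473 exploitation. Field layout and log lines
are constructed for illustration.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote

# Constructed sample in IIS W3C format (abbreviated field set, assumed here).
# Lines 2 and 3 mimic a ProxyShell probe aimed at the /mapi/nspi and
# /powershell backends; lines 1 and 4 are benign.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2021-08-13 02:11:04 203.0.113.10 GET /autodiscover/autodiscover.json Email=alice@example.com 200 Microsoft+Office/16.0
2021-08-13 02:11:09 198.51.100.7 GET /autodiscover/autodiscover.json @example.com/mapi/nspi?&Email=autodiscover/autodiscover.json%3F@example.com 200 python-requests/2.25.1
2021-08-13 02:11:10 198.51.100.7 POST /autodiscover/autodiscover.json @example.com/powershell?&Email=autodiscover/autodiscover.json%3F@example.com 200 python-requests/2.25.1
2021-08-13 02:12:00 203.0.113.11 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.com%2Fowa 200 Mozilla/5.0
"""


def is_proxyshell_autodiscover(stem: str, query: str) -> bool:
    """Return True when an autodiscover.json request matches the ProxyShell pattern.

    Benign Autodiscover requests look like ?Email=user@domain, so the '@' in
    the Email value is NOT suspicious by itself. The exploit pattern is a
    query that starts with '@' (explicit-logon host prefix) or an Email value
    that itself names autodiscover.json.
    """
    if not stem.lower().endswith("/autodiscover/autodiscover.json"):
        return False
    q = unquote(query)
    if q.startswith("@"):
        return True
    params = parse_qs(q, keep_blank_values=True)
    return any("autodiscover.json" in v.lower() for v in params.get("Email", []))


def backend_target(query: str) -> Optional[str]:
    """Extract the backend path the request tried to reach ("/mapi/nspi", "/powershell")."""
    q = unquote(query)
    if not q.startswith("@"):
        return None
    host_and_path = q[1:].split("?", 1)[0]   # "@host/backend/path?..." -> "host/backend/path"
    slash = host_and_path.find("/")
    return host_and_path[slash:] if slash >= 0 else None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C IIS log text using its #Fields header and return flagged requests."""
    fields: List[str] = []
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line; skip rather than guess
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        if query == "-":                   # IIS writes '-' for an empty query
            query = ""
        if is_proxyshell_autodiscover(stem, query):
            rec["backend"] = backend_target(query) or ""
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} {hit['cs-method']} "
              f"-> backend {hit['backend'] or '?'} UA={hit['cs(User-Agent)']}")
```

Run it against a real `u_ex*.log` by reading the file into `find_suspicious`; the `#Fields:` header in each IIS log file supplies the column order, so the script does not depend on the abbreviated layout used in the sample. Treat a hit as a lead, not a verdict: confirm by checking what the same client did next against /powershell, /mapi and /ecp, and whether a matching Exchange Management Shell session or dropped .aspx file appears on the host.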


When chained, these vulnerabilities allow the attacker to bypass ACL controls, send a request to a Po ..
