ProxyShell Exploit Chain: Vulnerabilities targeting the Microsoft Exchange Server

Dawn Treader
December 1, 2022

Windows ProxyShell – Executive Summary

ProxyShell refers to the name assigned to an exploit chain that triggers three vulnerabilities in Microsoft Exchange Server in order to gain complete remote control of the affected Exchange Server. Though these vulnerabilities were reported in 2021, they were actively exploited in 2022 affecting large organizations. While some threat actors leveraged ProxyShell to install WebShells on the affected server, other threat actors leveraged ProxyShell to install malware.

Windows ProxyShell Vulnerability 

The CVE’s identified as CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 when combined together, as done in the ProxyShell exploit, can be chained to gain remote code execution on affected Microsoft Exchange Servers.  

CVE-2021-34473 identifies a path confusion vulnerability in Exchange Server that affects the “Explicit Logon” feature. This feature enables a user access to another users’ mailbox, when such access has been explicitly granted. The vulnerability lies in how Exchange Server parses a URL containing a request to access users’ mailbox. This URL contains the target email account, which Exchange Server validates. If this URL contains the string “/autodiscover/autodiscover.json”, the parsing logic fails to properly validate the email account and also leads to arbitrary URL access with SYSTEM privilege.  

CVE-2021-34523 identifies a privilege modification vulnerability in the PowerShell component embedded in Exchange Server. An error in the parsing logic to verify a user email account coupled with the previous CVE will allow an attacker to access the PowerShell URL. The previous vulnerability granted access as the user NT AUTHORITY/SYSTEM which does not have an email account. By using a previously harvested email or any of the built-in email addresses, which have administrative privileges, an attacker can combine these two vulnerabilities to access the PowerShell URL. 

CVE-2021-31207 is a vulnerability in the way a user’s mailbox can be exported. An attacker would send a webshell as an encoded attachment to a victim. Next, the attacker can chain the previous two vulnerabilities to gain access to PowerShell on the Exchange Server. Finally, the attacker will use the PowerShell cmdlet New-MailboxExportRequest to export the victims’ mailbox, which contains the webshell attachment, to an arbitrary location as an ASPX file. When exported, the embedded webshell is decoded and will be accessible to the attacker. 

Microsoft has issued the following advisory which customers are advised to follow.

Vehere Network Detection and Response: Protection Against Threat’s Past and Present

Vehere’s research wing, Dawn Treader, actively researches new vulnerabilities and malware outbreaks in order to improve the detection efficacy of its NDR solution. Vehere NDR’s Rule Engine is constantly updated to detect threats like the one discussed in this blog. 

In addition to a comprehensive Rule Set that guides the Rule Engine in detecting attacks and behavior anomalies, the NDR’s ML engines are trained to detect behavioral anomalies in customer networks. This, combined with a comprehensive set of NDR enhancements to detect lateral movement activity in a network, enables customers to get a holistic view of any violation of their computing assets and deter the progress of the attack. 

Share post: