I don’t think the weaknesses are well described with the following quote from the article:
The vulnerabilities allow for bypassing the access control list in firewalls, and then setting up local privilege escalation via PowerShell. The third vulnerability can then be used to execute the code.
If I look at the slides (from slide 55) and the presentation at timestamp 34:30, where the ProxyShell part starts, it looks a lot more like the following:
The first step is not to bypass the firewall’s ACL, but to use a bug in the HTTP proxy (“CAS”, an asp.net web application that forwards requests to the Exchange backend). When this proxy receives a request ending in “/autodiscover.json”, it incorrectly rewrites the URL, allowing server-side request forgery (SSRF) with the proxy’s credentials (see slide 63 for the URL). It is likely that these are the requests that have been checked for and reported.
With this SSRF, “Remote PowerShell Backend” is called via the proxy, which eventually makes it possible to run limited PowerShell (in a runspace where only certain commands are available). Slide 65 shows that this backend accepts an access token from a URL that allows you to run PowerShell as a specific user.
The last step is actually executing the code, but the most obvious way is to drop an .aspx file in the webroot that opens a remote shell when you connect to it. In the proof of concept, the .aspx page is emailed to a mailbox; via SSRF and a WinRM (SOAP) proxy, the mailbox is then exported to the webroot as a .pst file with a PowerShell command that is available. The asp.net code has to be encoded so that it is readable again by asp.net after the .pst export.
To my knowledge, the researcher has not released the full proof of concept (“rce.py” in the ProxyShell exploit demo video), so not every script kiddie will be able to drop remote shells on Exchange servers right away. You have to be a good security researcher to be able to exploit this information.
Edit: in the blog Reproducing the ProxyShell Pwn2Own exploit there is more information and the steps are explained in more detail, where hackers should end up.
[Comment edited by matthijsln on 10 August 2021 00:16]
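The comment above describes the first step of the chain as the proxy rewriting any request whose path ends in “/autodiscover.json”. A defender reviewing IIS logs can look for exactly that shape: a request to the autodiscover.json endpoint whose query string carries a path-like token (a legitimate autodiscover request only carries values such as an e-mail address and a protocol name). The following detector is an added example and is not code from the comment, the talk or any Exchange tooling; the log lines are constructed, the simplified field layout (time, method, uri-stem, uri-query, status) is an assumption, and the two heuristics (a slash inside the query, or extra path segments before the suffix) are assumed rules, not a published signature.

```python
"""Heuristic scan of IIS-style log lines for autodiscover.json path-confusion requests.

Added example; not part of the original comment. The log format below is a
simplified, constructed layout: time method uri-stem uri-query status.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). "-" means an empty query.
SAMPLE_LOG = """\
12:00:01 GET /autodiscover/autodiscover.json Email=alice@example.test&Protocol=ActiveSync 200
12:00:05 POST /autodiscover/autodiscover.json x=/powershell/&Email=autodiscover/autodiscover.json 200
12:00:09 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.test%2Fowa 200
12:00:12 GET /Autodiscover/Autodiscover.json %2Fpowershell%2F%3F%26Email%3Dautodiscover%2Fautodiscover.json 200
12:00:15 GET /autodiscover/autodiscover.json - 401
"""

AUTODISCOVER_SUFFIX = "/autodiscover.json"


@dataclass(frozen=True)
class Hit:
    time: str
    method: str
    stem: str
    query: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into its five fields; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    time, method, stem, query, status = parts
    return time, method, stem, ("" if query == "-" else query), status


def is_path_confusion(stem: str, query: str):
    """Return a reason string if the request looks like autodiscover.json path confusion.

    Heuristic (assumed, not an official rule): the URL must end with
    /autodiscover.json, and either the query string contains a path-like
    token (a slash) or there are extra path segments before the suffix.
    URL-decoding first catches percent-encoded variants.
    """
    stem_l = unquote(stem).lower()
    query_l = unquote(query).lower()
    if not stem_l.endswith(AUTODISCOVER_SUFFIX):
        return None
    if "/" in query_l:
        return "path-like token in query of autodiscover.json request"
    if stem_l.count("/") > 2:
        return "extra path segments before autodiscover.json"
    return None


def scan_log(text: str):
    """Run the heuristic over every line and collect the suspicious requests."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        time, method, stem, query, _status = rec
        reason = is_path_confusion(stem, query)
        if reason:
            hits.append(Hit(time, method, stem, query, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.time} {hit.method} {hit.stem}?{hit.query}  <-- {hit.reason}")
```

On the constructed sample this flags the two requests whose query strings smuggle a path (one plain, one percent-encoded) and leaves the ordinary autodiscover requests and the unrelated OWA request alone. In a real deployment the same heuristic would be applied to the cs-uri-stem and cs-uri-query fields of the IIS W3C log, and a hit is a reason to review that client and the backend requests the proxy issued on its behalf.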