I don’t think the weaknesses are well described with the following quote from the article:
The vulnerabilities allow for bypassing the access control list in firewalls, and then setting up local privilege escalation via PowerShell. The third vulnerability can then be used to execute the code.
The first step is not to bypass the firewall’s ACL, but to use an HTTP proxy bug (“CAS”, an asp.net web application that redirects requests to the Exchange backend). When this proxy receives a request ending in “/autodiscover.json”, it incorrectly rewrites the URL allowing server-side request fraud (SSRF) with proxy credentials (see slide 63 for the URL). It is likely that these are the requests that have been checked and reported.
With this SSRF, “Remote PowerShell Backend” is called via the proxy, which eventually makes it possible to run limited PowerShell (in a runspace where only certain commands are available). Slide 65 shows that this backend accepts an access token from a URL that allows you to run PowerShell as a specific user.
The last step is actually executing the code, but the most accurate is to drop the .aspx file in the webroot which opens a remote shell when you connect to it. In proof of concept, the .aspx page is emailed to a mailbox, via SSRF and a WinRM (SOAP) proxy, the mailbox is exported to webroot as a .pst file with an available PowerShell command. The asp.net code must be encoded to be readable again for asp.net with the .pst export.
To my knowledge, the researcher has not completed the full proof-of-concept (“rce.py” in This ProxyShell exploits demo video), so not every script child will be able to drop remote shells to Exchange servers right away. You have to be a good security researcher to be able to exploit this information.
Edit: In the blog Reproduction of ProxyShell exploit Pwn2Own There is more information and the steps explained in more detail, where hackers should end.
[Reactie gewijzigd door matthijsln op 10 augustus 2021 00:16]
“Lifelong zombie fanatic. Hardcore web practitioner. Thinker. Music expert. Unapologetic pop culture scholar.”