Intranet Penetration (87) Exchange ProxyShell Attack Exploitation Chain

Exchange ProxyShell exploit chain

Vulnerability background

In April 2021, at the Pwn2Own hacking contest, Orange Tsai, a security researcher from Taiwan, China, used the then-new ProxyShell attack chain to compromise Microsoft's Exchange mail server and won a $200,000 grand prize. At that time, Orange Tsai did not disclose the exploit details of the ProxyShell attack chain. Meanwhile, Microsoft released security patch updates for the chain. At the Black Hat conference held in August 2021, Orange Tsai gave a detailed analysis and explanation of the ProxyShell attack chain.

Unauthenticated attackers can use the ProxyShell attack chain against a target Exchange server to gain the highest privileges on that server. ProxyShell consists of the following 3 vulnerabilities.

  • CVE-2021-34473: An SSRF vulnerability resulting from an ACL bypass caused by pre-authentication path confusion. Microsoft released a security patch update in April 2021.
  • CVE-2021-34523: A privilege escalation vulnerability in the Exchange PowerShell backend. Microsoft released a security patch update in April 2021.
  • CVE-2021-31027: An arbitrary file write vulnerability that leads to remote code execution. Microsoft released a security patch update in May 2021.

Vulnerability principle

The entire ProxyShell attack chain works as follows: the SSRF vulnerability is used to authenticate to the PowerShell interface as an administrator, and the Exchange PowerShell interface is then used to add the specified user to the Mailbox Import Export role group. At this point, the attacker constructs a malicious email and sends it to the specified user, and then uses the New-M in Mailbox Import Export
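
A defender-side check for the role step described above, as an added example that is not part of the original post: it lists who currently holds the Mailbox Import Export role and which admin audit log entries granted it. It assumes an Exchange Management Shell session with admin audit logging enabled; the `$ApprovedUsers` allowlist, the `svc-mailexport` account name and the 90-day window are hypothetical values to adapt.

```powershell
# Added example: audit the "Mailbox Import Export" role from Exchange Management Shell.
# $ApprovedUsers and $LookbackDays are hypothetical; set them for your organization.
$Role          = 'Mailbox Import Export'
$ApprovedUsers = @('svc-mailexport')      # accounts expected to hold the role
$LookbackDays  = 90

# 1. Current non-delegating assignments, expanded to the effective users
#    (members of any group or role group that holds the role are listed individually).
$assignments = Get-ManagementRoleAssignment -Role $Role -Delegating $false -GetEffectiveUsers

$unexpected = $assignments | Where-Object {
    $ApprovedUsers -notcontains $_.EffectiveUserName
}

if ($unexpected) {
    Write-Warning "Accounts holding '$Role' that are not on the allowlist:"
    $unexpected |
        Select-Object Name, RoleAssigneeName, RoleAssigneeType, EffectiveUserName, WhenCreated |
        Format-Table -AutoSize
} else {
    Write-Output "No unexpected holders of '$Role'."
}

# 2. Admin audit log entries in the lookback window that assigned this role.
$start   = (Get-Date).AddDays(-$LookbackDays)
$entries = Search-AdminAuditLog -Cmdlets New-ManagementRoleAssignment `
               -StartDate $start -EndDate (Get-Date)

$grants = $entries | Where-Object {
    # CmdletParameters is a list of Name/Value pairs recorded for the call.
    $_.CmdletParameters | Where-Object { $_.Name -eq 'Role' -and $_.Value -like "*$Role*" }
}

foreach ($g in $grants) {
    # Flatten the recorded parameters so the grantee is visible on one line.
    $params = ($g.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    [pscustomobject]@{
        RunDate    = $g.RunDate
        Caller     = $g.Caller
        Succeeded  = $g.Succeeded
        Parameters = $params
    }
}
```

An assignment that appears in step 1 without a matching change record or approved caller in step 2 is the case to investigate first.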

Origin blog.csdn.net/qq_64973687/article/details/130958025