Hi, I am Orange Tsai from DEVCORE Research Team. In this article, I will introduce the exploit chain we demonstrated at the Pwn2Own 2021. It's a pre-auth RCE on Microsoft Exchange Server and we named it ProxyShell! This article will provide additional details of the vulnerabilities. Regarding the architecture, and the new attack surface we uncovered, you can follow my talk on Black Hat USA and DEFCON or read the technical analysis in our blog.

ProxyShell consists of 3 vulnerabilities:

- CVE-2021-34473 - Pre-auth Path Confusion leads to ACL Bypass
- CVE-2021-34523 - Elevation of Privilege on Exchange PowerShell Backend
- CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE

With ProxyShell, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an exposed 443 port!

The first vulnerability of ProxyShell is similar to the SSRF in ProxyLogon. It too appears when the frontend (known as Client Access Services, or CAS) is calculating the backend URL.

Explicit Logon is a special feature in Exchange to make a browser embed or display a specific user's mailbox or calendar with a single URL. To accomplish this feature, this URL must be simple and include the mailbox address to be displayed. When a client HTTP request is categorized as an Explicit Logon Request, Exchange will normalize the request URL and remove the mailbox address part before routing the request to the backend. For example:

So far, we can access arbitrary backend URLs. Due to the in-depth RBAC defense of Exchange (the ProtocolType in /Autodiscover is different from /Ecp), the unprivileged operation used in ProxyLogon which generates an ECP session is forbidden. So, we have to discover a new approach to exploit it. Here we focus on the feature called Exchange PowerShell Remoting!

CVE-2021-34523 - Exchange PowerShell Backend Elevation-of-Privilege

Exchange PowerShell Remoting is a feature that lets users send mail, read mail, and even update the configuration from the command line. Exchange PowerShell Remoting is built upon WS-Management and implements numerous Cmdlets for automation. However, the authentication and authorization parts are still based on the original CAS architecture.