Two exploits were recently used to compromise Microsoft Exchange Servers, ProxyNotShell is the name for the combination. The first vulnerability is a Server-Side Request Forgery (SSRF) known as CVE 2022-41040. The SSRF Attack occurs when an attacker can control or modify a query to request another resource. This can occur in the form of requesting another data set or causing a user to request an external resource. The versions affected are 2013,2016 and 2019. The next attack was Remote Code Execution, meaning direct interaction with the shell of the server. A common language used when working with the shell is PowerShell (the name is great I know). PowerShell is the medium for a number of malicious acts once a machine is compromised since most Windows machines come with it installed. The SSRF vulnerability (41040) is only exploitable with authenticated access, which will also allow remote commands to be executed, more formally RCE (41082). Teams have been following this developing attack.
The Overview
Around August of 2022. GTSC team noticed a Zero Day being exploited against Exchange Servers. The attack #41040 from above was being used to compromise environments. Teams responded by sending out a mitigation and doing deep code analysis to understand the exploit. The Blue Team (defenders), as a part of their Incident Response, add regex detecting the presence of the known malicious request. With short success for the Blue Team, the Red Team began to work at understanding the exploit. It was discovered that 41040 allowed PowerShell scripts to be executed and the specific code used was given #41082. The interesting event here is that just as the mitigation was posted, it was said that it could be bypassed, making the Zero Day still somewhat in the category of unresolved. What we do know is this is an SSRF, telling us that a link, or query, can be changed to gain access to internal resources. They are able to track these requests in logs to understand the patterns being used and hopefully come up with another mitigation while patching occurs. The current recommendation is to disable remote PowerShell scripts since the malicious code can be ran without Privilege Escalation. This poses a risk to Admins of locking themselves out, so teams are working.
The Exploits
The SSRF vulnerability was patched fairly quickly, and a security researcher assisted with a needed tune up. The first patch was the addition of pattern matching to prevent the requests from reaching the server. Researcher determined this could be bypassed with slighly fancier attack. The Remote Code Execution (RCE) was accessed via web shell, which opens the door to malware being installed. Exploitation usually has a few moving parts. To summarize, the malware used creates a listener and initiates a request, upon satisfying some conditions the code continues to gather information before executing shellcode. Some of the commands can be seen because they are executed in the shell, the shellcode itself is usually ran in memory where systems logs do not exist. A little background on shellcode can be found in one of my Medium.com articles on Eternal Blue, an exploit taking advantage of shellcode execution. The malware analysis report names a few suspicious filenames to look for as well as provides some additional signatures being added in updates to Antivirus tools. This sample does not currently an entry in VirusTotal.
New Mitigation!
Microsoft released a new pattern matching for the URL rewrite engine. The scenario to consider URL encoding was added. URL encoding would be substituting “hello%27%20or%201%3D1” into the input field to pass in “hello’ or 1=1”.
I will be updating this as the security teams make progress.
The SSRF vulnerability was patched fairly quickly, and a security researcher assisted with a needed tune up. The first patch was the addition of pattern matching to prevent the requests from reaching the server. Researcher determined this could be bypassed with slighly fancier attack. The Remote Code Execution (RCE) was accessed via web shell, which opens the door to malware being installed. Exploitation usually has a few moving parts. To summarize, the malware used creates a listener and initiates a request, upon satisfying some conditions the code continues to gather information before executing shellcode. Some of the commands can be seen because they are executed in the shell, the shellcode itself is usually ran in memory where systems logs do not exist. A little background on shellcode can be found in one of my Medium.com articles on Eternal Blue, an exploit taking advantage of shellcode execution. The malware analysis report names a few suspicious filenames to look for as well as provides some additional signatures being added in updates to Antivirus tools. This sample does not currently an entry in VirusTotal.
New Mitigation!
Microsoft released a new pattern matching for the URL rewrite engine. The scenario to consider URL encoding was added. URL encoding would be substituting “hello%27%20or%201%3D1” into the input field to pass in “hello’ or 1=1”.
I will be updating this as the security teams make progress.
