A pair of zero-day vulnerabilities caused some major concerns in the Microsoft Exchange community just two months ago.
The following two vulnerabilities, which are known as CVE-2022-41040 and CVE-2022-41082:
Two zero-days emerged in a single day, with the first being used remotely to open up enough of a hole on an Exchange server to also trigger RCE.
The first vulnerability was reminiscent of the troublesome and widely-abused ProxyShell security hole from back in August 2021, because it relied on dangerous behavior in Exchange’s Autodiscover feature, described by Microsoft as a protocol that is “used by Outlook and EAS [Exchange ActiveSync] clients to find and connect to mailboxes in Exchange.”
The exploit that could be used by remote users, whether logged-in or not, got fixed more than a year ago.
ProxyShell patch upstart ProxySoftware seems to have been a failure, as the mere patches didn’t do enough to close off the exploit to users they claimed it protected. This led to the new CVE-2022-40140 zero day, which was misspelled in its patch title, but soon recaptured as “ProxyNotShell” after some members of the security community discovered the misnaming.
24/7 threat hunting, detection, and response delivered by a team of experts as a managed service.
Do More
Although it may not be as dangerous, it is still a danger that deserves attention.
ProxyNotShell was far more secure than ProxyShell in that it required a user to perform an automated handshake with the ProxyNotShell server. Whoever used the system, no matter their location, had to go through this process first. This ensured a higher level of security and prevented abuse by any unauthorized user.
A team of researchers found that when an Exchange server is attacked, it seemed to matter little if the user was authenticated or not. In this case, having access to email credentials would be enough to go on a malicious attack but with 2FA in place, those same credentials were meaningless.
Sophos believes in end-to-end security, and their CEO Chester Wisniewski put it simply in 2010:
Exchanges are vulnerable to “mid-authentication” vulnerabilities by design, but that makes them more targeted. An automated Python script can’t just scan the whole Internet and exploit every Exchange server in the world within minutes or hours.
Gmail is one of the most popular and widely used webmail services out there, but it’s also one of the most hackable. Finding and cracking their passwords can be pretty easy if you know what you’re doing. Fortunately, there are some steps that can help you prevent this from happening. We won’t list them all here, because the full extent of OWA security is subject to change.
The process of doing this attack doesn’t require a second factor. […] This does not seem like much of a challenge to do.
Many of us assumed that Microsoft would get out a fix before October’s Patch Tuesday. The company is usually quick to address security holes, and we’d be happy if it did the same this time.
The year came and went without updates to the ProxyNotShell software, disappointing many people in the industry. However, they were able to continue working around that software with workarounds until October came and went.
Despite work to provide fixes for Spectre and Meltdown, Black Tuesday came and went with the new patches not yet in place. However, Exchange-specific security updates that included it came out on the same day.
With the help of a proof-of-concept and partnership, a significant development could be on the horizon.
The day has finally come, and Microsoft released a patch for the Exchange vulnerabilities that were previously disclosed by ZDI. Along with these new fixes, ZDI explained how those vulnerabilities can be exploited.
There’s bad news for Exchange admins: the ZDI team has now provided a proof-of-concept where an attack can be carried out against Exchange servers.
The good news, of course, is that:
We’re thrilled to have been able to conduct these tests. This not only helps us maintain and protect the world’s most popular open-source web server software, but it also provides us with insight into what caused the bugs we were addressing and how to avoid similar problems in our own servers going forward.
We now have no excuse left for not applying the patches. If we’ve dragged our feet on patching, ZDI’s explanation of why the exploit works makes it clear that the cure is definitely preferable to the disease.
Our article scoring is based on the quality, depth and usefulness of content found in articles.
ZDI developed a detailed and fascinating explanation about how complex it can be to chain together all the many parts you need to exploit dangerous vulnerabilities.
There have been many well-documented vulnerabilities that have made the news recently, such as Heartbleed. And while these may be well-known holes, they often take time to fix because they are so deeply ingrained in how software and systems work. A good way to understand them is to perform your own work by digging into the existing exploit to help reveal other insights that can cause additional patches and potential exploit mitigation strategies.
RCE is the process of taking control of a system without triggering the user interface. This can be accomplished through a variety of methods, but one way that has been proven effective is through exploiting buffer overflows. At the end of this mishmash, you’ll learn more about how to create your own RCE exploit.
With the ZDI report becoming more popular, it’s important to understand its details. While digesting such an involved document might be overwhelming on its own, we hope this makes learning about that report a little bit easier for you. Here’s a summary of the steps listed in reverse.
If you want to know why the story takes the direction that it does, you should consider reading the novel.
STEP 4 – Remotely trick Exchange into instantiating your chosen object. Simply put, remotely trick Exchange into instantiating a .NET object of your choice.
In modern coding, an instantiated object is the jargon word for an allocated chunk of memory automatically initialized with the data and resources it needs while it’s in use, and tied to a specific set of functions that can operate on it. (Instantiate just means create.)
Managing memory responsibly is a core feature of modern operating systems. They help avoid the sort of memory mismanagement errors that can happen in small embedded languages like C, where you typically need to allocate memory by hand and remember to release it when you’re done.
Objects generally have a programmatic function associated with them called the constructor. Objects are automatically created in order to allocate the right amount of memory and the correct set of system resources.
Usually, you need to pass one or more parameters as arguments to the constructor, in order to indicate how the object should be configured when it starts out.
As an example, when you instantiate a TextString object using a text string as the parameter. Using our example, if we were to instantiate a TextString object with example.com:8888, this would create the following literal text string.
“”shorthand for property value”:”This is shorthand for “”
“value”:”property name”,””
“name”:”property name”,”https://www.example.com/”:888
END “”
…you will probably end up with a buffer allocated to hold your text, set to be initialized to the raw text example.com:8888.
There isn’t any inherent security risk in passing strings to objects that have been initialized remotely, other than the possibility of denial of service (DoS).
But if you pass in the exact same text string parameter of example.com:8888, you might end up with a temporary buffer ready to hold data, as well as a socket that’s already allocated by the operating system and waiting for connections on port 888.
One of the risks that comes with remote code execution is connection leakage. You could exploit this vulnerability without ever sending any data to the server, thanks to your ability to fool it into calling home to a location you control.
One common way to accomplish a goal is with an object called, say, RunCmdAndReadOutput. This object receives input that’s similar to a command you want run automatically once the object is created. This allows you to collect its output later on and save yourself some time.
Even if you never get to recover the output of the command, instantiating such an object would remain a risk as long as you have access to a server through any other process.
As with most things in life, it only gets easier once you’ve achieved something that means everything to you. Once you’re able to get past this last defense, defeating Exchange becomes much easier.
In theory, only safe or low-risk objects can be created remotely via PowerShell, so that instantiating our imaginary TextString above might be considered acceptable, but a ConnectedTCPClient would definitely not be.
But the ZDI researchers noticed that before triggering the final step, they could do this:
STEP 2. Find a list of objects that have passed the safety test and that also meet your needs. STEP 3. Use our remote object trick to cheat Exchange into thinking that the low-risk object you chose is, in fact, something else on this list.
Despite this, you might expect Exchange to resist the remote creation of low-risk objects. This way, even if malware does slip through, it’s less likely to be damaging.
Researchers found that they could:
STEP 2. Get remote access to Exchange from PowerShell through Remoting, and then use that access to create a new object based on your decision on the initialisation parameters you’ve been given
Due to the proxyShell-like hole that was only semi-patched, a lot of bad actors were able to exploit big name domains for malicious purposes.
This step will trick Exchange into accepting and processing web requests with valid user:password fields, as long as the request is properly formatted.
Imagine trying to hack an organisation by contantly sending a number of emails of the same type. An attacker would keep receiving an error because the username and password combination has expired, but they know that account name and username.
While the HTTP authentication was simply accepted to prevent Exchange from rejecting the request up front, any valid username:password combination would do, loosely speaking.
If you’re using on-site Exchange servers, Microsoft claims to have locked down the service quickly. Even if you’ve moved your email service to Exchange Online, make sure you know where your on-premises servers are.
If your servers are not patched and vulnerabilities have been identified, make sure to apply the Exchange Software Update of 2022-11-08 in order to close those vulnerabilities.
No matter what version of Autodiscover the server is running, it needs to be configured to never request Basic Authentication, which includes blocking all aspects of it. By doing this and only requesting relevant headers by using standard A/V headers that are still supported, attackers won’t be able save servers from receiving dangerous requests because they’ll know the server isn’t patched.
