ProxyShell
Description
ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Risk, Web
- Last Updated: 2021-08-24
- Author: Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk
- ID: 413bb68e-04e2-11ec-a835-acde48001122
Narrative
During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. CVE-2021-34473 Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.
Detections
Reference
- https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/
- https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
- https://www.youtube.com/watch?v=FC6iHw258RI
- https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf
- https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html
source | version: 1