Security researchers have found a new exploit that allows attackers to remotely execute code through Outlook Web Access (OWA) on Microsoft Exchange Server.
According to Crowdstrike, the new exploit method takes advantage of two vulnerabilities and bypasses the URL or link rewrite mitigations for the ProxyNotShell bug that Microsoft deployed affecting the on-premises Exchange server.
The security vendor called the exploit method OWASSRF, or Outlook Web Access Server-Side Request Forgery.
First, the autodiscover endpoint, which is used to notify clients about services offered by the remote Microsoft Exchange server, is accessed via an authenticated request to the frontend, Crowdstrike researchers said.
It is accessed via a path confusion exploit, CVE-2022-41040, which allows the attacker to reach the backend for arbitrary URLs.
This type of vulnerability is known as server-side request forgery (SSRF).
In the case of ProxyNotShell, the target backend service is the remote PowerShell service.
A proof-of-concept link leading to leaked code for the new exploit was sent on Twitter by Huntresslab security researcher Dray Agha.
Agha found the attackers’ toolkit in an open repository and downloaded them all.
By using a Python script posted by Agha, Crowdstrike was able to replicate the log file entries from recent attacks.
mass strike discovered the ProxyNotShell mitigation bypass when the security firm was investigating Play ransomware intrusions, with the usual entry vector being Microsoft Exchange.
Exchange server is on common goal for hackers, with several exploits and attacks recorded recently.
A high profile attack on Rackspace removed Exchange service hosted by cloud providers, prompting customers to migrate to Microsoft 365 as a countermeasure.
A few days later Rackspace Confirmed that the cause of the outage was a ransomware attack by unnamed villains that forced the company’s support engineers to perform time-consuming data recovery processes for customers.
rackspace said it hired Crowdstrike to investigate the ransomware attack.
Crowdstrike said Exchange admins should apply Microsoft’s November patches to prevent exploitation because URL rewrite mitigations for ProxyNotShell aren’t effective.
Administrators who cannot patch their Exchange servers immediately should disable OWA as soon as possible and follow Microsoft’s recommendations to disable remote PowerShell for regular users whenever possible.
