ProxyNotShell

Chained CVE-2022-41040, CVE-2022-41082

Theory

ProxyNotShell is identified with the following CVEs: CVE-2022-41040 and CVE-2022-41082. The vulnerabilities affect on-premises Microsoft Exchange servers running Outlook Web App.

CVE-2022-41040 : SSRF. This vulnerability allows attackers to send an arbitrary request with a controlled URI and controlled data to an arbitrary backend service with LocalSystem privilege. (The request is very similar to the ProxyShell one.)

CVE-2022-41082 : RCE. By abusing CVE-2022-41040, authenticated users may exploit CVE-2022-41082 to run arbitrary commands on vulnerable Exchange Servers.

Practice

We can use the proxynotshell_checker.nse Nmap script to scan a target:

nmap -p80,443 --script="proxynotshell_checker.nse" $IP

443/tcp open  https
    |_proxynotshell_checker: Potentially vulnerable to ProxyNotShell (mitigation not applied).

If we have local access to the target running Exchange, we can check its version using the following PowerShell commands:

#Method 1
PS> GCM exsetup |%{$_.Fileversioninfo}

#Method 2
PS> (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion

ProductVersion   FileVersion      FileName                                                                             
--------------   -----------      --------                                                                             
15.02.0858.005   15.2.1118.20   C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup.exe

We can now look up the exact Microsoft Exchange product version using this Microsoft link. The following versions are vulnerable:

Version             Vulnerable ProductVersion
------------------  -------------------------
Exchange 2019 CU12  < 15.2.1118.20
Exchange 2019 CU11  < 15.2.986.36
Exchange 2016 CU23  < 15.1.2507.16
Exchange 2016 CU22  < 15.1.2375.33
Exchange 2013 CU23  < 15.0.1497.32

All builds predating the November 8, 2022 Security Updates are vulnerable.
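As an added example (not part of the original page), the following PowerShell script automates the version check above: it takes an ExSetup.exe build string, matches it to the Cumulative Update by its major.minor.build prefix, and compares it with the fixed builds from the table. It assumes the installed Security Update is reflected in the FileVersion property (as in the sample output above), and the build strings fed to it are constructed samples.

```powershell
# Added example, not from the original page.
# Assumption: FileVersion of ExSetup.exe carries the installed Security Update,
# and a Cumulative Update is identified by the major.minor.build prefix.

# First fixed builds per Cumulative Update, taken from the table above.
$FixedBuilds = @{
    'Exchange 2019 CU12' = [version]'15.2.1118.20'
    'Exchange 2019 CU11' = [version]'15.2.986.36'
    'Exchange 2016 CU23' = [version]'15.1.2507.16'
    'Exchange 2016 CU22' = [version]'15.1.2375.33'
    'Exchange 2013 CU23' = [version]'15.0.1497.32'
}

function Test-ProxyNotShellBuild {
    param([Parameter(Mandatory)][string]$FileVersion)
    $installed = [version]$FileVersion

    # Find the CU whose major.minor.build matches; the revision carries the SU level.
    $cu = $FixedBuilds.GetEnumerator() | Where-Object {
        $_.Value.Major -eq $installed.Major -and
        $_.Value.Minor -eq $installed.Minor -and
        $_.Value.Build -eq $installed.Build
    }

    if (-not $cu) {
        # A CU not listed in the table has no fixed build here: treat as unpatched.
        return [pscustomobject]@{ Build = $installed; CU = 'unknown'; Status = 'CU not in table; treat as vulnerable' }
    }

    $status = if ($installed -lt $cu.Value) { 'VULNERABLE (November 8, 2022 SU missing)' } else { 'Patched' }
    [pscustomobject]@{ Build = $installed; CU = $cu.Key; Status = $status }
}

# On a live Exchange server, read the build with the same command as Method 2 above:
# Test-ProxyNotShellBuild (Get-Command ExSetup.exe).FileVersionInfo.FileVersion

# Constructed sample inputs: the build from the output above, an older CU12 revision,
# an older CU23 revision, and a build from a CU that is not in the table.
'15.2.1118.20', '15.2.1118.15', '15.1.2507.12', '15.2.922.7' |
    ForEach-Object { Test-ProxyNotShellBuild $_ } | Format-Table -AutoSize
```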
