ProxyNotShell
Chained CVE-2022-41040, CVE-2022-41082
Last updated
Was this helpful?
Chained CVE-2022-41040, CVE-2022-41082
Last updated
Was this helpful?
ProxyNotShell is identified with the following CVEs: CVE-2022–41040 and CVE-2022–41082. The vulnerabilities affect Microsoft Exchange on premises with an Outlook Web App.
CVE-2022-41040 : SSRF This vulnerability allow attackers to send an arbitrary request with a controlled URI and controlled data to an arbitrary backend service with LocalSystem privilege. (Request is very similar to the ProxyShell one)
CVE-2022-41082 : RCE By abusing CVE-2022-41040 authenticated users may exploit CVE-2022-41082 to run arbitrary commands in vulnerable Exchange Servers.
We can use the proxynotshell_checker.nse nmap script to scan a target
nmap -p80,443 --script="proxynotshell_checker.nse" $IP
443/tcp open https
|_proxynotshell_checker: Potentially vulnerable to ProxyNotShell (mitigation not applied).If we have local access to the target running exchange, we can check it version using the following powershell command:
#Method 1
PS> GCM exsetup |%{$_.Fileversioninfo}
#Method 2
PS> (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
ProductVersion FileVersion FileName
-------------- ----------- --------
15.02.0858.005 15.2.1118.20 C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup.exeWe can now search for the exact Microsoft Exchange product version using this microsoft link. Following versions are vulnerable :
Exchange 2019 CU12
< 15.2.1118.20
Exchange 2019 CU11
< 15.2.986.36
Exchange 2016 CU23
< 15.1.2507.16
Exchange 2016 CU22
< 15.1.2375.33
Exchange 2013 CU23
< 15.0.1497.32
