CVE-2022-41040: ProxyNotShell Exchange Vulnerability

Secpy Community, published in InfoSec Write-ups, Oct 15, 2022 (3 min read)

Written by: anshul vyas


What is the ProxyNotShell attack?

ProxyNotShell is the name given to a pair of zero-day vulnerabilities in on-premises Microsoft Exchange Server that were being chained together in the wild. The first, CVE-2022-41040, is a server-side request forgery (SSRF) in the Exchange front end that lets an attacker reach internal back-end endpoints; the second, CVE-2022-41082, is a remote code execution (RCE) flaw in the Exchange PowerShell back end that becomes reachable through that SSRF. Microsoft rated both with a CVSSv3 score of 8.8. Neither bug is exploitable anonymously: valid credentials for any mailbox user on the target server are required, which is what separates this chain from its 2021 namesake, ProxyShell.

Where was it found?

Both bugs live in on-premises Microsoft Exchange Server. On September 29, 2022, Microsoft confirmed reports from the Vietnamese security firm GTSC that adversaries were exploiting the two zero-days, and said at the time that it was aware of attacks on fewer than ten organizations. The name is a nod to ProxyShell, an earlier and unauthenticated Exchange exploit chain: in August 2021 around 1,900 Exchange servers were known to have been compromised through ProxyShell, with victims ranging from construction companies, food processors and industrial-machinery firms to repair shops and a small residential airport, according to Kyle Hanslovan, CEO of Huntress Labs.

What can it do?

An attacker holding credentials for any mailbox on the server can use the SSRF to reach the PowerShell back end and then run arbitrary code on the Exchange server itself. In the observed attacks that code was used to drop web shells, which give persistent access to the server and the mail data on it and a foothold for follow-on activity such as ransomware deployment. The authentication requirement makes this harder to exploit than ProxyShell, but a single phished or leaked mailbox password is enough, and Exchange servers are high-value targets. Organizations that want to gauge their exposure can use the ProxyNotShell assessment that Cymulate Research Lab has published for that purpose.

Ways to exploit it

A word of caution first: since the disclosure, a number of people have been selling fake ProxyNotShell exploits, so treat any offered proof of concept with suspicion. The tooling below was written for the 2021 ProxyShell chain, not for ProxyNotShell, and it is useful here only for checking whether a server is still exposed to the older bugs. With the Nmap Scripting Engine (NSE) and a copy of the community proxyshell.nse script on the scanning host (it is not bundled with Nmap), a host or subnet can be checked for ProxyShell with:

nmap --script proxyshell.nse ip/subnet -p 443

Metasploit carries the corresponding exploit module. In msfconsole, run search proxyshell, select the match with use 0 (exploit/windows/http/exchange_proxyshell_rce), review the settings with show options, set the required values (at minimum RHOSTS), then run exploit to launch the payload. At the time of writing (October 2022) there was no public Metasploit module for ProxyNotShell itself.

Patching this vulnerability

Microsoft did publish official guidance on September 29, 2022, in its Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server. Until the fix shipped in the November 8, 2022 Security Updates for Exchange 2013, 2016 and 2019, the recommended mitigation was to block the SSRF request pattern at the front end: an IIS URL Rewrite rule on the Autodiscover virtual directory that aborts requests whose URL-decoded request URI contains both autodiscover and powershell. Microsoft pushed the same rule automatically through the Exchange Emergency Mitigation Service and shipped it as a script (EOMTv2). The first version of the rule could be bypassed with trivial variations of the request, so it was revised several times (the final version matches on the URL-decoded URI); anyone applying it by hand should take the current pattern from Microsoft's guidance rather than from a copy on a blog. The same filter can be implemented in a third-party web application firewall (WAF) in front of Exchange. Microsoft additionally advised blocking the remote PowerShell ports (5985 for HTTP and 5986 for HTTPS) for non-administrative users, and limiting outbound connections through an egress proxy remains good practice for spotting web-shell callbacks.
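As an added example (not part of the original article), the following Python script applies both kinds of filter to constructed IIS W3C log lines so the difference is visible: a literal rule over the raw request URI, modeled on the first circulated pattern, and a rule that matches the decoded URI the way the revised guidance does. The log lines, the evil.example host and both regular expressions are assumptions for this example, not copies of Microsoft's rule; the same code doubles as a quick triage pass over existing IIS logs for the ProxyNotShell request shape.

```python
# Added example, not from the original article: a log triage helper for the
# ProxyNotShell request pattern. It parses IIS W3C log lines, rebuilds the
# request URI, and compares a literal URL filter against one that matches on
# the decoded URI. Log lines, the evil.example host and both patterns are
# constructed for this example.
import re
from urllib.parse import unquote

# Constructed IIS W3C lines with the field order:
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2022-10-01 10:00:00 POST /autodiscover/autodiscover.json @evil.example/powershell?Email=autodiscover/autodiscover.json%3F@evil.example 200
2022-10-01 10:00:05 GET /owa/ - 200
2022-10-01 10:00:09 POST /autodiscover/autodiscover.json @evil.example/Power%53hell?Email=autodiscover/autodiscover.json%3F@evil.example 200
2022-10-01 10:00:12 POST /autodiscover/autodiscover.json @evil.example/Power%2553hell?Email=x 200
2022-10-01 10:00:20 POST /autodiscover/autodiscover.xml - 401
"""

# A literal rule of the kind first circulated for IIS URL Rewrite (assumed shape):
# it wants the SSRF path, the '@' host separator and the word Powershell in the raw URI.
WEAK_PATTERN = re.compile(r".*autodiscover\.json.*@.*Powershell.*", re.IGNORECASE)

# A rule that only requires both tokens to appear somewhere in the DECODED URI.
HARDENED_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def parse_iis_line(line):
    """Split one W3C log line into its fields; None for blank or '#' comment lines."""
    if not line.strip() or line.startswith("#"):
        return None
    date, time, method, stem, query, status = line.split()
    return {"time": f"{date} {time}", "method": method, "stem": stem,
            "query": query, "status": int(status)}


def request_uri(rec):
    """Rebuild the URI as IIS saw it ('-' in cs-uri-query means no query string)."""
    return rec["stem"] if rec["query"] == "-" else f'{rec["stem"]}?{rec["query"]}'


def fully_decode(uri, max_rounds=5):
    """Percent-decode until the string stops changing (bounded), so a
    double-encoded %2553 collapses to 'S' just as a single-encoded %53 does."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def weak_rule_matches(uri):
    """Literal match on the raw URI: misses any percent-encoded variant."""
    return WEAK_PATTERN.search(uri) is not None


def hardened_rule_matches(uri):
    """Match on the decoded URI, independent of token order or encoding."""
    return HARDENED_PATTERN.search(fully_decode(uri)) is not None


def triage(log_text):
    """One record per log line with both verdicts, so the gap between the rules is visible."""
    results = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_iis_line(line)
        if rec is None:
            continue
        uri = request_uri(rec)
        results.append({"line": n, "uri": uri,
                        "weak": weak_rule_matches(uri),
                        "hardened": hardened_rule_matches(uri)})
    return results


def evaded_weak_rule(log_text):
    """Line numbers the hardened rule flags but the literal rule lets through."""
    return [r["line"] for r in triage(log_text) if r["hardened"] and not r["weak"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'line {r["line"]}: weak={r["weak"]!s:5} hardened={r["hardened"]!s:5} {r["uri"]}')
    print("evaded literal rule:", evaded_weak_rule(SAMPLE_LOG))
```

Run it against a real IIS log by reading the file into triage() instead of SAMPLE_LOG; every line the hardened rule flags is worth a look regardless of the HTTP status, because a 200 on a Power%53hell request means the literal filter was in place and did nothing.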

Facts

● Requires authenticated access to the Exchange server (valid credentials for any mailbox)
● Only affects on-premises Exchange Server 2013, 2016 and 2019; Exchange Online is not affected
● No patch was available when this was written (October 15, 2022); the fix shipped in the November 8, 2022 Exchange Security Updates
● Adversaries chain the two zero-days to drop web shells on the server
● Microsoft observed attacks in fewer than 10 organizations globally at the time of disclosure
