ProxyShell: Deep Dive into the Exchange Vulnerabilities

ProxyShell is a new attack surface on Microsoft Exchange server discussed back in 2021 Black Hat USA conference [1]. According to Unit 42 analysis [3] by Palo Alto, ProxyShell was used 55% of the time out of the 6 CVEs which were most exploited for Initial Access (Image below). Due to the popularity of Exchange and the fact that attackers are exploiting it the most, CISA has added ProxyShell to the 2021 Top Routinely Exploited Vulnerabilities [2] list.

Exploitation of ProxyShell is easy and it gives the attacker a shell running as Windows NT Authority user. Thus, it is worth to revisit the ProxyShell vulnerability and analyse how the vulnerability works.

Vulnerabilities Involved

ProxyShell works by chaining 3 CVEs which are mentioned below –


This is a server-side request forgery (SSRF) vulnerability that means the attacker can force the vulnerable server to make requests to internal resources on his behalf. No authentication is needed in this case since the requests are made by the endpoints to the backend servers, so trust is already there. The vulnerability occurs due to a path confusion issue where the URI is parsed incorrectly.

To exploit, the URI needs to be of the following format -
/Autodiscover/autodiscover.json? with Email=Autodiscover/autodiscover.json? provided as a cookie.

Here /mapi/nspi is the URI that is queried to the backend server and can be replaced by some other URIs which can do a variety of function for us.
This vulnerability enables the attacker to execute the other 2 CVEs by sending their payload to the backend server which normally requires authentication. The requests are made as NT Authority/System user which has the highest privilege in Windows. We will mention this CVE as the SSRF vulnerability in the rest of the blog.


Using the SSRF vulnerability, we can access the PowerShell remoting agent of Exchange which is available at /PowerShell/. This is a very restrictive PowerShell environments that permits only certain PowerShell cmdlets [4] enabling the automation of Exchange tasks. Although the sent requests use the System user, we can’t use that with this PowerShell endpoint as there is no mailbox belonging to that user. So, we need to be one of the users of Exchange, e.g. Exchange Admin. That is what this CVE-2021-34523 enables us to do. Due to this vulnerability an access token provided as the X-Rps-CAT parameter in the query is deserialized and added as X-CommonAccessToken header in the final request which lets the attacker impersonate that user.


This vulnerability lets an attacker export mailbox content to a path and extension of their choosing when it should only be letting them export in certain mail extensions. So, an attacker can save a WebShell embedded mail as draft by using the SSRF vulnerability and then export it using the cmdlet New-MailboxExportRequest in .NET formats like Active Server Pages (ASPX) in appropriate directories using this vulnerability and get code executed through that.

Proof Of Concept

There are a bunch of publicly available POCs in GitHub [5] as well as a Metasploit module [6]. Executing them requires a vulnerable environment setup.

Vulnerable Environment Setup


We will use the Metasploit module that is available. Metasploit is a framework which comes pre-installed in distros like Kali Linux. It can also be installed in other Linux distros (instructions here [10]).

Here are the steps to exploit using Metasploit.

We see that lot of things happened before we got the shell, we will break it down. As, when possible, I will try to replicate the requests sent via the Metasploit module using the curl command for better understanding and visibility.


The following flowchart summarizes the steps discussed above and mentions the vulnerability exploited in each step :\


Microsoft has released patches for ProxyShell back in May 21 as part of Windows Updates, so be sure to update your system to be protected against the vulnerabilities.
You can also use the Keysight test platforms with ATI subscription to safeguard your network against such attacks. Keysight Threat Simulator or BreakingPoint products can help you assess your network security controls and determine whether you can be protected before the patch. This kind of assessment is valuable as it can let you know if you have protection during the time before a change management window will open.

Leverage subscription service to stay ahead of attacks

Keysight's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously checks threats as they appear in the wild and has coverage for all the 3 CVEs in ProxyShell with multiple variations of the attack (as part of releases 2022-17 and 2022-18) to help keep your network secure. More information is present here.

The following images shows screenshots of the 3 CVEs as a strike in BreakingPoint System:


[1]\ [2]\ [3]\ [4]\ [5]\ [6]\ [7]
[8]\ [9]\_data\_protector-jA0g.html\ [10]