[BreachExchange] 'ProxyToken' Exchange Server Vulnerability Leads to Email Compromise

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Aug 31 08:17:24 EDT 2021


https://www.securityweek.com/proxytoken-exchange-server-vulnerability-leads-email-compromise

Tracked as CVE-2021-33766 and referred to as ProxyToken, the vulnerability
has a severity rating of medium (CVSS score of 6.5). The security hole was
identified by Le Xuan Tuyen of VNPT ISC, working with Trend Micro’s Zero
Day Initiative (ZDI).

The security bug is related to the authentication of requests to services
within the ecp web application and can be exploited using crafted requests
to bypass authentication.

“With this vulnerability, an unauthenticated attacker can perform
configuration actions on mailboxes belonging to arbitrary users. As an
illustration of the impact, this can be used to copy all emails addressed
to a target account and forward them to an account controlled by the
attacker,” ZDI’s Simon Zuckerbraun explains.

The issue exists because neither of the two sites that Exchange creates in
IIS (one acting as the front end, the other as the back end) authenticates
certain requests when the Delegated Authentication feature is not enabled
and a non-empty cookie named SecurityToken is present on the request.

“In summary, when the front end sees the SecurityToken cookie, it knows
that the back end alone is responsible for authenticating this request.
Meanwhile, the back end is completely unaware that it needs to authenticate
some incoming requests based upon the SecurityToken cookie, since the
DelegatedAuthModule is not loaded in installations that have not been
configured to use the special delegated authentication feature,”
Zuckerbraun notes.

He also explains that the “ECP canary” ticket does not stop unauthenticated
requests either: if a request to a /ecp page lacks the canary, the server
returns an HTTP 500 response, and that response itself contains a valid
canary that can be reused.

An attacker with an account on the same Exchange server as the victim may
exploit the vulnerability to set a forwarding rule that would allow them to
read all the victim’s incoming mail. Provided that the Exchange
administrator has set a global configuration value to allow the use of
forwarding rules to arbitrary Internet destinations, no Exchange
credentials are needed for the exploit.
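Because the practical impact described above depends on mail forwarding, the audit an Exchange administrator would want is one that surfaces the global auto-forward setting and any mailboxes or inbox rules that already forward mail outside the organization. The script below is an added example for this post, not code from SecurityWeek, ZDI or Microsoft; it uses the standard Exchange Management Shell cmdlets (Get-RemoteDomain, Get-Mailbox, Get-InboxRule) and assumes you replace the constructed $InternalDomains list with your own accepted domains.

```powershell
# Added example (not from the article or ZDI): audit an on-premises Exchange
# organization for the conditions the article ties to the ProxyToken impact:
# a remote domain that permits automatic forwarding to the Internet, and
# mailboxes or inbox rules that already forward mail outside the organization.
# Run in the Exchange Management Shell with View-Only Organization Management
# rights or higher.

# Constructed sample values: replace with the domains your organization owns.
$InternalDomains = @('contoso.com', 'corp.contoso.com')

function Test-ExternalAddress {
    # Returns $true when an address (plain SMTP address, 'smtp:addr', or the
    # 'Display Name [SMTP:addr]' form Get-InboxRule emits) is outside $InternalDomains.
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    $addr = $Address
    if ($Address -match '\[SMTP:([^\]]+)\]') { $addr = $Matches[1] }
    $addr = $addr -replace '^smtp:', ''          # -replace is case-insensitive by default
    $domain = ($addr -split '@')[-1].ToLowerInvariant()
    return -not ($InternalDomains -contains $domain)
}

# 1. The global setting: AutoForwardEnabled on a remote domain (the Default
#    domain '*' covers every external destination) is what lets client-side
#    rules forward mail to the Internet at all.
Write-Host "== Remote domains permitting auto-forward =="
Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } |
    Select-Object Name, DomainName, AutoForwardEnabled | Format-Table -AutoSize

# 2. Forwarding configured on the mailbox object itself.
Write-Host "== Mailboxes with forwarding configured =="
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Inbox rules that forward or redirect to an address outside $InternalDomains.
#    This walks every mailbox, so expect it to take a while in a large org.
Write-Host "== Inbox rules forwarding outside the organization =="
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-ExternalAddress ([string]$t))) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Target  = [string]$t
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Any rule or mailbox listed in sections 2 and 3 is worth confirming with its owner; a rule created recently that forwards to a domain nobody recognises is the artefact the article describes. Disabling AutoForwardEnabled on the Default remote domain removes the precondition the article names, independent of patch status.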

“Furthermore, since the entire /ecp site is potentially affected, various
other means of exploitation may be available as well,” Zuckerbraun says.

Microsoft informed users about the availability of patches for Exchange
Server 2013, 2016 and 2019 with an advisory issued in July, but some
believe the actual fixes may have been released sooner.

“This is an interesting security vulnerability, but because this requires
an existing active account on Microsoft Exchange to begin with...this is
not a huge external threat. It can be used as part of a chained exploit
where the attacker has already gained access, and it can be used for spear
phishing, eavesdropping and even escalation of privilege attacks...so it is
not nothing. Anyone can think up some malicious attacks using it, if the
initial access is already gained,” Roger Grimes, data driven defense
evangelist at KnowBe4, said in an emailed comment.