
    Microsoft Exchange ProxyToken bug can let hackers steal user email


    Technical details have emerged on a severe vulnerability in Microsoft Exchange Server dubbed ProxyToken that does not require authentication to access emails from a target account.

    An attacker can exploit the vulnerability by crafting a request to web services within the Exchange Control Panel (ECP) application and steal messages from a victim's inbox.

    Delegation confusion

    Tracked as CVE-2021-33766, ProxyToken gives unauthenticated attackers access to the configuration options of user mailboxes, where they can define an email forwarding rule.

    As a result, email messages intended for a target user will be delivered to an account that the attacker controls.

    The bug was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and reported through the Zero-Day Initiative (ZDI) program in March.

    He found that Microsoft Exchange's frontend website (Outlook Web Access, Exchange Control Panel) functions largely as a proxy for the backend website (Exchange Back End), to which it passes authentication requests.

    In Microsoft Exchange deployments where the "Delegated Authentication" feature is active, the frontend forwards the requests that need authentication to the backend, which identifies them by the presence of a 'SecurityToken' cookie.

    [Image: 'SecurityToken' cookie needed to exploit the ProxyToken vulnerability in Microsoft Exchange Server]
    source: ZDI

    When there is a non-empty 'SecurityToken' cookie in a request within '/ecp', the frontend delegates the authentication decision to the backend.

    However, the default configuration of Microsoft Exchange does not load, for the backend ECP website, the module responsible for delegating the validation process (DelegatedAuthModule).

    "In summary, when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature" – Zero-Day Initiative

    Exploiting the ProxyToken vulnerability is not complete without another issue, albeit a minor one: requests for the /ecp page need a ticket known as the "ECP canary," which can be obtained by triggering an HTTP 500 error.

    As it turns out, requests without the ticket trigger an HTTP 500 error that contains the valid string necessary for successfully issuing an unauthenticated request.

    [Image: ECP canary string needed to exploit the ProxyToken vulnerability in Microsoft Exchange Server]
    source: ZDI

    A patch has been available from Microsoft since July, according to the company's public advisory. Rapid7's Tom Sellers notes that version numbers and dates indicate that the patches were released as early as April, though.

    The vulnerability is not critical. NIST calculated its severity score at 7.5 out of 10. This is because an attacker needs an account on the same Exchange server as the victim.

    For example, a request from an attacker looks like this:

    [Image: HTTP request to trigger the ProxyToken vulnerability in Microsoft Exchange Server]

    In a blog post today, the Zero-Day Initiative notes that some Exchange server administrators set a global configuration value that enables creating an email forwarding rule to an arbitrary destination. In such cases, the attacker needs no credentials.
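    The end result of a successful ProxyToken exploit is a forwarding rule on a victim's mailbox, and the global setting mentioned above widens the pool of possible destinations. The script below is an added example (it is not from the article, ZDI, or Microsoft) showing how an Exchange administrator can audit for both from the Exchange Management Shell: it lists mailbox-level forwarding, enumerates inbox rules that forward or redirect mail and flags external targets, reports the AutoForwardEnabled value on remote domains, and prints server versions to compare against Microsoft's advisory for CVE-2021-33766. The list of internal domains is a placeholder, and treating AutoForwardEnabled as the "global configuration value" the article refers to is an assumption, since the article does not name the setting.

```powershell
# Added example, not code from the article or from ZDI/Microsoft.
# Run from the Exchange Management Shell on an Exchange server.

# Placeholder: replace with the accepted domains of your organisation.
$internalDomains = @('example.com', 'example.local')

function Test-ExternalAddress {
    param([string]$Target)
    # Inbox rule targets are stored as strings such as '"Name" [SMTP:user@domain]'
    # or as display names of resolved recipients; extract the SMTP part if present.
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    $addr = $Target
    if ($Target -match '(?i)smtp:([^\]\s]+)') { $addr = $matches[1] }
    if ($addr -notmatch '@') { return $false }     # resolved internal recipient
    $domain = ($addr -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding set through the mailbox configuration.
Write-Host '== Mailboxes with forwarding configured =='
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. Inbox rules that forward or redirect, with external targets flagged.
Write-Host '== Inbox rules that forward or redirect mail =='
$mailboxes | ForEach-Object {
    $mbx = $_
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                        Where-Object { $_ } | ForEach-Object { [string]$_ }
            $external = @($targets | Where-Object { Test-ExternalAddress $_ })
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = ($targets -join '; ')
                External = ($external.Count -gt 0)
            }
        }
} | Sort-Object External -Descending | Format-Table -AutoSize

# 3. Remote-domain setting that allows automatic forwarding to external domains
#    (assumed here to be the global value the article alludes to).
Write-Host '== Remote domains and AutoForwardEnabled =='
Get-RemoteDomain | Select-Object DomainName, AutoForwardEnabled | Format-Table -AutoSize

# 4. Server build numbers, to compare against the July security update
#    listed in Microsoft's advisory for CVE-2021-33766.
Write-Host '== Exchange server versions =='
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion | Format-Table -AutoSize
```

    Rules flagged External=True on mailboxes whose owners did not create them are the signal to investigate; a rule created by an attacker through ECP will otherwise look like any user-defined rule, so correlating the rule's creation time with the owner's activity is the useful next step.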

    Exploit attempts

    Although technical details for ProxyToken were released only today, exploit attempts have been recorded as early as three weeks ago.

    According to Rich Warren, red teamer for NCC Group, he saw a larger number of exploitation attempts on August 10.

    As in the case of the ProxyShell vulnerabilities, if administrators of Microsoft Exchange servers have not installed the patches for ProxyToken, they should prioritize the task.
