ProxyNotShell: CVE-2022-41040 and CVE-2022-41082 Exploits Explained


On September 30, 2022, Microsoft confirmed two actively exploited vulnerabilities in on-premises Microsoft Exchange Server. Because they closely resemble their predecessor ProxyShell, the pair was named ProxyNotShell. Adversaries chain the two vulnerabilities in the wild to gain remote code execution (RCE) on vulnerable Exchange servers, and reports from the initial victims show that the exploited servers were up to date, including the patches for the ProxyShell vulnerabilities.

At the time of discovery, the ProxyNotShell vulnerabilities affected the latest, fully patched versions of Exchange Server, so the researchers who found them withheld a public proof of concept to limit abuse. Microsoft fixed both vulnerabilities in the November 8, 2022 Exchange Server Security Updates, and organizations are advised to install them.

Picus Labs added new attack simulations for ProxyNotShell exploitation attacks to the Picus Threat Library. In this blog, we explain the CVE-2022-41040 and CVE-2022-41082 vulnerabilities in detail.


What Is ProxyNotShell?

ProxyNotShell, like its predecessor ProxyShell, is not a single vulnerability but a pair of vulnerabilities that are chained to take control of Microsoft Exchange servers. Because they were being exploited in the wild against fully patched Exchange servers before any fix existed, the ProxyNotShell vulnerabilities are zero-day vulnerabilities.

CVE-2022-41040: The first is a Server-Side Request Forgery (SSRF) vulnerability in the Exchange Autodiscover frontend. It allows an authenticated adversary (a low-privileged mailbox user is enough; no administrative rights are required) to reach internal backend endpoints and remotely trigger the second vulnerability, CVE-2022-41082.

CVE-2022-41082: The second is a Remote Code Execution (RCE) vulnerability in the Exchange PowerShell backend. It is exploitable once the attacker can reach that PowerShell remoting endpoint, which is exactly what the SSRF provides.

Because the exploitation of CVE-2022-41040 and CVE-2022-41082 follows the same attack flow and the same SSRF-to-RCE pairing that adversaries used against ProxyShell, but requires authenticated access to the Exchange server, security researcher Kevin Beaumont named the chain ProxyNotShell, after its predecessor.

On November 8, 2022, Microsoft released updates for Exchange Server, and organizations are advised to update their Exchange Servers to the latest version.

What Was ProxyShell?

ProxyShell is the collective name for three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting unpatched on-premises Microsoft Exchange servers only. Chained together, they give adversaries pre-authenticated remote code execution (RCE).

These vulnerabilities lie in the Exchange Client Access Services (CAS) frontend hosted in IIS. By design, CAS is exposed to the Internet so that users can reach their mailboxes from mobile devices and web browsers, and that exposure let attackers execute arbitrary code remotely on the compromised system, much as in the HAFNIUM APT campaigns against Exchange.

Even though Microsoft shipped patches for all three vulnerabilities in the April and May 2021 Security Updates (two of the three CVEs were only publicly documented in July 2021), threat actors such as the Hive ransomware gang still exploit the ProxyShell vulnerabilities against unpatched Microsoft Exchange servers. Considering that two of the three carry a CVSS score of 9.8 (Critical) and that many on-premises Exchange servers remain unpatched, it is no surprise that adversaries keep targeting them. Please see our blog post on simulating and preventing ProxyShell exploits for further information.

Technical Details of ProxyNotShell

The first vulnerability in the ProxyNotShell exploitation chain is CVE-2022-41040, an authenticated Server-Side Request Forgery (SSRF) vulnerability in the Exchange Autodiscover frontend. It has a CVSS score of 8.8 (High). Adversaries exploit CVE-2022-41040 to send a request with an attacker-controlled URI and body to an arbitrary backend service, which handles it with LocalSystem privilege. The request below shows the path-confusion trick: the frontend sees a legitimate /autodiscover/autodiscover.json URL (repeated, percent-encoded, in the Email parameter so the frontend accepts it), while the part after the "@" is what gets forwarded to the backend, here the PowerShell remoting endpoint.

GET /autodiscover/autodiscover.json?@zdi/PowerShell?serializationLevel=Full;ExchClientVer=15.2.922.7;clientApplication=ManagementShell;TargetServer=;PSVersion=5.1.17763.592&Email=autodiscover/autodiscover.json%3F@zdi HTTP/1.1
Host: 192.168.1.10
Authorization: Basic cG9jdXNlcjpwb2NwYXNzd2QK
Connection: close

Example 1: CVE-2022-41040 exploit PoC [1]

The second vulnerability in the ProxyNotShell chain is CVE-2022-41082, a remote code execution vulnerability in the Exchange PowerShell backend. It also has a CVSS score of 8.8 (High). Once CVE-2022-41040 gives them a route to the PowerShell backend, adversaries exploit CVE-2022-41082 to run arbitrary commands on the vulnerable Exchange server.

Security professionals discovered these vulnerabilities only after observing their successful exploitation in the wild. The IIS log data shows that the exploit requests used the same URL format as the ProxyShell exploitation of 2021.

Example 2: IIS logs of a successful exploit of ProxyShell vulnerabilities in 2021
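The log pattern described above can be hunted for mechanically. The following Python script is an added example written for this post (it is neither Picus code nor an official Microsoft tool): it parses IIS W3C log lines, percent-decodes the request URI, and flags requests that combine the autodiscover.json front door, the "@" path-confusion marker and a PowerShell backend target. The log lines are constructed for illustration. For comparison it also applies the regular expression Microsoft published for grepping IIS logs ('powershell.*autodiscover\.json.*\@.*200') to the raw line, which shows why decoding first matters.

```python
"""Hunt for ProxyNotShell (CVE-2022-41040) requests in IIS W3C logs.

Added example for this post; not Picus' or Microsoft's code. The log lines
below are constructed for illustration and follow the default IIS W3C layout.
"""
import re
from urllib.parse import unquote

# Constructed sample log. Line 2 mirrors the request shape of Example 1, line 3
# is the same attack with "PowerShell" percent-encoded, line 4 is the same
# attack without credentials (rejected with 401), lines 1 and 5 are benign.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 08:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/&reason=0 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2022-09-30 08:15:09 10.0.0.5 GET /autodiscover/autodiscover.json @zdi/PowerShell?serializationLevel=Full;clientApplication=ManagementShell&Email=autodiscover/autodiscover.json%3F@zdi 443 EXAMPLE\\pocuser 203.0.113.7 Mozilla/5.0 - 200 0 0 45
2022-09-30 08:15:10 10.0.0.5 POST /autodiscover/autodiscover.json @x/%50%6f%77%65%72%53%68%65%6c%6c?PSVersion=5.1&Email=autodiscover%2fautodiscover.json%3f@x 443 EXAMPLE\\pocuser 203.0.113.7 Mozilla/5.0 - 200 0 0 51
2022-09-30 08:16:00 10.0.0.5 POST /autodiscover/autodiscover.json @x/PowerShell?PSVersion=5.1&Email=autodiscover/autodiscover.json%3F@x 443 - 203.0.113.7 Mozilla/5.0 - 401 1 0 3
2022-09-30 08:20:44 10.0.0.5 GET /autodiscover/autodiscover.json Email=bob@example.test 443 EXAMPLE\\bob 198.51.100.3 Outlook/16.0 - 200 0 0 88
"""

# Microsoft's published IIS-log hunting pattern. PowerShell's Select-String is
# case-insensitive by default, so IGNORECASE reproduces its behaviour. It is
# applied to the raw, still percent-encoded line.
MS_HUNT_PATTERN = re.compile(r"powershell.*autodiscover\.json.*\@.*200", re.IGNORECASE)


def parse_iis_w3c(log_text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def decoded_uri(record):
    """Rejoin stem and query and percent-decode until the text stops changing.

    The Email= parameter carries a second, percent-encoded copy of the path and
    the backend name itself may be encoded, so a single pass is not enough for
    a reliable case-insensitive substring check.
    """
    query = record["cs-uri-query"]
    uri = record["cs-uri-stem"] if query == "-" else f"{record['cs-uri-stem']}?{query}"
    for _ in range(3):
        once = unquote(uri)
        if once == uri:
            break
        uri = once
    return uri


def backend_target(record):
    """Backend path the frontend is tricked into forwarding to: the text after
    the first '@' up to the next '?' or '&' (e.g. 'zdi/PowerShell')."""
    parts = decoded_uri(record).split("@", 1)
    return re.split(r"[?&]", parts[1], maxsplit=1)[0] if len(parts) == 2 else ""


def is_proxynotshell_request(record):
    """CVE-2022-41040 path confusion: autodiscover.json front door, an '@'
    that shifts the backend path, and PowerShell as the forwarded target."""
    uri = decoded_uri(record).lower()
    return ("/autodiscover/autodiscover.json" in uri
            and "@" in uri
            and "powershell" in uri.split("@", 1)[1])


def hunt(log_text):
    """Structured hits. sc-status says whether the frontend forwarded the
    request (200) or rejected it (401: no valid credentials presented)."""
    hits = []
    for record in parse_iis_w3c(log_text):
        if is_proxynotshell_request(record):
            hits.append({
                "time": f"{record['date']} {record['time']}",
                "client": record["c-ip"],
                "user": record["cs-username"],
                "method": record["cs-method"],
                "status": int(record["sc-status"]),
                "backend_target": backend_target(record),
            })
    return hits


def successful_hits(log_text):
    """Only requests the frontend accepted and forwarded (HTTP 200)."""
    return [h for h in hunt(log_text) if h["status"] == 200]


def raw_pattern_hits(log_text):
    """Microsoft's pattern on the raw line, for comparison with hunt()."""
    return [line for line in log_text.splitlines()
            if not line.startswith("#") and MS_HUNT_PATTERN.search(line)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_IIS_LOG):
        print(hit)
    print("raw-pattern matches:", len(raw_pattern_hits(SAMPLE_IIS_LOG)))
```

To use it on real data, replace SAMPLE_IIS_LOG with the contents of the exported W3C log files. On the sample, the decoded check flags three requests (two forwarded with 200, one refused with 401), while the raw-line pattern catches only one, because it misses the percent-encoded "PowerShell" and requires a literal 200. A 401 hit is a failed attempt, consistent with CVE-2022-41040 needing valid credentials; a 200 hit means the frontend forwarded the request to the PowerShell backend and the host should be investigated as possibly compromised.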

After successful exploitation, adversaries drop a web shell or other backdoor on the Exchange server to establish persistence and then move laterally to accomplish their objectives.

How Does Picus Help Simulate ProxyNotShell Attacks?

We also strongly suggest simulating ProxyNotShell attacks to test the effectiveness of your security controls against vulnerability exploitation attacks using the Picus Complete Security Validation Platform. You can test your defenses against ProxyShell, Log4Shell, and hundreds of other vulnerabilities within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for ProxyNotShell and other Microsoft Exchange vulnerabilities:

Threat ID | Threat Name | Attack Module
23704 | Microsoft Exchange Server ProxyNotShell Web Attack Campaign | Web Application
      |   • Microsoft Exchange Server Remote Code Execution in PowerShell Backend Vulnerability Variant-1 (Action ID: 588633) |
      |   • Microsoft Exchange Server Remote Code Execution in PowerShell Backend (OWASSRF) Vulnerability Variant-2 (Action ID: 704113) |
24723 | Microsoft Exchange Web Attack Campaign | Web Application

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for these attacks in preventive security controls. Picus Labs has validated the following signatures:

Security Control | Signature ID | Signature Name
Check Point NGFW | asm_dynamic_prop_CVE_2022_41080 | Microsoft Exchange Server Server-Side Request Forgery (CVE-2022-41080)
Check Point NGFW | asm_dynamic_prop_CVE_2022_41082 | Microsoft Exchange Server Remote Code Execution (CVE-2022-41082)
Cisco Firepower NGFW | 1.61042.1 | SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
FortiGate IPS | 50584 | web_app3: MS.Exchange.Server.Autodiscover.Remote.Code.Execution
FortiGate IPS | 52448 | web_app3: MS.Exchange.Server.OWA.Remote.Code.Execution
Snort IPS | 1.2039065.2 | ET EXPLOIT Microsoft Exchange Remote Code Execution Attempt (CVE-2022-41040, CVE-2022-41082)
Snort IPS | 1.61042.1 | SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
TippingPoint TPS | 41776 | HTTP: Microsoft Exchange PowerShell Insecure Deserialization Vulnerability (ZDI-22-1624)


Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] P. Bazydło, "Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend," Zero Day Initiative, Nov. 16, 2022. [Online]. Available: https://www.thezdi.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend. [Accessed: Nov. 18, 2022]