Security researcher Le Xuan Tuyen discovered a Microsoft Exchange server bug that allows threat actors to access users’ emails through an authentication bypass flaw.
Dubbed ProxyToken, CVE-2021-33766 allows an attacker to modify email forwarding rules to copy all emails addressed to a target to an account controlled by the attacker.
The bug originates from the way Microsoft Exchange servers handle authentication between the frontend and backend systems through delegated authentication.
ProxyToken is the latest bug plaguing the Microsoft Exchange email server after the ProxyShell vulnerability used to deploy LockFile ransomware.
Exchange Servers vulnerable from Delegated Authentication bypass flaw
The security researcher noted that Microsoft Exchange servers use two websites to render emails. The frontend consists of Outlook Web Access (OWA) and the Exchange Control Panel (ECP). The default website listens on port 80 for HTTP and port 443 for HTTPS.
For requests that require forms authentication, the frontend loads authentication forms such as /owa/auth/logon.aspx. Clients also connect to the frontend using web services. In either case, the frontend acts as a proxy: it repackages requests, sends them to the backend, and forwards the responses to the clients.
The backend site, called the “Exchange Back End”, listens on port 81 for HTTP and port 444 for HTTPS. To trigger the vulnerability, an attacker sends requests containing a non-empty SecurityToken cookie through the /ecp route. When the frontend finds this token, it understands that the backend is solely responsible for authentication and forwards the request. For this to be safe, the backend must be configured to perform the authentication check, but the DelegatedAuthModule that does so is not loaded in Exchange Server’s default configuration. Thus, the backend doesn’t know that it needs to authenticate incoming requests based on this SecurityToken, according to the Zero Day Initiative (ZDI) blog post.
An attacker also needs the “ECP canary” ticket that can be obtained by triggering an HTTP 500 error that contains a valid string necessary for unauthenticated requests.
The net result is that requests initiated through this process are not subjected to authentication from either the front end or the backend.
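As an added detection example (not code from the article or from ZDI), the script below scans IIS W3C log lines for the request pattern described above: a request on the /ecp route that carries a non-empty SecurityToken cookie while IIS recorded no authenticated user. It assumes the optional cs(Cookie) field has been enabled in the site's logging; the log excerpt and its paths are constructed.

```python
from typing import Dict, Iterator, List
from urllib.parse import unquote

# Constructed IIS W3C log excerpt; the cs(Cookie) field is not logged by default and is
# assumed to have been enabled on the Default Web Site. Paths are illustrative only.
SAMPLE_LOG = """\
#Fields: date time s-port cs-method cs-uri-stem cs-uri-query cs-username sc-status cs(Cookie)
2021-08-10 09:12:01 443 GET /owa/auth/logon.aspx url=%2fowa - 200 -
2021-08-10 09:12:07 443 POST /ecp/mailbox/rules - - 500 SecurityToken=x
2021-08-10 09:12:09 443 POST /ecp/mailbox/rules - - 200 SecurityToken=x
2021-08-10 09:13:00 443 GET /ecp/default.aspx - CORP\\admin 200 ASP.NET_SessionId=abc;+SecurityToken=y
2021-08-10 09:14:30 443 GET /ecp/default.aspx - - 302 -
"""

def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one record per data line, keyed by the most recent #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            values = raw.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def has_security_token(cookie_field: str) -> bool:
    """True if the cs(Cookie) field carries a non-empty SecurityToken.
    IIS logs '-' for an absent field and writes spaces as '+'."""
    if cookie_field == "-":
        return False
    for part in unquote(cookie_field.replace("+", " ")).split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SecurityToken" and value:
            return True
    return False

def find_proxytoken_candidates(log_text: str) -> List[Dict[str, str]]:
    """Records on the /ecp route carrying a SecurityToken cookie while IIS recorded no
    authenticated user: the combination the article describes, where neither the
    frontend nor the backend performed authentication. A 500 followed by a 200 on
    the same path is also consistent with the ECP canary retrieval step."""
    return [
        rec for rec in parse_w3c(log_text)
        if rec.get("cs-uri-stem", "").lower().startswith("/ecp/")
        and rec.get("cs-username", "-") == "-"
        and has_security_token(rec.get("cs(Cookie)", "-"))
    ]

if __name__ == "__main__":
    for hit in find_proxytoken_candidates(SAMPLE_LOG):
        print(hit["time"], hit["sc-status"], hit["cs-uri-stem"])
```

Legitimately authenticated ECP requests carry a cs-username, so the rule flags only the unauthenticated-plus-token combination; run it against the frontend site's logs, since that is where the cookie arrives.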
Authentication bypass allows attackers to configure actions on victim’s mailbox
Consequently, the attacker can perform arbitrary configuration actions on the victim’s mailbox, including copying all emails and forwarding them to a mailbox of their own on the same server. This process would require authentication and the attacker having a mailbox on the same Exchange server.
However, if the Exchange server’s administrator allows forwarding to external email addresses, the attacker does not require authentication. Based on these conditions, the ProxyToken authentication bypass vulnerability scored 7.3 on the CVSS scale.
Microsoft released patches for the Exchange server authentication bypass vulnerability in the July 2021 cumulative updates. However, a fix was already available in the March 2021 security updates.
“This is an interesting security vulnerability, but because this requires an existing active account on Microsoft Exchange to begin with … this is not a huge external threat,” Roger Grimes, data-driven defense evangelist at KnowBe4, said. “It can be used as part of a chained exploit where the attacker has already gained access, and it can be used for spear phishing, eavesdropping, and even escalation of privilege attacks … so it is not nothing.
“Anyone can think up some malicious attacks using it if the initial access is already gained. We most likely will not see a lot of illegal abuse of it. Still, good find for the discoverer and it is a good thing that there is already a patch for it.”
Threat actors exploiting ProxyToken authentication bypass vulnerability in the wild
Attempts to exploit vulnerable Exchange servers have been detected in the wild before Microsoft released patches.
According to NCC Group researcher Rick Warren, threat actors attempted to trigger the authentication bypass vulnerability on Exchange servers from August 10, three weeks before the bug was disclosed. However, the Microsoft Security Response Center (MSRC) listed the authentication bypass vulnerability as not publicly exploited and less likely to be exploited.
The researchers noted that Microsoft Exchange servers remained a fertile area for bug hunting. They attributed this to the product’s rich feature set and complex architecture. As the researchers posited, the authentication bypass vulnerability is hardly the last security flaw to affect Microsoft Exchange servers.