A security researcher has released proof-of-concept (PoC) exploit code for Microsoft Exchange ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082).
Microsoft patched ProxyNotShell as part of their November’s Patch Tuesday after the software giant previously released a security advisory for the two zero-day Exchange vulnerabilities on September 30, 2022.
“In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability,” Microsoft wrote in a blog post.
On November 16, 2022, security researcher Janggggg sent out a tweet about the ProxyNotShell PoC exploit script:
As released on GitHub, Janggggg published the PoC script and exploit details revealed by Zero Day Initiative (ZDI).
“It is a beautiful chain, with an ingenious vector for gaining remote code execution. The tricky part is that it can be exploited in multiple ways, making both mitigation and detection harder,” Piotr Bazydło from ZDI wrote in a blog post.
The chained exploit was originally submitted by researcher known as “DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC” to the ZDI program. The bugs were then shortly submitted to Microsoft after validation.
The first ProxyNotShell vulnerability (CVE-2022-42040), was similar to a ProxyShell Path Confusion vulnerability (CVE-2021-34473) in Microsoft Exchange previously discovered by Orange Tsai during the Pwn2Own Vancouver 2021 contest.
Although CVE-2021-34473 was patched by Microsoft in July 2021, the underlying root cause was not addressed, but was rather restricted to unauthenticated users. As a result, authenticated users could still abuse the issue by using Basic or NTLM authentication.
- Microsoft update for Microsoft Exchange Server zero-day ProxyNotShell vulnerabilities
- Microsoft November 2022 Security Updates addresses 65 vulnerabilities (6 zero-days to include ProxyNotShell)
- Microsoft releases out-of-band patch for Endpoint Configuration Manager
- Threat actor deploys malicious OAuth apps on compromised cloud tenants to spread spam
- Microsoft issues emergency Exchange server patch