A Microsoft Exchange ProxyToken Bug May Allow Hackers to Steal User Emails
The Vulnerability Doesn’t Require Authentication to Access Emails From a Target Account.
A serious vulnerability in Microsoft Exchange Server, dubbed ProxyToken, does not require authentication to access emails from a target account. An attacker can exploit it by crafting a request to web services within the Exchange Control Panel (ECP) application and, in this manner, steal messages from a victim’s inbox.
CVE-2021-33766, otherwise known as ProxyToken, allows unauthenticated attackers to access the configuration options of user mailboxes.
From there they can create an email forwarding rule, so that messages originally intended for a specific user are delivered to an account under the attacker’s control.
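The forwarding rule is the artefact a defender can hunt for after the fact. The following triage script is an added example written for this article, not Exchange or vendor code. It runs over records shaped like the output of Exchange’s Get-InboxRule cmdlet (property names ForwardTo, ForwardAsAttachmentTo, RedirectTo, Enabled, MailboxOwnerId and Name), constructed inline here; in a real investigation you would export the rules with Get-InboxRule and feed them in. The helper names and the sample mailboxes are this example’s own assumptions.

```python
"""Triage of mailbox forwarding rules after a suspected ProxyToken-style attack.

Added example for this article, not Exchange code. Records mirror the
property names of Get-InboxRule output; the sample below is constructed.
"""
from __future__ import annotations

import re
from typing import Iterable

# Matches an SMTP address inside either a bare string or an Exchange-style
# recipient rendering such as '"Drop" [SMTP:drop@attacker.example]'.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FORWARDING_PROPERTIES = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample: four rules as a defender might export them.
SAMPLE_RULES = [
    {"Name": "Move newsletters", "MailboxOwnerId": "alice@corp.example", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": []},
    {"Name": ".", "MailboxOwnerId": "alice@corp.example", "Enabled": True,
     "ForwardTo": ['"Drop" [SMTP:Drop@Attacker.example]'], "ForwardAsAttachmentTo": [],
     "RedirectTo": []},
    {"Name": "Cover for vacation", "MailboxOwnerId": "bob@corp.example", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [], "RedirectTo": ["carol@corp.example"]},
    {"Name": "Old forward", "MailboxOwnerId": "bob@corp.example", "Enabled": False,
     "ForwardTo": ["archive@elsewhere.example"], "ForwardAsAttachmentTo": [], "RedirectTo": []},
]


def forwarding_targets(rule: dict) -> list[str]:
    """Collect every SMTP address a rule forwards or redirects to, lower-cased."""
    targets: list[str] = []
    for prop in FORWARDING_PROPERTIES:
        for entry in rule.get(prop) or []:
            targets.extend(a.lower() for a in ADDRESS_RE.findall(str(entry)))
    return targets


def suspicious_rules(rules: Iterable[dict], internal_domains: set[str]) -> list[dict]:
    """Return every enabled rule that forwards or redirects mail.

    Each finding is tagged 'external' when any target lies outside the given
    domains, otherwise 'internal'. Internal targets are still reported: the
    article notes the attacker may hold a mailbox on the same server, so an
    intra-organisation forward is not automatically benign.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # disabled rules forward nothing
        targets = forwarding_targets(rule)
        if not targets:
            continue  # rule does not forward or redirect
        scope = "internal" if all(t.rsplit("@", 1)[1] in internal for t in targets) else "external"
        findings.append({"mailbox": rule.get("MailboxOwnerId"), "rule": rule.get("Name"),
                         "targets": targets, "scope": scope})
    # External forwarding first: it is the more urgent finding.
    findings.sort(key=lambda f: f["scope"] != "external")
    return findings


if __name__ == "__main__":
    for f in suspicious_rules(SAMPLE_RULES, {"corp.example"}):
        print(f"[{f['scope']:8}] {f['mailbox']} rule {f['rule']!r} -> {', '.join(f['targets'])}")
```

Mailbox-level forwarding (the ForwardingSmtpAddress and ForwardingAddress properties shown by Get-Mailbox) is a separate setting from inbox rules and is worth reviewing with the same eye, although this example only covers rules.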
Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), discovered the vulnerability and reported it through the Zero Day Initiative (ZDI) program in March.
He found that Microsoft Exchange’s frontend site (Outlook Web Access, Exchange Control Panel) works mostly as a proxy for the backend site (Exchange Back End), to which it passes requests that need authentication.
As explained by the journalists at BleepingComputer, Exchange supports a feature called “Delegated Authentication.” In deployments where it is in use, the frontend forwards requests that need authentication to the backend, which identifies them by the presence of a ‘SecurityToken’ cookie.
In summary, when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based on the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the delegated authentication feature. On such an installation the request therefore passes through both sites without either of them authenticating it.
The exploit is not complete at this point, because a second hurdle remains. Requests to the /ecp pages need a ticket known as the “ECP canary.” Conveniently for the attacker, a request that lacks the ticket triggers an HTTP 500 error, and that error response contains a valid canary string, which can then be used to issue the unauthenticated request successfully.
Microsoft released a patch for this vulnerability back in July. Because a successful attack requires the attacker to have an account on the same Exchange server as the victim, the CVE received a severity score of 7.5 out of 10.
ProxyToken Exploit Attempts
Even though the technical details of ProxyToken were released only recently, a number of exploit attempts have already been recorded, most of them on August 10th.
Administrators of Microsoft Exchange servers who have not already installed the patches for ProxyToken should prioritize doing so in order to remain safe.