A new proof-of-concept exploit was published by a security researcher this weekend. With slight modification, the PoC can be used to install web shells on Microsoft Exchange servers that are vulnerable to the actively exploited ProxyLogon vulnerabilities.

Earlier this month Microsoft disclosed a few zero-day vulnerabilities that, chained together, can be used to gain access to Microsoft Exchange servers, steal email, and plant further malware for deeper access to the network. Since then, administrators and security researchers have been scrambling to protect vulnerable servers exposed on the Internet.

Nguyen Jang published a video post showing a proof of concept (PoC) exploit for the Microsoft Exchange ProxyLogon vulnerability.

Firstly, the PoC I gave cannot run correctly. It will crash with many errors. Just for trolling the reader.

Source

Even though the PoC did not run correctly, and therefore could not cause real damage, it offered security researchers and threat actors enough information to develop a functional remote code execution exploit for Microsoft Exchange servers.

After he published the PoC, Microsoft reached out to Jang and informed him that the PoC was being taken down because it violated the Acceptable Use Policies.

GitHub stated that it took down the PoC to protect devices that are being actively exploited.

We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, GitHub disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.

Source

Jang was not the only one to publish a new ProxyLogon PoC that, with very little modification, can be used to exploit a vulnerable Microsoft Exchange server and drop a web shell on it.

Will Dormann tested the exploit against a Microsoft Exchange server, remotely installed a web shell, and executed the ‘whoami’ command, saying that the PoC is now within the reach of a “script kiddie”.

Source

Senior analyst Didier Stevens said that new information in the PoC released this weekend enabled him to get Jang’s PoC working and achieve successful remote code execution against his Microsoft Exchange server. He also agreed with Dormann’s opinion that the information disclosed in the new PoC would make it easier for less-skilled threat actors, known as ‘script kiddies’, to create a working ProxyLogon exploit.

On the 8th of March Microsoft released additional security updates for older versions of Microsoft Exchange, which now cover 95% of the Exchange servers exposed on the Internet.
