Reproducing The ProxyShell Pwn2Own Exploit

INTRO

https://www.zerodayinitiative.com/advisories/published/
  1. A pre-auth SSRF
  2. A way to turn that SSRF into a request against the /powershell endpoint
  3. Finally, calling cmdlets for post-auth RCE

ProxyLogon revisited

ProxyLogon entry point: ProxyRequestHandler.GetTargetBackEndServerUrl()

Autodiscover Pre-auth SSRF

Microsoft.Exchange.HttpProxy.AutodiscoverProxyRequestHandler
AutodiscoverProxyRequestHandler
=> derives from EwsAutodiscoverProxyRequestHandler
=> derives from BEServerCookieProxyRequestHandler
=> derives from ProxyRequestHandler
ProxyModule.SelectHandlerForUnauthenticatedRequest()
ProxyRequestHandler.GetTargetBackEndServerUrl()
After the ProxyLogon fix, the FQDN is checked here
EwsAutodiscoverProxyRequestHandler.GetClientUrlForProxy()
  1. We want to reach the if statement, so IsAutodiscoverV2Request() must return False and IsAutodiscoverV2PreviewRequest() must return False as well
Note that the check is done on AbsoluteUri, not AbsolutePath
So the request path is /autodiscover/autodiscover.json + a dummy string
PrepareServerRequest()
Result: SSRF with SYSTEM privilege

Pre-auth SSRF into /powershell

We don’t have permission on this endpoint :(
Powershell-Proxy IIS modules
BackendRehydrationModule.OnAuthenticateRequest()
BackendRehydrationModule.ProcessRequest()
Some blacklisted cookies that Exchange won’t copy to the backend request
Fetch the CommonAccessToken from “X-Rps-CAT”
Deserialize “X-Rps-CAT” into a CommonAccessToken
Format: V + version + T + type + C + compress + data
If compress is set => decompress; then, if the type is Windows, parse the data as a
WindowsAccessToken
Format: A + authenType + L + logonName + U + user SID
Then read the group SIDs:
G + groupLength + SIDs of the groups
https://docs.microsoft.com/en-us/exchange/architecture/mailbox-servers/recreate-arbitration-mailboxes?view=exchserver-2019
  1. SSRF to “/autodiscover/autodiscover.xml”
  2. Leaking the user SID via “/mapi/emsmdb”
Get-Group | Format-List Identity,Sid

New-MailboxExportRequest arbitrary file write

https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd

Chaining it all together

Our demonstration:
