Researcher Published PoC Exploit for ProxyLogon Vulnerabilities in Microsoft Exchange

PoC exploit for ProxyLogon vulnerabilities

An independent information security researcher from Vietnam has published a PoC exploit for the ProxyLogon vulnerabilities in Microsoft Exchange, and several well-known experts have already confirmed that it works.

Last week, Microsoft released out-of-band patches for four vulnerabilities in the Exchange mail server, collectively known as ProxyLogon.

These vulnerabilities can be chained together, and exploiting the chain allows a remote attacker to authenticate to the Exchange server, gain administrator rights, install malware, and steal data.

Many security companies have warned of mass exploitation of this vulnerability chain. Initially ProxyLogon was exploited only by the Chinese hacking group Hafnium, but once the problems were made public, other attackers joined in.

According to ESET analysts, at least ten hack groups are currently using ProxyLogon bugs to install backdoors on Exchange servers around the world.

Figure: timeline of ProxyLogon attacks (image: Microsoft)

Worse, researchers at the Dutch non-profit organization DIVD scanned the Internet for vulnerable Microsoft Exchange servers and concluded that a large share of the roughly 250,000 reachable servers are still unpatched. Following the scan, the researchers and the volunteers assisting them tried to alert vulnerable companies and organizations by contacting local CERTs, providers, and company representatives directly.

"The DIVD.nl scanned over 250K Exchange servers. Sent over 46K emails to the owners. The amount of vulnerable servers is going down. The number of compromised systems is going up. More organizations start investigating their systems for Hafnium exploits," writes Victor Gevers, researcher at GDI.foundation and Chair of DIVD.NL.

Several PoC exploits have been posted on GitHub since the vulnerability was disclosed, but most of them turned out to be trolling or didn’t work as expected.

Now an independent cybersecurity researcher from Vietnam has presented a working PoC exploit, whose functionality has already been confirmed by well-known experts such as Marcus Hutchins of Kryptos Logic, Daniel Card of PwnDefend and John Whittington of Condition Black.

"I've confirmed there is a public PoC floating around for the full RCE exploit chain. It has a couple of bugs but with some fixes, I was able to get a shell on my test box," Marcus Hutchins wrote on Twitter.

The PoC chains CVE-2021-26855 (a pre-authentication server-side request forgery in the Exchange front end) with CVE-2021-27065 (a post-authentication arbitrary file write) to authenticate to the Exchange server and then execute malicious code on it. Hutchins notes that the researcher's code cannot be used out of the box, but that it can easily be modified into a fully working RCE tool.
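The SSRF step of that chain leaves a recognisable trace on the server: Microsoft's HAFNIUM guidance says to look in the Exchange HttpProxy logs for requests with an empty AuthenticatedUser whose AnchorMailbox matches ServerInfo~*/*, because that is how a front-end request proxied on behalf of nobody shows up. The script below is an added example written for this page, not code from the article, the researcher's PoC, or Microsoft's Test-ProxyLogon.ps1. The log lines are constructed and use only three of the many columns a real HttpProxy CSV contains; the backend path in the matching row is chosen for illustration only.

```python
import csv
import fnmatch
import io
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample of an Exchange HttpProxy log. Real logs have dozens of
# columns; only DateTime, AuthenticatedUser and AnchorMailbox are kept here.
# The third row mimics the CVE-2021-26855 SSRF indicator Microsoft documented:
# no authenticated user, AnchorMailbox of the form ServerInfo~<host>/<path>.
# The last row has the same AnchorMailbox shape but an authenticated user,
# which is normal front-end routing and must not be flagged.
SAMPLE_LOG = """DateTime,AuthenticatedUser,AnchorMailbox
2021-03-02T10:15:01.123Z,CORP\\alice,Sid~S-1-5-21-1111-2222-3333-1001
2021-03-02T10:15:07.456Z,,Database~8f1e4b2c-0000-4000-8000-000000000001
2021-03-02T10:16:42.789Z,,ServerInfo~exch01.corp.local/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory
2021-03-02T10:17:03.000Z,CORP\\bob,ServerInfo~exch01.corp.local/owa/service.svc
"""

# Indicator from Microsoft's HAFNIUM detection guidance (shell-style glob).
SSRF_ANCHOR_PATTERN = "ServerInfo~*/*"


def find_ssrf_indicators(log_text: str) -> List[Dict[str, str]]:
    """Return HttpProxy rows that match the CVE-2021-26855 exploitation indicator.

    A row is suspicious when the request carried no authenticated user AND the
    front end chose a backend via a ServerInfo~host/path anchor, i.e. the
    client, not Exchange, decided where the request was proxied.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = row.get("AnchorMailbox") or ""
        if user == "" and fnmatch.fnmatchcase(anchor, SSRF_ANCHOR_PATTERN):
            hits.append(row)
    return hits


def backend_target(anchor_mailbox: str) -> Optional[Tuple[str, str]]:
    """Split 'ServerInfo~host/path' into (host, '/path').

    Returns None for anchors of any other form (Sid~..., Database~..., etc.).
    The path tells an analyst which backend endpoint the attacker reached
    through the SSRF, which is the natural pivot for the rest of the triage.
    """
    prefix = "ServerInfo~"
    if not anchor_mailbox.startswith(prefix):
        return None
    host, sep, path = anchor_mailbox[len(prefix):].partition("/")
    if not sep or not host:
        return None
    return host, "/" + path


def main(argv: List[str]) -> int:
    """Scan one or more HttpProxy CSV files given on the command line,
    or the embedded sample when no file is given."""
    sources = argv[1:] or ["<sample>"]
    total = 0
    for name in sources:
        text = SAMPLE_LOG if name == "<sample>" else open(name, encoding="utf-8", errors="replace").read()
        for row in find_ssrf_indicators(text):
            total += 1
            target = backend_target(row["AnchorMailbox"])
            host, path = target if target else ("?", "?")
            print(f"{name}: {row['DateTime']} unauthenticated proxy to {host} path {path}")
    print(f"{total} suspicious request(s)")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the files under the Exchange install's Logging\HttpProxy directory (Autodiscover, Ecp, Ews, Owa and the other subfolders). A hit proves that an unauthenticated request was routed through the SSRF, not that the file-write step succeeded; follow up by checking the OAB virtual directory's ExternalUrl and the web-root paths for recently written .aspx files, which is what the CVE-2021-27065 step leaves behind.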

It is also worth noting that Praetorian recently published a detailed technical overview of the ProxyLogon vulnerabilities, although it refrained from releasing its own exploit. Many researchers nevertheless criticized the report, arguing that it would only speed up exploit development and draw even more attackers to the bugs.

Let me also remind you that hackers recently attacked the Microsoft Exchange servers of the European Banking Authority.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
