Microsoft Exchange Server Flaw Let Remote Attackers Access Sensitive Information

ProxyToken, a serious security vulnerability has been detected in the Microsoft Exchange Server by the security analysts.

ProxyToken vulnerability could enable unauthenticated threat actors to access and steal emails from a victim mailbox.

The threat actors are using this vulnerability as a weapon to implement the attack, and this issue is tracked as CVE-2021-33766 and it has a CVSS score: 7.3. 

However, the “ProxyToken,” vulnerability was initially discovered by a researcher, Le Xuan Tuyen of Vietnam Posts and Telecommunications Group Information Security Center (VNPT-ISC).

According to the report, in March 2021, Le Xuan Tuyen has reported about this vulnerability through the Zero-Day Initiative (ZDI) program. But it was patched by Microsoft in the July 2021 Exchange cumulative updates.

Flaw profile

  • CVE ID: CVE-2021-33766
  • CVSS SCORE: 6.5
  • AFFECTED VENDORS: Microsoft
  • AFFECTED PRODUCTS: Exchange
  • VULNERABILITY: Microsoft Exchange Server ECP Authentication Bypass Information Disclosure Vulnerability
  • DISCLOSURE TIMELINE:-
  • 2021-04-05 – Vulnerability reported to the vendor
  • 2021-07-15 – Coordinated public release of advisory

The Trigger 

After investigating the vulnerability the authorities stated that there is some essential HTTP traffic that is needed to trigger this vulnerability, and here it is mentioned below:-

Root Cause 

It is very important to know each and every detail of the vulnerability and to know what exactly had happened the specialists have to know all regarding the server.

As per the finding, Microsoft Exchange produces two sites in IIS, here, the first one is the default website that is the “Front End”, which generally receives on ports 80 for HTTP and 443 for HTTPS. 

The front-end website is often used as a proxy to the back end, and it enables access that needs forms authentication, the front end serves pages such as /owa/auth/logon.aspx.

However, the clients generally connect with this site for web access (OWA, ECP) and for externally coating web services. Whereas the other site has been named as “Exchange Back End” and listens on ports 81 for HTTP and 444 for HTTPS.

Bagging a Canary 

An additional hurdle needs to clear so that an unauthenticated request can be issued, that’s why they explained that all the request to an /ecp page is expected to have a ticket perceived as the “ECP canary.”

The security analysts also claimed that without a canary, the application will come back with an HTTP 500. Still, the threat actor can implement its operation as the 500 error response is being attended by a valid canary:-

After performing all the procedures the final request would look like this:-

The threat actors generally target the Exchange server because it is an amazingly fertile area for vulnerability research. Therefore, the experts are trying to find the details of this vulnerability, and they also stated that they will keep a regular check so that they can identify further such vulnerability.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.