Piotr Bazydlo

Half Measures and Full Compromise: Exploiting Microsoft Exchange PowerShell Remoting

Abstract

Microsoft Exchange Server is a popular mail server, both with enterprises and with attackers. Because a compromise of Exchange leads to the exfiltration of confidential data, it has a long history of abuse and is frequently targeted by nation-state actors.

This presentation describes both the history and the current state of Microsoft Exchange PowerShell Remoting abuse; this component turns out to be one of the most problematic Exchange components ever. Although ProxyNotShell was patched in November 2022, my research shows how each subsequent patch could be bypassed. This means that even fully patched Exchange Servers remained vulnerable to remote code execution exploits for over a year.

During this talk, I’ll describe my research into the Exchange PowerShell Remoting component and how I was able to abuse it. Using this component, I achieved Remote Code Execution, Denial of Service, Arbitrary File Read, and NTLM Relaying. The research centers on the deserialization and reflection capabilities of Exchange PowerShell Remoting. Most of the security patches applied to this attack vector introduced or extended allow lists and block lists of specific classes. My research shows that both kinds of list can be bypassed, and that Exchange ships multiple class types that can be abused in different ways.

This presentation delivers a deep dive into the Exchange PowerShell Remoting attack vector. I’ll provide examples by detailing almost a dozen vulnerabilities in Exchange Server, including CVE-2023-21529, CVE-2023-32031, CVE-2023-36745, CVE-2023-36756 and CVE-2023-36744. One of the Remote Code Execution chains demonstrated includes a vulnerability in a Microsoft Windows utility. I’ll also describe my methodology for searching for Exchange gadgets, which you can apply to your own research. Finally, I’ll show how the latest security patches have made exploitation of this attack vector harder.

BIO

Piotr Bazydło is a vulnerability researcher at Trend Micro’s Zero Day Initiative (ZDI) program. His research is focused on high-level languages, such as C# and Java. In his current role, Piotr investigates and performs root cause analysis on hundreds of vulnerabilities submitted to the ZDI program, which is the world's largest vendor-agnostic bug bounty program. His research emphasis primarily involves complex vulnerabilities where either the original attack vectors are manipulated or intricate vulnerability chains must be prepared. His vulnerability disclosures include critical-rated bugs in Microsoft Exchange Server, Microsoft SharePoint and the SolarWinds Orion Platform. He participated in the Pwn2Own Miami competition and was recognized as a Microsoft Most Valuable Researcher.