A vulnerability that Microsoft patched in Exchange Server earlier this year can allow attackers to set forwarding rules on target accounts and gain access to incoming emails.
Tracked as CVE-2021-33766 and referred to as ProxyToken, the vulnerability has a severity rating of medium (CVSS score of 6.5). The security hole was identified by Le Xuan Tuyen of VNPT ISC, working with Trend Micro’s Zero Day Initiative (ZDI).
The security bug is related to the authentication of requests to services within the ecp web application and can be exploited using crafted requests to bypass authentication.
“With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users. As an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker,” ZDI’s Simon Zuckerbraun explains.
The issue exists because none of the sites that Exchange creates in IIS (one functioning as a front-end and the other as a back-end) authenticates specific requests when the Delegated Authentication feature is not enabled and a non-empty cookie named SecurityToken is employed.
“In summary, when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature,” Zuckerbraun notes.
He also explains that unauthenticated requests may be issued as well, because if requests to a /ecp page don’t include an “ECP canary” ticket, an HTTP 500 response is returned, and a valid canary is included in the response.
An attacker with an account on the same Exchange server as the victim may exploit the vulnerability to set a forwarding rule that would allow them to read all the victim’s incoming mail. Provided that the Exchange administrator has set a global configuration value to allow the use of forwarding rules to arbitrary Internet destinations, no Exchange credentials are needed for the exploit.
“Furthermore, since the entire /ecp site is potentially affected, various other means of exploitation may be available as well,” Zuckerbraun says.
Microsoft informed users about the availability of patches for Exchange Server 2013, 2016 and 2019 with an advisory issued in July, but the actual fixes were released in April.
“This is an interesting security vulnerability, but because this requires an existing active account on Microsoft Exchange to begin with…this is not a huge external threat. It can be used as part of a chained exploit where the attacker has already gained access, and it can be used for spear phishing, eavesdropping and even escalation of privilege attacks…so it is not nothing. Anyone can think up some malicious attacks using it, if the initial access is already gained,” Roger Grimes, data driven defense evangelist at KnowBe4, said in an emailed comment.