New Exploit OWASSRF Bypasses ProxyNotShell Mitigations
Category: Vulnerability | Industry: Global | Level: Tactical | Source: CrowdStrike
The urgency to apply Microsoft's November 8th, 2022, patches increased after CrowdStrike researchers identified a new exploitation method, OWASSRF, that chains two CVEs: CVE-2022-41080, a Microsoft Exchange Server privilege escalation, and CVE-2022-41082, which enables remote code execution. "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell." CrowdStrike's discovery came during an investigation of a Play ransomware intrusion whose initial signs appeared to be exploitation of ProxyNotShell using CVE-2022-41040 and CVE-2022-41082. Upon further analysis, however, the server-side request forgery vulnerability (CVE-2022-41040) was absent, leading CrowdStrike to research a new exploit path and, ultimately, to identify the OWASSRF exploitation method.
The first stage of an OWASSRF exploit uses remote PowerShell commands to log into a mailbox via the OWA URL. "This request seemed to show a novel, previously undocumented, way to reach the PowerShell remoting service through the OWA frontend endpoint, instead of leveraging the Autodiscover endpoint." Following initial access, threat actors were observed using remote access tools for command and control and Mimikatz for credential access. While CrowdStrike was developing proof-of-concept (POC) code, a leaked POC, a Python script discovered in an attacker's repository, was found to replicate the results seen in the logs CrowdStrike reviewed during the Play ransomware intrusion. To emphasize, organizations are advised to apply the November 2022 patches to mitigate the OWASSRF exploit. "CrowdStrike researchers replicated the exploit method attack on Exchange systems that had not received the November 8, 2022 patch KB5019758, but could not replicate the attack on systems that had received that patch."
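The distinguishing trait described above is that the PowerShell remoting service is reached through the OWA front end rather than through Autodiscover, which is exactly where the Autodiscover-only URL rewrite mitigation stops helping. The following detection sketch is an added example, not code from CrowdStrike, Anvilogic or the original page: it parses IIS W3C log entries and flags requests whose path reaches a `/powershell` segment via `/owa/` (the OWASSRF shape) or via `/autodiscover/` (the ProxyNotShell shape). The sample log lines are constructed for this example, and the exact shape of a malicious OWA path is an assumption; the rule keys on the path prefix plus the `/powershell` segment, not on a specific mailbox name.

```python
"""Flag web-server log entries that reach Exchange's PowerShell remoting service
through the OWA front end (OWASSRF pattern) or through Autodiscover
(ProxyNotShell pattern). Detection only: it reads logs and returns hits."""
from typing import Dict, List

# Constructed sample IIS W3C log lines for this example (not taken from the
# page or from CrowdStrike's report). The shape of the flagged OWA path is an
# assumption used for illustration.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-12-01 10:00:01 GET /owa/ - 203.0.113.5 200
2022-12-01 10:00:02 POST /owa/auth.owa - 203.0.113.5 302
2022-12-01 10:00:03 POST /owa/mailbox@contoso.test/powershell - 203.0.113.5 200
2022-12-01 10:00:04 POST /autodiscover/autodiscover.json @evil.test/powershell&Email=autodiscover/autodiscover.json%3F@evil.test 198.51.100.9 200
2022-12-01 10:00:05 POST /owa/service.svc action=GetFolder 203.0.113.5 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # skip malformed lines rather than guessing columns
        entries.append(dict(zip(fields, parts)))
    return entries


def classify(entry: Dict[str, str]) -> str:
    """Return a rule name for a suspicious entry, or "" if it looks benign."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    url = stem + "?" + query  # query may carry the remoting path (ProxyNotShell)
    if "/powershell" not in url:
        return ""
    if stem.startswith("/owa/"):
        return "owassrf-candidate"
    if stem.startswith("/autodiscover/"):
        return "proxynotshell-candidate"
    return ""


def detect_exchange_powershell_reach(text: str) -> List[Dict[str, str]]:
    """Run classify() over every parsed entry and return the flagged ones."""
    hits: List[Dict[str, str]] = []
    for entry in parse_w3c(text):
        rule = classify(entry)
        if rule:
            hits.append({**entry, "rule": rule})
    return hits


if __name__ == "__main__":
    for hit in detect_exchange_powershell_reach(SAMPLE_LOG):
        print(hit["rule"], hit["c-ip"], hit["cs-method"],
              hit["cs-uri-stem"], hit["cs-uri-query"])
```

Run against the constructed sample, the rule yields one `owassrf-candidate` (the `/owa/.../powershell` POST) and one `proxynotshell-candidate` (the Autodiscover request carrying `/powershell` in its query), while ordinary OWA logins and `service.svc` calls pass. A hit from a host that has not received KB5019758 is the case the page says needs the patch first; the detection is a stopgap, not a substitute.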
- BITSadmin Abuse for Host Compromise
Anvilogic Use Cases:
- POST request powershell
- BITSadmin Execution
- Remote Access Software Execution