Security News > 2021 > March > New PoC for Microsoft Exchange bugs puts attacks in reach of anyone
Since Microsoft disclosed actively exploited Microsoft Exchange security vulnerabilities, known collectively as ProxyLogon, administrators and security researchers have been scrambling to protect vulnerable servers exposed on the Internet.
The PoC provided enough information that security researchers and threat actors could use it to develop a functional remote code execution exploit for Microsoft Exchange servers.
This weekend, a different security researcher published a new ProxyLogon PoC that requires very little modification to exploit a vulnerable Microsoft Exchange server and drop a web shell on it.
"It's within the reach of"script kiddie" now," warned Dormann in our discussion about the PoC. As you can see from the image below, Dormann used the exploit against a Microsoft Exchange server and remotely installed a web shell, and executed the 'whoami' command.
Didier Stevens, a senior analyst at NVISO and SANS ISC senior handler, also tested the exploit against a Microsoft Exchange virtual machine but did not have as much luck with the PoC. In a conversation with BleepingComputer, Stevens said that he tested the new PoC against an unpatched Exchange 2016 with no cumulative updates.
Stevens said that new information in the PoC released this weekend enabled him to get Jang's PoC working to achieve successful remote code execution against his Microsoft Exchange server.
News URL
Related news
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- Microsoft Exchange adds warning to emails abusing spoofing flaw (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Microsoft pulls Exchange security updates over mail delivery issues (source)
- Microsoft 365 outage impacts Exchange Online, Teams, Sharepoint (source)
- Microsoft re-releases Exchange updates after fixing mail delivery (source)
- Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks (source)
- Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks (source)
- Microsoft enforces defenses preventing NTLM relay attacks (source)
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks (source)