“A whole new attack surface” – researcher Orange Tsai documents ProxyLogon exploits against Microsoft Exchange Server


Adam Bannister August 06, 2021 at 15:48 UTC

Updated: August 06, 2021 at 17:17 UTC

“Possibly the most serious vulnerability in the history of Microsoft Exchange”

Hacking maestro Orange Tsai presented the highly anticipated technical details of his Microsoft Exchange exploits at Black Hat USA 2021.

A pre-authentication remote code execution (RCE) bug discovered by Tsai in January “could be the most serious vulnerability in the history of Microsoft Exchange,” the security researcher told attendees in a remote address.

The bug was patched in March and was one of a quartet of zero-days exploited to compromise hundreds of thousands of enterprise mail servers around the world.

After digging deeper into the bug, Tsai realized that “ProxyLogon is not just a single bug, it’s a ‘brand new target’ that helps researchers uncover new vulnerabilities.”


Tsai, senior security researcher at Devcore, discovered eight vulnerabilities in this fledgling terrain, including server-side, client-side, and cryptographic flaws. Their impact grew when he chained them together: two pre-auth RCE chains, ProxyLogon and ProxyShell, and a third chain, ProxyOracle, that recovers plaintext passwords.

Successful exploitation could allow an attacker to read plaintext passwords and execute arbitrary code on Microsoft Exchange Server instances over port 443.

Tsai attributes the discovery of such devastating exploits to the fact that he analyzed the target application from a high-level architectural perspective rather than hunting for specific bug classes such as logic flaws or code injection.

“We hope this will set a new paradigm for vulnerability research and inspire more security researchers to study Exchange Server,” he said.

Prime target

Microsoft Exchange Server has long been a target for nation-state hackers because corporate email servers store the confidential secrets of blue-chip organizations and government agencies, and Microsoft Exchange dominates the market.

Despite their sensitivity, Tsai found that 400,000 Exchange servers were exposed to the internet and were therefore reachable by attackers.


His research focused on a major change made to Client Access Services (CAS) in 2013, which split Exchange’s protocol handling into front-end and back-end components.

This fundamental architectural change introduced significant design debt and inconsistencies between the two contexts, Tsai said.

To protect against attack, Tsai advised Microsoft Exchange users to keep their systems up to date and make sure they are not exposed to the internet.

Hardening of the CAS front end that Microsoft shipped in April 2021 has reduced the pre-authentication portion of the attack surface and neutralized the pre-auth attacks.

Because “modern problems require modern solutions”, Tsai advised infosec professionals in his concluding remarks “to try to find architectures from [a] higher point of view”.

Despite the patches and mitigations introduced by Microsoft, CAS remains a promising target for research, even if, without pre-auth bugs, the results are not as severe as ProxyLogon.


Microsoft Exchange remains “a buried treasure with more flaws” lying in wait, Tsai believes.

However, he warned, “Even if you found a super critical bug like ProxyLogon, [Microsoft] will not reward you with a bounty, as the on-premises Exchange server is out of scope.”

The research has undoubtedly further enhanced Tsai’s already stellar reputation. The researcher recently triumphed at the Pwnie Awards 2021 for best server-side bug, topped PortSwigger’s list of Best Web Hacking Techniques in 2017 and 2018, and was named Master of Pwn 2021 at this year’s Pwn2Own.

In a related development, in April the FBI was authorized through an unusual legal process to remove web shells implanted in Microsoft Exchange installations, while two further zero-days, credited to the National Security Agency, have since been patched.

The unusual legal process was necessary because removing the web shells amounted to accessing third-party computers and could otherwise have been considered illegal.
