Understanding the Exchange Server Attacks: Exploiting CVE-2022-41040 and CVE-2022-41082
In recent months, we have seen a surge in attacks targeting Exchange Servers. These attacks have been made possible by exploiting the CVE-2022-41040 and CVE-2022-41082. This post will delve into the details of these vulnerabilities and how attackers exploit them to gain access to Exchange Servers.
The first step in this attack is exploiting CVE-2022-41040 to gain access to the PowerShell API endpoint of the Exchange Server. This vulnerability arises from insufficient filtering of input data in the Exchange Autodiscover mechanism. Using a known login and password combination for a registered account, an attacker can gain access to the privileged endpoint of the Exchange Server API (https://%exchange server domain%/powershell). This allows the attacker to execute PowerShell commands in the Exchange environment on the server machine, passing them in the payload via the XML SOAP protocol.
Gaining access to Web-Based Enterprise Management (WBEM) via WSMAN Protocol:
The attacker's next step is gaining access to Web-Based Enterprise Management (WBEM) via the WSMAN Protocol. The attacker initiates a shell on the vulnerable system for further PowerShell script execution via Windows Remote Management (PsRemoting).
Extending the lifetime of the shell:
The attacker needs to extend the lifetime of the shell, as it will otherwise be closed by default due to its expiration time being too short. To do this, the attacker sends a special request via WSMAN that enables the keep-alive option.
The attacker then exploits a second vulnerability, CVE-2022-41082, by using PowerShell Remoting to send a request to create an address book. This request includes encoded and serialized data with a unique payload as a parameter. In a published proof of concept (POC), this encoded data contains a gadget called System.UnitySerializationHolder, which spawns an object of the System.Windows.Markup.XamlReader class. This class processes XAML data from the payload, creating a new system object. Diagnostics class and containing a method call to open a new process on the target system. In the PoC, this process is calc.exe.
In conclusion, the exploitation of vulnerabilities CVE-2022-41040 and CVE-2022-41082 has allowed attackers to gain access to Exchange Servers and execute malicious code. Organizations must ensure that their Exchange Servers are updated and patched to prevent these attacks.
We are here to help!
Are you looking for ongoing advisory services to assist in identifying vulnerabilities and security policies that should be in place and help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of fortune 100 companies and small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and can provide value to your business immediately.
Contact Inception Security if your company is looking for advisory services.