More Exchange Vulnerabilities and a Confluence Rce

| By:
Bryson Medlock

We warned you earlier this year that there were more Exchange vulnerabilities on the horizon and Microsoft hasn’t fail to deliver. Details of another serious vulnerability in Microsoft Exchange were released earlier this week. Le Xuan Tuyn, a researcher at the Information Security Center of Vietnam Posts and Telecommunication Group (VNPT-ISC), discovered and reported CVE-2021-33766, commonly referred to as ProxyToken, in March of this year through the Zero-Day Initiative (ZDI).

This vulnerability, like ProxyLogon, ProxyOracle, and ProxyShell is found in the way traffic is proxied between Microsoft’s front-end Internet Information Services (IIS) and the backed services. There is a feature in Exchange known as “Delegated Authentication” which allows IIS on the front-end to pass authentication requests to the backend so it can support cross-forest topologies. This is a special configuration and not a feature used by default. When IIS receives a request that contains “/ecp”, which is part of the URL for the Exchange Control Panel (ECP), with a “SecurityToken” cookie, it assumes Delegated Authentication is enabled and rather than authenticating the user, delegates authentication to the backend. However, if Delegated Authentication is not enabled (again, not the default configuration), then ECP ignores the “SecurityToken” cookie and assumes the front-end took care of authentication. There is one extra step needed. ECP will block requests that do not include a ticket known as “ECP canary”. However, this ticket can be obtained by sending a malformed request that triggers and HTTP 500 error. The HTTP 500 error ECP produces includes the ticket in the response. Once an attacker is able to gain access to ECP, they can setup e-mail forwarding rules and start getting copies of all your email.

The good news is Microsoft has already patched for this vulnerability in July 2021, so if your servers are all up to date then you should be safe though there is some evidence of threat actors using this vulnerability for the past several weeks. It’s also worth noting that you cannot simply apply the July updates to fix this and other Exchange proxy vulnerabilities. You must also extend the schema using the June 2021 cumulative updates. We have seen individuals apply the July updates and were still later compromised.

The ConnectWise CRU has added the following signature to the Perch platform to detect any attempts to exploit ProxyToken:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Potential MS Exchange ProxyToken Exploit (CVE-2021-33766)"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/ecp/"; content:"/RulesEditor/InboxRules.svc/NewObject"; distance:0; http.cookie; content:"SecurityToken="; tag:session,5,packets; reference:url,; classtype:web-application-attack;

sid:; rev:1; metadata: created_at 2021-08-30, updated_at 2021-08-30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application, cve CVE_2021_33766;)

Confluence RCE Vulnerability

Last week a critical vulnerability with a CVSS score of 9.8 was reported in Atlassians’s Confluence Server, a corporate wiki solution used by organizations around the world and especially common in organizations in the tech industry. This vulnerability would allow an authenticated user, and in the right circumstances an unauthenticated user, to execute arbitrary code on a Confluence Server. CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability. OGNL is an open-source expression language for Java that Confluence uses for templates that generate the HTML your web browser interprets.

A malicious actor can craft an HTTP POST request to “doenterpagvariables.action” with a Unicode encoded payload in the “queryString” variable that will cause the server to execute the payload.

The vulnerability was reported via Atlassian’s public bug bounty program and a patch has already been released. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. The official advisory from Atlassian was released on August 25, 2021. Patches and more details can be accessed at the official advisory at

The vulnerability is fairly trivial to exploit, and a proof-of-concept (PoC) has already been released on Exploit DB making it even easier. This has led mass scans for vulnerable Confluence servers with both attackers and researchers probing for vulnerable systems. According to Atlassian, Confluence is used by more than 60,000 customers. Given the widespread use of Confluence, the ease of exploitation, and the severity of the vulnerability we strongly recommend patching your systems as soon as possible. Meanwhile, we have deployed signatures by Emerging Threats to our IDS customers that should detect exploit attempts.