Executive Summary

ProxyLogon is a chain of vulnerabilities in Microsoft Exchange Server that allows unauthenticated attackers to execute arbitrary code as SYSTEM. The attack chain combines an SSRF vulnerability (CVE-2021-26855) with additional bugs to achieve remote code execution.

Technical Analysis

The vulnerability chain consists of:
1. CVE-2021-26855: SSRF via Exchange Server
2. CVE-2021-26857: Insecure deserialization
3. CVE-2021-26858: Post-auth file write
4. CVE-2021-27065: Post-auth file write

SSRF Exploitation

POST /owa/auth/test.aspx HTTP/1.1
Host: exchange.victim.com
Cookie: X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

<ValidCookie>

Webshell Deployment

Attack Chain Details

Impact Assessment

  • Mass Compromise: Over 250,000 Exchange servers compromised
  • APT Activity: Multiple nation-state actors exploiting the chain
  • Ransomware: DearCry ransomware deployed via ProxyLogon
  • Data Theft: Complete email database access

Detection Methods

# Check for webshells dropped into the aspnet_client directory
Get-ChildItem -Path "C:\inetpub\wwwroot\aspnet_client" -Recurse -Filter "*.aspx" |
    Select-String -Pattern "eval|base64|cmd.exe"

# Review the OWA HttpProxy logs for requests from outside the internal range
# (10.* is an example; substitute your own address plan)
Import-Csv -Path "C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\*.log" |
    Where-Object {$_.ClientIpAddress -notlike "10.*"}
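The log review above can be made more specific. Microsoft's HAFNIUM guidance flags CVE-2021-26855 by looking for HttpProxy rows with no authenticated user whose AnchorMailbox is a ServerInfo~host/path backend target instead of a mailbox. The following is an added example, not part of the original write-up; the log lines are constructed and use only a subset of the real HttpProxy columns, and the 10.0.0.0/8 internal range mirrors the page's filter.

```python
import csv
import ipaddress

# Constructed sample in the shape of an Exchange HttpProxy log (a subset of
# the real columns, not a captured file). Exchange prefixes each log with
# '#' comment lines, which are skipped here just as Import-Csv skips them.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-02T10:00:01.000Z,10.1.2.3,/owa/,CONTOSO\\alice,SMTP:alice@contoso.local,200
2021-03-02T10:00:02.000Z,203.0.113.7,/owa/auth/test.aspx,,ServerInfo~localhost/ecp/default.flt?~3,200
2021-03-02T10:00:03.000Z,203.0.113.7,/ecp/y.js,,ServerInfo~localhost/ecp/,200
2021-03-02T10:00:04.000Z,10.9.8.7,/ecp/,CONTOSO\\admin,ServerInfo~exchange.victim.com/ecp/,200
"""

# Mirrors the page's "10.*" filter; adjust to your own address plan (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_internal(ip):
    """True when the client address falls in a range treated as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def parse_httpproxy_log(text):
    """Return the log rows as dicts, skipping Exchange's '#' comment lines."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    return list(csv.DictReader(lines))

def find_ssrf_candidates(text):
    """Flag CVE-2021-26855 indicators: unauthenticated requests whose
    AnchorMailbox names a ServerInfo~<host>/<path> backend target."""
    hits = []
    for row in parse_httpproxy_log(text):
        anchor = row.get("AnchorMailbox", "")
        unauthenticated = row.get("AuthenticatedUser", "") == ""
        if unauthenticated and anchor.startswith("ServerInfo~") and "/" in anchor:
            hits.append({
                "time": row["DateTime"],
                "client": row["ClientIpAddress"],
                "external": not is_internal(row["ClientIpAddress"]),
                "url": row["UrlStem"],
                "anchor": anchor,
            })
    return hits

if __name__ == "__main__":
    for hit in find_ssrf_candidates(SAMPLE_LOG):
        print(hit)
```

The authenticated admin row with a ServerInfo~ anchor is deliberately not flagged, since legitimate proxying by an authenticated user produces the same anchor shape.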

Mitigation Strategies

Emergency Response

  1. Apply Patches Immediately:
     • Exchange 2019: KB5000871
     • Exchange 2016: KB5000871
     • Exchange 2013: KB5000871

  2. Check for Compromise:

# Microsoft's official detection script
Test-ProxyLogon.ps1 -OutPath C:\temp\ProxyLogonResults

  3. URL Rewrite Rules (temporary):

<rule name="ProxyLogon" stopProcessing="true">
    <match url=".*" />
    <conditions>
        <add input="{HTTP_COOKIE}" pattern=".*X-AnonResource=true.*" />
    </conditions>
    <action type="CustomResponse" statusCode="403" />
</rule>

References