‘Possibly the most severe vulnerability in the history of Microsoft Exchange’

'A whole new attack surface' - Researcher Orange Tsai documents ProxyLogon exploits against Microsoft Exchange Server

Hacking maestro Orange Tsai has disclosed much-anticipated technical details related to his Microsoft Exchange exploits at Black Hat USA 2021.

A pre-authenticated remote code execution (RCE) flaw that Tsai unearthed in January “might be the most severe vulnerability in the history of Microsoft Exchange,” the security researcher told attendees in a remote address.

Patched in March, the flaw was among a quartet of zero-day flaws whose exploitation saw hundreds of thousands of enterprise messaging servers hacked worldwide.

After digging deeper into the bug, Tsai realized that “ProxyLogon is not just a single bug, but a ‘whole new attack surface’ to help researchers uncover new vulnerabilities”.

RELATED Feds zap Exchange Server backdoors as Microsoft offers patches for further flaws

Tsai, principal security researcher at Devcore, discovered eight vulnerabilities from this virgin terrain, comprising server-side, client-side and cryptographic bugs. Their potency was amplified when he corralled them into pre-auth RCE chains known as ProxyLogon and ProxyShell, along with ProxyOracle, a plaintext password recovery combo.

Successful exploitation could result in an attacker viewing plaintext passwords and executing arbitrary code on Microsoft Exchange Server instances via port 443.

Tsai attributes the discovery of such devastating exploits to the fact that, rather than probing for particular flaws, such as logic bugs or code injections, he analyzed the target application from a high-level architectural perspective.

“We hope this brings a new paradigm to vulnerability research and inspires more security researchers to look into Exchange Server,” he said.

Prime target

Microsoft Exchange Server is a long-time target of nation-state hackers because corporate mail servers store the confidential secrets of blue chip organizations and government agencies and Microsoft Exchange dominates the market.

Despite their criticality, Tsai said he discovered that 400,000 Exchange servers were internet-facing and therefore vulnerable to attack.

Read more of the latest news from Black Hat USA

His research centered on a major change implemented in 2013 on Client Access services (CAS), whereby Exchange’s fundamental protocol handler was divided into frontend and backend components.

This fundamental architectural change incurred a considerable level of design debt and introduced inconsistencies between contexts, said Tsai.


In order to guard against attack, Tsai advised Microsoft Exchange users to keep their systems up to date and ensure they are not internet-facing.

Enhancements to the CAS frontend implemented by Microsoft in April 2021, he added, mitigated the authentication part of attack surface and nullified pre-auth attacks.

Because “modern problems require modern solutions”, Tsai advised infosec professionals in his concluding remarks to “try to comprehend architectures from [a] higher point of view”.

And despite the patches and mitigations introduced by Microsoft, CAS remains an attack surface with rich promise – albeit without pre-auth bugs the results will be less powerful than those achieved with ProxyLogon.

RECOMMENDED Black Hat USA: HTTP/2 flaws expose organizations to fresh wave of request smuggling attacks

Microsoft Exchange remains “a buried treasure with more bugs” lying in wait, Tsai believes.

However, he warned: “Even if you found a super critical bug like ProxyLogon, [Microsoft] will not reward you any bounty because Exchange server on-prem is out of scope.”

The research has undoubtedly further burnished Tsai’s already stellar reputation. The researcher recently triumphed at the 2021 Pwnie Awards for best server-side bug, topped PortSwigger’s Top Web Hacking Techniques list in 2017 and 2018, and became Master of Pwn 2021 at this year’s Pwn2Own.

In a related development back in April, the FBI granted government authorities the ability to remove web shells implanted in Microsoft Exchange installations via a pair of different zero days, credited to the National Security Agency, that had since been patched.

The unusual court action was necessary since removing web shells constituted interference with a third-party computer and could therefore have otherwise been deemed unlawful.

YOU MIGHT ALSO LIKE Writers’ block? Tools that simplify the report-writing process allow security researchers to ‘focus on the fun part’