Researchers’ bid to reproduce ProxyShell yields something entirely new

Microsoft fixes reflected XSS in Exchange Server

Microsoft has patched a reflected cross-site scripting (XSS) vulnerability in Exchange Server.

Tracked as CVE-2021-41349, the flaw was unearthed by security researchers Rahul Maini and Harsh Jaiswal, application security engineers at Vimeo.

“Since it was just another XSS, an attacker could have manipulated the DOM and could have used it to read/send emails, phish, perform state-changing actions in the application, etc,” Maini told The Daily Swig.




The medium severity spoofing bug (CVSS score 6.5) has a low attack complexity, according to Microsoft, which published a security advisory on November 9 indicating that there was no evidence, as yet, of in-the-wild exploitation.

Maini said the exploit would work on almost every unpatched on-premise Outlook Web App instance.

Microsoft has issued five software updates for Exchange Server 2013, 2016, and 2019 that address the vulnerability.

Discovery, proof of concept

Maini and Jaiswal unearthed the flaw when they were trying to reproduce Orange Tsai’s ProxyShell attack against the same platform, which required sending crafted XML to the /autodiscover/autodiscover.json endpoint.




“While converting the body encoding of the request in Burp Suite we sent a request with the wrong Content-Type of application/x-www-form-urlencoded and we saw this in the response with Content-Type set to text/html,” said Maini.

“A potentially dangerous Request.Form value was detected from the client ( ="<?xml"), and from there we were able to come up with a PoC [proof-of-concept] that would submit a form and execute JavaScript.”

“There was this weird behavior where after entering a few characters, it would compress the payload and add "..." to the end, but just by adding ;x=" to it, the application will automatically close the quote, and also character limitation is then not an issue anymore,” said Maini.
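
A detection check for the request pattern the researchers describe, added here as an example and not taken from the article, the researchers or Microsoft: it flags form-encoded POSTs to /autodiscover/autodiscover.json that were answered with text/html. The JSON-lines proxy log format, its field names and the sample records are constructed assumptions.

```python
import json

# Constructed reverse-proxy log records (JSON lines). The field names are
# assumptions made for this example, not an Exchange or IIS log format.
SAMPLE_LOG = """\
{"ts":"2021-11-10T09:12:01Z","method":"POST","path":"/autodiscover/autodiscover.json","req_ct":"application/x-www-form-urlencoded","resp_ct":"text/html; charset=utf-8","src":"198.51.100.7"}
{"ts":"2021-11-10T09:12:05Z","method":"POST","path":"/autodiscover/autodiscover.xml","req_ct":"text/xml","resp_ct":"text/xml","src":"198.51.100.8"}
{"ts":"2021-11-10T09:13:40Z","method":"GET","path":"/autodiscover/autodiscover.json","req_ct":"","resp_ct":"application/json","src":"198.51.100.9"}
{"ts":"2021-11-10T09:14:02Z","method":"POST","path":"/Autodiscover/Autodiscover.json?a=b","req_ct":"Application/X-WWW-Form-Urlencoded; charset=UTF-8","resp_ct":"text/html","src":"198.51.100.7"}
not-json garbage line
"""

ENDPOINT = "/autodiscover/autodiscover.json"
FORM_CT = "application/x-www-form-urlencoded"


def media_type(header):
    """Return the bare, lower-cased media type of a Content-Type header."""
    return (header or "").split(";", 1)[0].strip().lower()


def is_suspicious(rec):
    """True for a form-encoded POST to the endpoint answered with text/html."""
    # Paths are compared case-insensitively, with the query string removed.
    path = str(rec.get("path", "")).split("?", 1)[0].lower()
    return (
        str(rec.get("method", "")).upper() == "POST"
        and path == ENDPOINT
        and media_type(rec.get("req_ct")) == FORM_CT
        and media_type(rec.get("resp_ct")) == "text/html"
    )


def scan(log_text):
    """Return (timestamp, source) pairs for every matching log record."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON records
        if isinstance(rec, dict) and is_suspicious(rec):
            hits.append((rec.get("ts"), rec.get("src")))
    return hits


if __name__ == "__main__":
    for ts, src in scan(SAMPLE_LOG):
        print(f"{ts} form-encoded POST to {ENDPOINT} from {src} returned text/html")
```

A hit on a patched server still indicates that someone is probing the endpoint with the wrong body encoding, so it is worth correlating with the client's other requests.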

