Researchers’ bid to reproduce ProxyShell yields something entirely new
“Since it was just another XSS, an attacker could have manipulated the DOM and could have used it to read/send emails, phish, perform state-changing actions in the application, etc,” Maini told The Daily Swig.
The medium-severity spoofing bug (CVSS score 6.5) has a low attack complexity, according to Microsoft, which published a security advisory on November 9 indicating that there was no evidence, as yet, of in-the-wild exploitation.
Maini said the exploit would work on almost every unpatched on-premise Outlook Web App instance.
Microsoft has issued five software updates applicable for Exchange Server 2013, 2016, and 2019 that address the vulnerability.
Discovery, proof of concept
Maini and Jaiswal unearthed the flaw when they were trying to reproduce Orange Tsai’s ProxyShell attack against the same platform, which required sending crafted XML to the /autodiscover/autodiscover.json endpoint.
“While converting the body encoding of the request in Burp Suite we sent a request with the wrong Content-Type of application/x-www-form-urlencoded and we saw this in the response with Content-Type set to text/html,” said Maini.
“There was this weird behavior where after entering a few characters, it would compress the payload and add "..." to the end, but just by adding ;x=" to it, the application will automatically close the quote, and also character limitation is then not an issue anymore,” said Maini.
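To illustrate the bug class the researchers describe, here is an added, constructed model (not Exchange code or the researchers' proof of concept) of an API endpoint that echoes a rejected request body into a text/html error page when the Content-Type is wrong, beside a hardened handler that answers with a fixed JSON content type and never reflects the body. The handler names, the status codes and the sample body are assumptions made for the example.

```python
import json

# Constructed model of the behaviour described in the article: a request to
# /autodiscover/autodiscover.json arriving with the wrong Content-Type has its
# body reflected into an HTML error page. This is NOT Microsoft's code.
AUTODISCOVER_PATH = "/autodiscover/autodiscover.json"


def vulnerable_handler(content_type, body):
    """Bug class: build an HTML error page from attacker-controlled input."""
    if content_type != "application/json":
        page = "<html><body>Invalid request: " + body + "</body></html>"
        return 400, {"Content-Type": "text/html"}, page
    return 200, {"Content-Type": "application/json"}, json.dumps({"ok": True})


def hardened_handler(content_type, body):
    """Mitigation: structured error, fixed content type, no reflected body."""
    if content_type != "application/json":
        err = json.dumps({"error": "unsupported content type"})
        # nosniff stops browsers from second-guessing the declared type.
        return 415, {"Content-Type": "application/json",
                     "X-Content-Type-Options": "nosniff"}, err
    return 200, {"Content-Type": "application/json",
                 "X-Content-Type-Options": "nosniff"}, json.dumps({"ok": True})


def reflects_unescaped(handler, content_type, body):
    """Regression check: does the handler echo HTML from the body into a
    text/html response? Uses a harmless marker, not a payload."""
    _status, headers, resp = handler(content_type, body)
    is_html = headers.get("Content-Type", "").startswith("text/html")
    return is_html and "<" in body and body in resp


if __name__ == "__main__":
    marker = "<b>marker</b>"  # constructed, benign probe string
    wrong_type = "application/x-www-form-urlencoded"
    print("vulnerable reflects:", reflects_unescaped(vulnerable_handler, wrong_type, marker))
    print("hardened reflects:", reflects_unescaped(hardened_handler, wrong_type, marker))
```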