What Are The “Good” Hackers Up To?

The Zero Day Initiative has a blog post to discuss the Top 5 Bugs submitted in 2021.

In essence the good hackers try to find bugs or problems in software which would allow an attacker to perform functions that should not be done.

An example from the Pwn2Own 2021 blog post:

Hi, I am Orange Tsai from DEVCORE Research Team. In this article, I will introduce the exploit chain we demonstrated at the Pwn2Own 2021. It’s a pre-auth RCE on Microsoft Exchange Server and we named it ProxyShell! This article will provide additional details of the vulnerabilities. Regarding the architecture, and the new attack surface we uncovered,it is in the BlackHat/DEFCON talks and technical analysis on our blog.

Most important paragraphs from Orange’s  blog:

 

While looking into ProxyLogon from the architectural level, we found it is not just a vulnerability, but an attack surface that is totally new and no one has ever mentioned before. This attack surface could lead the hackers or security researchers to more vulnerabilities. Therefore, we decided to focus on this attack surface and eventually found at least 8 vulnerabilities. These vulnerabilities cover from server side, client side, and even crypto bugs. We chained these vulnerabilities into 3 attacks:

  1. ProxyLogon: The most well-known and impactful Exchange exploit chain
  2. ProxyOracle: The attack which could recover any password in plaintext format of Exchange users
  3. ProxyShell: The exploit chain we demonstrated at Pwn2Own 2021 to take over Exchange and earn $200,000 bounty

 

What does it really mean when a researcher finds a ProxyLogon bug?

 

Let’s back up and discuss Exchange server – it is a mail system software, which means it can accept email from other servers on the internet. As noted in their slide deck from BlackHat:

as you see the focus is on Mailbox Service and Client Access Service (two pieces within the Exchange Server software. You can see that this is not a simple software with only a little visible piece. In fact there are a lot of sections of Exchange server that people would never see.  When you are on your corporate computer connecting to Exchange server the “Client Access Service” is what makes sure you receive new emails.

Here is a blow up of this transaction:

After laying out the architecture some more in their slide deck, the researcher muses: “What if we “Could Access the Backend Intentionally?”

Then they proceed to to access the Backend using th IHttpHandler and Proxy Section of the client-Server interaction (between the client computer and exchange server software).

The researcher goes into the excruciating details for the BlackHat talks which reveals how it is actually done. Since this blog tries to not get bogged down into those details (after all one can download the slide deck or listen to the BlackHat talk if you want to do that).

The final result is :

  The most wellknown Exchange Server vulnerability in the world😩
An unauthenticated attacker can execute arbitrary codes on Microsoft Exchange
Server through an only exposed 443 port!

ProxyLogon is chained with 2 bugs:
CVE202126855 Preauth SSRF leads to Authentication Bypass
CVE202127065 Postauth ArbitraryFileWrite leads to RCE

 

When a security analyst (like me) sees this explanation – an unauthenticated attacker can execute arbitrary codes on  ABC software

This means that a hacker can perform an attack remotely without your knowledge. This is the worst type of vulnerability and must be patched immediately.

Fortunately this researcher performed a service to the world and contacted Microsoft first.

This bug was fixed and patched but not until many thousands of companies were hacked.

https://thehackernews.com/2021/08/hackers-actively-searching-for.html explains what happened in March 2021

The remote code execution flaws have been collectively dubbed “ProxyShell.” At least 30,000 machines are affected by the vulnerabilities, according to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.

 

I have explained this tug of war between the researcher and hacker before and attempted to show it on this illustration:

Unfortunately even after a bug is patched by the vendor (in this case Microsoft patched the ProxyLogon Bug)   it takes time to patch systems and with this particular bug it was likely too late.

What can you do? Buy my book and get started in defending your computers.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.