'ProxyToken' bug allowed attackers to reconfigure Exchange mailboxes

Unauthenticated requests "can sail through."

Researchers have published technical details on a low-complexity attack against Microsoft's Exchange Server, which exploits a vulnerability that allows unauthenticated threat actors to - for example - copy all emails sent to a particular user's mailbox, and forward them to another account.

The flaw, dubbed ProxyToken, was found by Le Xuan Tuyen, at the Vietnam Post and Telecommunications Group's Information Security Centre.

Exchange Server creates two sites in Internet Information Services (IIS): a front end, the default website listening on ports 80 and 443, and an "Exchange Back End" site listening on ports 81 and 444. Clients talk only to the front end, which proxies each request through to the back end.

The bypass hinged on a feature called Delegated Authentication. When a request carried a non-empty SecurityToken cookie, the front end assumed the back end would authenticate it and passed it straight through. In the default configuration, however, the back-end module responsible for that check (DelegatedAuthModule) was not loaded, so the back end simply trusted that the front end had already done the work.

"The net result is that requests can sail through, without being subjected to authentication on either the front or back end," Trend Micro's Zero Day Initiative wrote.
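The delegation logic described above, reduced to a small model. This is an added illustration, not code from the ZDI write-up or from Exchange itself: the FrontEnd and BackEnd classes, the session table and the probe() helper are assumptions made for the example, while the SecurityToken cookie and DelegatedAuthModule names are the ones the research describes. The vulnerable configuration (module not loaded) is shown beside the corrected one.

```python
"""Model of the ProxyToken delegated-authentication gap.

Added example; FrontEnd, BackEnd, VALID_SESSIONS and probe() are assumed
names, not Exchange internals.  The SecurityToken cookie and the
DelegatedAuthModule are the real mechanisms the ZDI write-up names.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data: one valid session cookie mapped to a mailbox.
VALID_SESSIONS = {"session-abc": "alice@example.com"}


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    user: Optional[str] = None  # None means handled without an authenticated identity


def authenticate(req: Request) -> Optional[str]:
    """Look the session cookie up; returns the user or None."""
    return VALID_SESSIONS.get(req.cookies.get("session", ""))


class BackEnd:
    """The 'Exchange Back End' site.

    delegated_auth_loaded models whether DelegatedAuthModule is in the
    pipeline.  In the vulnerable default it is not, so the back end never
    realises that SecurityToken-marked requests still need authenticating.
    """

    def __init__(self, delegated_auth_loaded: bool):
        self.delegated_auth_loaded = delegated_auth_loaded

    def handle(self, req: Request, ident: Optional[str]) -> Response:
        if req.cookies.get("SecurityToken") and self.delegated_auth_loaded:
            # Hardened: the back end performs the delegated check itself.
            ident = authenticate(req)
            if ident is None:
                return Response(401)
        # Otherwise the back end trusts that the front end already did the work.
        return Response(200, ident)


class FrontEnd:
    """The default website; the only site a client can reach."""

    def __init__(self, backend: BackEnd):
        self.backend = backend

    def handle(self, req: Request) -> Response:
        if req.cookies.get("SecurityToken"):
            # Delegated Authentication: a non-empty SecurityToken cookie means
            # "the back end will authenticate this one", so skip the check here.
            return self.backend.handle(req, ident=None)
        ident = authenticate(req)
        if ident is None:
            return Response(401)
        return self.backend.handle(req, ident=ident)


def probe(delegated_auth_loaded: bool) -> int:
    """Send a request with no valid session, only a junk SecurityToken cookie,
    and report the status the front end returns.  /ecp/ is an illustrative
    path for the settings interface; no real endpoint is modelled."""
    fe = FrontEnd(BackEnd(delegated_auth_loaded))
    req = Request("/ecp/", {"SecurityToken": "x"})
    return fe.handle(req).status


if __name__ == "__main__":
    print("vulnerable default :", probe(delegated_auth_loaded=False))  # 200, no identity
    print("module loaded      :", probe(delegated_auth_loaded=True))   # 401
```

With the module absent, a request that authenticates nowhere is still served with a 200; with it present, the same request is rejected on the back end. The model shows why neither site logs a failed login for the attacker's traffic: each side believes the other is responsible for the check.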

Attackers could use the ProxyToken authentication bypass to add a forwarding rule to a victim's mailbox, and to make other configuration changes that would normally require the mailbox owner's credentials.

ZDI expects further Exchange bugs to come to light.

"Exchange Server continues to be an amazingly fertile area for vulnerability research," the security researchers said.

Earlier this year, Huntress Labs said it was tracking an actively exploited vulnerability chain, ProxyShell, which could be used to run arbitrary commands on Microsoft Exchange Servers without authentication and install malware such as webshells.

Microsoft has acknowledged the bug, tracked as CVE-2021-33766, which affects Exchange Server 2013, 2016 and 2019, and issued patches for it in its July security updates this year; servers that have not been updated since then remain exposed.

Copyright © iTnews.com.au . All rights reserved.