Project Hyphae

OWASSRF, NotProxyNotShell


Back on December 20th, 2022, CrowdStrike published a blog post describing a new exploit chain against Exchange servers through Outlook Web Access (OWA) that uses CVE-2022-41080 and CVE-2022-41082.

Previously, CVE-2022-41082 was the second half of the ProxyNotShell chain: it provided remote code execution (RCE) after the attacker had first exploited CVE-2022-41040. Microsoft published a blog post on September 29th, 2022 with mitigation steps for CVE-2022-41040, and then shipped patches resolving both vulnerabilities on November 8th, 2022.

If an Exchange server has the November 8th, 2022 security update (KB5019758) installed, which fixes CVE-2022-41040 and CVE-2022-41082, it is not vulnerable to the new exploit chain.

CrowdStrike has dubbed the new chain OWASSRF. It starts with CVE-2022-41080, which sidesteps the URL rewrite rule Microsoft provided as the ProxyNotShell mitigation, giving the attacker the access needed to then exploit CVE-2022-41082 for remote code execution (RCE) exactly as ProxyNotShell did before.

Like ProxyNotShell, OWASSRF requires valid credentials for OWA/Exchange before it can be exploited. That is rarely a large hurdle for a determined attacker, but it does mean exploitation in the wild has been targeted rather than the mass exploitation seen with ProxyLogon and ProxyShell in 2021.

The biggest takeaway here is to install your patches, even if you believe you have other mitigations in place. Such mitigations are almost always offered as a stop-gap until a more robust fix can be delivered in an update or patch, and a bypass of the mitigation is exactly what happened here.

If you have a server that received Microsoft's September 29th mitigations but has not been patched with the November 8th updates (KB5019758), you will likely need to once again treat the Exchange server as potentially compromised. Install the updates; if for some reason you cannot, turn off OWA until you can. Then perform a threat hunt for any indicators of compromise.
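The patch check above comes down to one build number. The PowerShell below, an added example that is not from the original post or from CrowdStrike, reads the file version of ExSetup.exe (the value that reflects installed Security Updates; AdminDisplayVersion from Get-ExchangeServer only shows the Cumulative Update) and compares it against the minimum build for the November 2022 SU on that CU line. The build numbers in the table are the ones the author recalls from Microsoft's Exchange build number page; verify them against that page before relying on this script. Run it from the Exchange Management Shell on the server itself.

```powershell
# Added example: is this Exchange server at or above the November 8, 2022 SU (KB5019758)?
# Assumed minimum builds (verify against Microsoft's Exchange build number table):
$Nov2022MinimumBuilds = @(
    [version]'15.0.1497.44',  # Exchange 2013 CU23 + Nov22SU
    [version]'15.1.2375.37',  # Exchange 2016 CU22 + Nov22SU
    [version]'15.1.2507.16',  # Exchange 2016 CU23 + Nov22SU
    [version]'15.2.986.36',   # Exchange 2019 CU11 + Nov22SU
    [version]'15.2.1118.20'   # Exchange 2019 CU12 + Nov22SU
)

function Get-ExchangeBuild {
    # ExSetup.exe is on the PATH of an Exchange server; its file version is the
    # build that changes when a Security Update is installed.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    return [version]$exsetup.FileVersionInfo.ProductVersion
}

function Test-Nov2022SU {
    param([version]$Build = (Get-ExchangeBuild))

    # major.minor.build identifies the CU line; the revision increments per SU.
    $required = $Nov2022MinimumBuilds | Where-Object {
        $_.Major -eq $Build.Major -and $_.Minor -eq $Build.Minor -and $_.Build -eq $Build.Build
    }

    if (-not $required) {
        # No November 2022 SU exists for this CU line, so it cannot be patched in place.
        return [pscustomobject]@{
            Build   = $Build
            Patched = $false
            Note    = 'CU line has no November 2022 SU; it is out of support and needs a current CU plus SU.'
        }
    }

    return [pscustomobject]@{
        Build   = $Build
        Patched = ($Build -ge $required)
        Note    = "Minimum build for KB5019758 on this CU line is $required"
    }
}

$result = Test-Nov2022SU
$result | Format-List

if (-not $result.Patched) {
    Write-Warning 'Below the November 2022 SU: treat this server as potentially compromised.'
    Write-Warning 'Install KB5019758 (or disable OWA until you can), then hunt for indicators of compromise.'
}
```

The script only reports; it deliberately does not disable OWA or change IIS configuration, because that decision depends on whether you can take the outage and on what else the server hosts. A server whose build falls on a CU line missing from the table is flagged as unpatched on purpose: an out-of-support CU has no November 2022 SU to install, and the only fix is moving to a supported CU and its current SU.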

CrowdStrike’s Blog:
