OWASSRF - Microsoft Exchange Vulnerability Threat Brief

Executive Summary

OWASSRF is a server-side request forgery vulnerability in Exchange Web Server. The OWASSRF exploit method chains two vulnerabilities, tracked as CVE-2022-41080 and CVE-2022-41082, that allow attackers to achieve remote code execution (RCE) via Outlook Web Access (OWA). CVE-2022-41082 was previously used by the ProxyNotShell exploit; however, the new OWASSRF exploit method bypasses the mitigations Microsoft previously provided for ProxyNotShell.

The OWASSRF exploit is publicly available, leading to mass exploitation against corporate networks. According to some articles, ransomware groups such as Play and Cuba are abusing the OWASSRF vulnerability in the wild.

Details of OWASSRF

On Dec. 20, 2022, CrowdStrike published a blog on a new exploit method against Microsoft Exchange Servers, which they named OWASSRF. Both ProxyNotShell and OWASSRF use a server-side request forgery (SSRF) vulnerability, but the ProxyNotShell method used an AutoDiscover endpoint to exploit CVE-2022-41040, while OWASSRF uses the OWA frontend endpoint to exploit CVE-2022-41080. The newly found OWASSRF exploit method requires the threat actors to be authenticated to the server before the exploitation step.

According to a tweet by @Purp1eW0lf on Dec. 14, 2022, threat actors started exploiting the OWASSRF vulnerability and left an open directory on their web server containing several of their exploitation tools, including the Python script that exploits the OWASSRF vulnerability.

Figure 1 – readme.txt that contains usage for the exploit code that exploits OWASSRF.

Threat actors' exploitation tools:

Figure 2 – Python script that contains code to exploit OWASSRF vulnerability.

After successfully authenticating to the Exchange Server, the exploit code issues POST requests to /owa/mastermailbox%40outlook.com/powershell. The POST request also includes an X-OWA-ExplicitLogonUser header with the value owa/mastermailbox@outlook[.]com, which triggers the server-side request forgery tracked as CVE-2022-41080; the email address does not have to be mastermailbox@outlook[.]com, as any email address would suffice. After exploitation, the exploit code runs the supplied PowerShell in the form of a base64-encoded string.

Figure 3 – Python script sending request to the victim Exchange Server.

After initial access via this new exploit method (a reverse shell from PowerShell), the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity.

Post-exploitation of the OWASSRF vulnerability commonly uses a PowerShell reverse shell payload named SilverArrow, as seen in Figure 4:

Figure 4 – SilverArrow Payload making connection to 

Detection Rules

The Sigma rule below can locate any PowerShell process running as a child process of the IIS web server worker process (w3wp.exe), regardless of the PowerShell command line.

title: PowerShell Spawned from Web Service
logsource:
    category: process_creation
    product: windows
detection:
    # Both fields must match (a map is ANDed; a list of maps would be ORed)
    selection:
        Image|endswith: '\powershell.exe'
        ParentImage|endswith: '\w3wp.exe'
    condition: selection
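To show how the rule above is evaluated against telemetry, here is an added example (not from the original brief) that applies the same Image/ParentImage selection to constructed process-creation events; the field names follow Sysmon's process-creation event and the sample events are made up.

```python
# Added example, not from the original brief: a minimal evaluator for the
# Sigma rule above, run over constructed process-creation events (Sysmon
# Event ID 1 style fields). Sigma modifiers such as |endswith match
# case-insensitively, so both sides are lowercased.
from typing import Dict, List

# The rule's selection. Both fields must hold (AND), which is why it is one
# map: a YAML list of maps would be ORed by Sigma and fire on every w3wp child.
SELECTION = {
    "Image|endswith": "\\powershell.exe",
    "ParentImage|endswith": "\\w3wp.exe",
}

def field_matches(event: Dict[str, str], key: str, expected: str) -> bool:
    """Evaluate one 'Field|modifier: value' pair the way Sigma does."""
    field, _, modifier = key.partition("|")
    value = event.get(field, "").lower()
    if modifier == "endswith":
        return value.endswith(expected.lower())
    return value == expected.lower()  # no modifier: exact (case-insensitive)

def selection_matches(event: Dict[str, str], selection=SELECTION) -> bool:
    """A map selection is satisfied only when every field condition holds."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def find_suspicious(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessIds of events that match the rule."""
    return [e["ProcessId"] for e in events if selection_matches(e)]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

# Constructed sample events.
SAMPLE_EVENTS = [
    # IIS worker spawning PowerShell: the pattern the rule is after.
    {"ProcessId": "4412", "Image": PS, "ParentImage": W3WP},
    # Same pair, different casing: must still match.
    {"ProcessId": "4413", "Image": PS.upper(), "ParentImage": W3WP.upper()},
    # PowerShell started from Explorer by an admin: not this rule.
    {"ProcessId": "5001", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe"},
    # w3wp spawning a non-PowerShell child: not this rule either.
    {"ProcessId": "5002", "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": W3WP},
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_EVENTS))  # ['4412', '4413']
```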

Conclusion and Recommendations

On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) also ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems against this bug by January 31st and strongly urged all organizations to secure their Exchange servers to thwart exploitation attempts.

Organizations with on-premises Microsoft Exchange servers on their networks should deploy the latest Exchange security updates immediately (with November 2022 as the minimum patch level) or disable Outlook Web Access (OWA) until they can apply the CVE-2022-41080 patches, and should deploy advanced endpoint detection and response (EDR) tools to all endpoints to detect web services spawning PowerShell or command-line processes.

According to Microsoft, the Play ransomware gang has abused this security flaw since late November 2022. The company advises customers to prioritize CVE-2022-41080 patching to block potential attacks.
