CVSS v3.1 base score: 8.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
This week’s Metasploit release includes an exploit module for CVE-2022-41082, AKA ProxyNotShell, by DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q, Orange Tsai, Piotr Bazydło, Rich Warren, Soroush Dalili, and our very own Spencer McIntyre. CVE-2022-41082 is a deserialization flaw in Microsoft Exchange’s PSRP backend. Microsoft Exchange Server 2019, Exchange Server 2016 and Exchange Server 2013 are vulnerable to a server-side request forgery (SSRF) attack and remote code execution. An authenticated attacker can chain these two vulnerabilities to elevate privileges and execute arbitrary code on the target Exchange server. For more information, see CVE-2022-41082 and CONTROL YOUR TYPES OR GET PWNED. The ProxyNotShell exploit also adds new Exchange SSRF functionality that allows both it and the earlier ProxyShell module to target Exchange server instances that use a Data Access Group (DAG) backend. The Metasploit team has yet to see another public proof of concept that takes this configuration type into account.
Community contributors h00die and H4rk3nz0 also introduced another exploit module in this week’s release. This module targets the remote control software that allows a remote user to connect and execute screen commands via mobile devices. Note that this module will only deploy a payload if the server is configured without a password (the default). As a side note, if you’re looking to learn more about how you can use Metasploit to exploit target servers using remote code execution vulnerabilities, you might find this video (<https://www.youtube.com/watch?v=eLbBR956Tgw>) helpful.
CVE-2022-41082, AKA ProxyNotShell. This vulnerability is a deserialization flaw in Microsoft Exchange’s PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as GHSA-6ph7-8wxv-6gf2. Together, these vulnerabilities allow an authenticated attacker to execute arbitrary commands on a Microsoft Exchange Server.

auxiliary/scanner/http/tomcat_mgr_login.rb: the error message on 401 status codes now includes the user-defined URI.

polkit_dbus_auth_bypass: fixed an issue in the module that prevented it from working with certain session types.

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub. If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).