A researcher named Le Xuan Tuyen of VNPT ISC identified a new vulnerability named “ProxyToken” and reported it to the Zero Day Initiative in March 2021. Microsoft released a patch for this vulnerability, tracked as CVE-2021-33766, in July 2021.
“With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users. As an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker,” reads the Zero Day Initiative blog post.
To trigger this vulnerability, all an attacker needs to do is issue the request shown below:
An example final request should look like this:
“When the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end,” reads the blog post.
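The bypass described above leaves a trace: on a server that was never configured for delegated authentication, no legitimate request should carry a SecurityToken cookie. The following is an added detection example (not code from the article or from ZDI) that parses IIS W3C log lines using their own #Fields header and flags such requests; the log excerpt and addresses are constructed, and the cs(Cookie) field is assumed to be enabled in IIS logging.

```python
"""Flag Exchange front-end requests carrying a SecurityToken cookie.

Added example with constructed IIS log lines. Where DelegatedAuthModule is
not loaded, the SecurityToken cookie has no legitimate sender, so any
occurrence is worth investigating.
"""
from typing import Dict, List

# Constructed sample excerpt (hypothetical hosts and paths, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(Cookie) sc-status
2021-08-30 10:01:02 10.0.0.5 GET /owa/ - 203.0.113.7 X-OWA-CANARY=abc 200
2021-08-30 10:01:05 10.0.0.5 POST /ecp/ - 203.0.113.7 SecurityToken=x;ASP.NET_SessionId=y 200
2021-08-30 10:02:11 10.0.0.5 GET /ecp/ - 198.51.100.9 - 401
"""


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text, taking column names from #Fields."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        records.append(dict(zip(fields, parts)))
    return records


def has_securitytoken_cookie(cookie_field: str) -> bool:
    """True if cs(Cookie) (IIS joins cookies with ';') contains SecurityToken."""
    if cookie_field == "-":
        return False
    return any(c.strip().lower().startswith("securitytoken=") for c in cookie_field.split(";"))


def find_suspicious(log_text: str, delegated_auth_configured: bool = False) -> List[Dict[str, str]]:
    """Return records with a SecurityToken cookie on a server that should not honour it."""
    if delegated_auth_configured:
        return []  # cookie is expected here; use other signals instead
    return [r for r in parse_w3c(log_text) if has_securitytoken_cookie(r.get("cs(Cookie)", "-"))]


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-method']} {rec['cs-uri-stem']}")
```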
This new disclosure adds to the list of Exchange Server vulnerabilities alongside ProxyLogon, ProxyOracle, and ProxyShell, which attackers are constantly targeting for exploitation and for the installation of ransomware such as LockFile.