Exploiting Exchange PowerShell... Note

Exploiting Exchange PowerShell After ProxyNotShell: Part 1 - MultiValuedProperty

The article discusses the author's talk at OffensiveCon 2024, focusing on the MultiValuedProperty class and its role in exploiting Microsoft Exchange PowerShell Remoting. The author explains how MultiValuedProperty can be abused to call the Parse method, leading to XAML deserialization and potential remote code execution. The author also presents a bypass for Microsoft's first patch for this vulnerability by chaining MultiValuedProperty with the Command class. This bypass allows an attacker to execute arbitrary commands on the Exchange server. The article emphasizes the importance of carefully reviewing allow lists and verifying class inheritance to prevent such vulnerabilities.