Exploiting Exchange PowerShell... Note

Exploiting Exchange PowerShell After ProxyNotShell: Part 2 - ApprovedApplicationCollection

In Exchange Server, CVE-2023-36756 allows authenticated attackers to execute code remotely by deserializing a malicious ApprovedApplicationCollection object.The ApprovedApplicationCollection constructor allows an attacker to specify a UNC path to a CAB file, which is then extracted using the extrac32.exe utility.Extrac32.exe contains an unpatched path traversal vulnerability (ZDI-CAN-21499) that allows attackers to extract files to arbitrary locations.By combining these vulnerabilities, attackers can extract a malicious CAB file containing an ASPX web shell to a specific location on the Exchange server.Microsoft has declined to fix the path traversal vulnerability in extrac32.exe, stating that it is the caller's responsibility to ensure its safe use.The payload consists of a CAB file with a web shell named ../../../../../../../../inetpub/wwwroot/poc.aspx.The attack requires hosting the CAB file on an SMB share within the domain.By exploiting the vulnerabilities, attackers can gain access to the web shell and execute code remotely.A demo is available to showcase the entire exploitation process.The next blog post in the series will cover CVE-2023-36745, a complex RCE vulnerability that required an elaborate chain of exploits.