CVE-2021-33766 Exchange ProxyToken Exploitation

 1title: CVE-2021-33766 Exchange ProxyToken Exploitation
 2id: 56973b50-3382-4b56-bdf5-f51a3183797a
 3status: test
 4description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
 5references:
 6    - https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
 7author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems)
 8date: 2021/08/30
 9modified: 2023/01/02
10tags:
11    - attack.initial_access
12    - attack.t1190
13    - cve.2021.33766
14    - detection.emerging_threats
15logsource:
16    category: webserver
17detection:
18    selection_1:
19        cs-method: 'POST'
20        cs-uri-query|contains|all:
21            - '/ecp/'
22            - '/RulesEditor/InboxRules.svc/NewObject'
23        sc-status: 500
24    selection_2:
25        cs-uri-query|contains|all:
26            - 'SecurityToken='
27            - '/ecp/'
28        sc-status: 500
29    condition: 1 of selection_*
30falsepositives:
31    - Unknown
32level: critical

References

• Zero Day Initiative — ProxyToken: An Authentication Bypass in Microsoft Exchange Server

  

  Continuing with the theme of serious vulnerabilities that have recently come to light in Microsoft Exchange Server, in this article we present a new vulnerability we call ProxyToken. It was reported to the Zero Day Initiative in March 2021 by researcher Le Xuan Tuyen of VNPT ISC, and it was patched

  
  Read More

Related rules

• CVE-2021-21972 VSphere Exploitation
• CVE-2021-21978 Exploitation Attempt
• CVE-2023-46747 Exploitation Activity - Proxy
• CVE-2023-46747 Exploitation Activity - Webserver
• Confluence Exploitation CVE-2019-3398