Microsoft Exchange ProxyToken bug can let hackers steal user email

Bleeping Computer -

Technical details have emerged on a serious vulnerability in Microsoft Exchange Server dubbed ProxyToken that does not require authentication to access emails from a target account.

An attacker can exploit the vulnerability by crafting a request to web services within the Exchange Control Panel (ECP) application and steal messages from a victim’s inbox.

Delegation confusion

Tracked as CVE-2021-33766, ProxyToken gives unauthenticated attackers access to the configuration options of user mailboxes, where they can define an email forwarding rule.

As a result, email messages intended for a target user can also be delivered to an account that the attacker controls.
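A forwarding rule of the kind described above is the artefact a defender can look for. The following Exchange Management Shell script is an added example, not code from the article or from Microsoft; it assumes the standard `Get-AcceptedDomain`, `Get-Mailbox` and `Get-InboxRule` cmdlets are available and that the account running it can read other users' inbox rules.

```powershell
# Added example (not from the article): report inbox rules and mailbox-level
# forwarding that send mail outside the organisation's accepted domains.
# Assumption: accepted domains from Get-AcceptedDomain define "internal".
$internalDomains = (Get-AcceptedDomain).DomainName |
    ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Rule recipients render as "Display Name [SMTP:user@example.com]";
    # pull the address out of the brackets and compare its domain.
    if ($Recipient -match '\[SMTP:([^\]]+)\]') {
        $domain = $Matches[1].Split('@')[-1].ToLower()
        return -not ($internalDomains -contains $domain)
    }
    # Unparsable entries are surfaced for manual review rather than ignored.
    return $true
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding set through the mailbox configuration page.
    if ($mbx.ForwardingSmtpAddress) {
        $addr = $mbx.ForwardingSmtpAddress.ToString() -replace '^smtp:', ''
        if (-not ($internalDomains -contains $addr.Split('@')[-1].ToLower())) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = '<mailbox forwarding>'; Targets = $addr }
        }
    }
    # Inbox rules that forward, forward as attachment, or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalRecipient ([string]$_) }
        if ($external) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Rule    = $rule.Name
                Targets = ($external -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Rules that legitimately forward externally will also appear, so the output is a review list rather than a verdict.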

The bug was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC) and reported through the Zero-Day Initiative (ZDI) program in March.

He found that Microsoft Exchange’s frontend site (Outlook Web Access, Exchange Control Panel) functions largely as a proxy for the backend site (Exchange Back End), to which it passes authentication requests.

In Microsoft Exchange deployments where the “Delegated Authentication” feature is active, the frontend forwards the requests that need authentication to the backend, which identifies them by the presence of a ‘SecurityToken’ cookie.

The post Microsoft Exchange ProxyToken bug can let hackers steal user email first appeared on Bleeping Computer.