ProxyToken Exchange Server Vulnerability
Summary
ProxyToken is an authentication bypass vulnerability (CVE-2021-33766) affecting recent versions of Microsoft Exchange Server. An unauthenticated attacker who can reach the server's Exchange Control Panel (ECP) could change mailbox settings for any user, including creating rules that forward a victim's incoming mail to any Internet destination the server permits.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Security researchers have disclosed details of an authentication bypass vulnerability, called ProxyToken, in Microsoft Exchange Server. They report that an unauthenticated attacker could exploit it to change configuration settings for any user's mailbox on an affected Exchange Server instance.
Vulnerability details
ProxyToken results from a failure of authentication between Exchange Server's front-end and back-end. By default, Exchange creates two Internet Information Services (IIS) sites: a front-end (the Default Web Site, on port 443) that authenticates all clients and proxies their requests, and a back-end (the Exchange Back End site, on port 444) that services those requests and returns the responses to the front-end.
When a request carries a non-empty SecurityToken cookie, the front-end treats it as a Delegated Authentication request: it does not authenticate the request itself but forwards it to the back-end, expecting the back-end to perform authentication.
Delegated Authentication
Delegated Authentication is an Exchange feature that supports cross-forest Active Directory topologies, including forest trusts. For it to function, the back-end site must have the DelegatedAuthModule IIS module loaded; in a default installation it is not.
Impact
If the back-end does not have DelegatedAuthModule loaded, a request carrying the SecurityToken cookie is waved through by the front-end and then processed by the back-end without either side authenticating it. ECP requests additionally require an "ECP canary" ticket (an anti-CSRF token); a request without one fails with an internal server error (HTTP 500). Unfortunately, that error response itself sets a valid ECP canary, which the attacker can read and reuse on every subsequent request.
By crafting requests in this way, an attacker bypasses authentication and can perform ECP actions on a vulnerable Exchange Server on behalf of any user. In particular, they can change mailbox settings and create auto-forwarding rules so that copies of a victim's incoming mail are delivered to a mailbox the attacker controls. If the Exchange Server instance permits forwarding to arbitrary destinations, mail can be forwarded to any Internet address.
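The request pattern described above leaves a trace in the front-end IIS logs even though IIS does not log cookies by default (so the SecurityToken cookie itself is not visible): an ECP request that the front-end never authenticated (cs-username logged as "-") draws a 500, and the same client then repeats an ECP request and gets a 200. The following is an added example, not code from the advisory, Microsoft or the researchers, that hunts for that sequence in W3C-format IIS logs. The log lines, request paths, canary value, hostnames and addresses are constructed for illustration, and the check is a heuristic: confirm any hit by reviewing the mailbox's inbox rules and the ECP server logs.

```python
"""Heuristic hunt for ProxyToken-style activity in Exchange front-end IIS logs.

Added example for this advisory (not Microsoft's or the researchers' code).
It looks for the mechanism described above: a request to /ecp/ that the
front-end never authenticated (cs-username is "-") first draws an HTTP 500
(the missing-canary error that hands back a valid canary) and is then
repeated by the same client and succeeds (HTTP 200).
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample of a front-end (Default Web Site) IIS log. The field
# order is the default W3C set; paths, canary, hosts and addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-30 09:12:01 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 120
2021-08-30 09:12:03 10.0.0.5 POST /ecp/PersonalSettings/HomePage.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0 https://mail.contoso.com/ecp/ 200 0 0 95
2021-08-30 09:14:10 10.0.0.5 GET /ecp/auth/logon.aspx url=https://mail.contoso.com/ecp/ 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 30
2021-08-30 09:15:42 10.0.0.5 POST /ecp/RulesEditor/InboxRules.svc/NewObject - 443 - 203.0.113.7 python-requests/2.25 - 500 0 0 210
2021-08-30 09:15:43 10.0.0.5 POST /ecp/RulesEditor/InboxRules.svc/NewObject msExchEcpCanary=Q2FuYXJ5 443 - 203.0.113.7 python-requests/2.25 - 200 0 0 180
2021-08-30 09:20:00 10.0.0.5 GET /ecp/ - 443 - 198.51.100.4 Mozilla/5.0 - 302 0 0 5
"""

ECP_PREFIX = "/ecp/"
# The logon form and its assets are served to anonymous clients by design,
# so they are excluded from the heuristic.
ALLOWED_ANONYMOUS = ("/ecp/auth/",)


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()  # IIS replaces spaces inside values with '+'
        if not fields or len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        rows.append(dict(zip(fields, values)))
    return rows


def _unauthenticated_ecp(row: Dict[str, str]) -> bool:
    """True for an /ecp/ request the front-end did not authenticate."""
    stem = row["cs-uri-stem"].lower()
    if not stem.startswith(ECP_PREFIX) or stem.startswith(ALLOWED_ANONYMOUS):
        return False
    return row["cs-username"] == "-"


def find_proxytoken_candidates(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per client that, never authenticating at the front-end,
    received a 500 on an /ecp/ path and afterwards a 200 on an /ecp/ path."""
    by_client: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for row in rows:
        if _unauthenticated_ecp(row):
            by_client[row["c-ip"]].append(row)

    findings: List[Dict[str, str]] = []
    for client, hits in by_client.items():
        hits.sort(key=lambda r: (r["date"], r["time"]))  # ISO stamps sort lexically
        first_error = None
        for r in hits:
            if r["sc-status"] == "500":
                first_error = first_error or r
            elif r["sc-status"] == "200" and first_error is not None:
                findings.append({
                    "client": client,
                    "error_at": f"{first_error['date']} {first_error['time']}",
                    "success_at": f"{r['date']} {r['time']}",
                    "path": r["cs-uri-stem"],
                    "user_agent": r["cs(User-Agent)"],
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_proxytoken_candidates(parse_iis_log(SAMPLE_LOG)):
        print(finding)
```

Run it over the front-end site's W3C logs under inetpub\logs\LogFiles on each Exchange server. A hit shows only that the 500-then-200 sequence occurred from an unauthenticated client; ordinary ECP sessions show a username in cs-username and never need the error response to obtain a canary.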
Remediation advice
Microsoft addressed ProxyToken in its July 2021 security updates. Affected organisations are encouraged to review the Microsoft Security Update Guide entry for CVE-2021-33766 and Knowledge Base article KB5001779, and to apply the relevant Exchange Server updates.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 1 September 2021 12:23 pm