The 2021 Pwnie Winner For Best Server-Side Bug

Microsoft Exchange Server (CVE-2021-26855, CVE-2021-27065, and others TBD)

Researcher Names: Orange Tsai


Microsoft Exchange Server was in vogue this spring, sporting not only critical vulnerabilities, such as ProxyLogon but also a whole new attack surface.

The new attack surface is based on a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into the frontend and backend. In this fundamental change of architecture, quite an amount of design debt was incurred, and, even worse, it introduced inconsistencies between contexts.

To showcase the beauty of this attack surface and the novel exploitation method, 7 vulnerabilities were released that consist of server-side bugs, client-side bugs, and crypto bugs. These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by ~400K Exchange Servers.