Microsoft Exchange PowerShell Remoting Deserialization leading to RCE (CVE-2023-21707)
Introduction

While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI. To aid in understanding, we present a visual representation of CVE-2022-41082 below.

The sink of ProxyNotShell:

    //System.Management.Automation.InternalDeserializer.ReadOneObject()
    internal object ReadOneObject(out string streamName)
    {
        //...
        Type targetTypeForDeserialization = psobject.GetTargetTypeForDeserialization(this._typeTable); //[1]
        if (null != targetTypeForDeserialization)
        {
            Exception ex = null;
            try
            {
                object obj2 = LanguagePrimitives....