Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-0688 PoC — Microsoft Exchange Server 授权问题漏洞

Source
https://github.com/cert-lv/CVE-2020-0688
Associated Vulnerability
Title:Microsoft Exchange Server 授权问题漏洞 (CVE-2020-0688)
Description:Microsoft Exchange Server是美国微软(Microsoft)公司的一套电子邮件服务程序。它提供邮件存取、储存、转发,语音邮件,邮件过滤筛选等功能。 Microsoft Exchange Server 中存在授权问题漏洞,该漏洞源于程序无法正确处理内存中的对象。攻击者可借助特制的电子邮件利用该漏洞在系统用户的上下文中运行任意代码。以下产品及版本受到影响:Microsoft Exchange Server 2010,Microsoft Exchange Server 2013,Micro
Description
Vulnerability scanner for CVE-2020-0688
Readme
# Identify Exchange Servers vulnerable to CVE-2020-0688

CVE-2020-0688 is a critical vulnerability in Microsoft Exchange due to use of static
keys. Although exploitation requires valid credentials (at an email user level) and
the risk of mass-exploitation is low, this vulnerability might be very useful in
targeted attacks as it leads to SYSTEM level RCE.

More information:

  - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
  - https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
  - https://www.tenable.com/blog/cve-2020-0688-microsoft-exchange-server-static-key-flaw-could-lead-to-remote-code-execution

## Notes on false negatives

There are several sources of known false negatives (vulnerable Exchange servers that will
be missed by this script):

  1. Potential Exchange servers are prescreened by identifying hosts that have both
     port 25 and 443 open. If there are any setups that block one of these, they will
     get missed.

  2. zmap is optimized for speed and scalability at the expense of precision.
     Typically multiple consecutive runs of zmap provide slightly different results.
     As a result, **multiple runs of this script will show slightly different results**
     as well.

     Not sure whether this is caused purely by network congestion or by buggy code.
     Pull-request with patches/workarounds are certainly welcome!

  3. We're not trying to be sneaky here, so some firewalls might simply block us
     as a robot.

  4. Since we're not doing any fancy fingerprinting and only rely on the version
     that Exchange server reports itself, we are limited to first three fields in
     version number.

     For example, latest cumulative update for Exchange Server 2019 is 15.2.529.5
     which has been released in December and is vulnerable. The latest update
     that contains the patch is 15.2.529.8. Both of these self-report their version
     as 15.2.529, so the script will assume that the server is patched even if does
     not have the latest patch installed and is vulnerable.

     In practice though it seems that there are either Exchange admins that update their
     systems as soon as patches come out or those that live by "if it works, don't touch
     it" principle. There's no in between.

## Requirements

zmap, Python >= 3.5, modules:

  - dnspython
  - pyOpenSSL
  - requests

You can install them globally with:

```shell
$ sudo dnf install zmap python3-gevent python3-dns python3-pyOpenSSL
```

or:

```shell
$ sudo apt install zmap python3-gevent python3-dns python3-openssl
```

Python modules can be installed locally as well, through virtualenv:

```shell
$ virtualenv -p python3 CVE-2020-0688
$ . ./CVE-2020-0688/bin/activate
$ pip install -r ./requirements.txt
```

## Usage

For basic scanning all you need is a file with IPs/subnets (in CIDR format) to scan:

```shell
$ ./scan.py ~/my_networks.txt output.csv
```

Output will be written in a CSV format with following columns:

| IP | Exchange Version | Server Name | PTR | Common Name (from TLS cert) |
|----|------------------|-------------|-----|-----------------------------|

Optionally, you can ask to output info on all Exchange servers found:

```shell
$ ./scan.py -f ~/my_networks.txt output.csv
```

In which case there will be one more column to indicate whether server is vulnerable or not:

| IP | Exchange Version | Vulnerable? | Server Name | PTR | Common Name (from TLS cert) |
|----|------------------|-------------|-------------|-----|-----------------------------|

You can also provide a file with blacklisted IPs/subnets (option `-b`), change the number of
parallel tasks (`-p`) or length of the timeouts (`-t`):

```shell
$ # ./scan.py -h
usage: scan.py [-h] [-b BLACKLIST] [-f] [-p PARALLEL] [-t TIMEOUT]
               input output

Identify Exchange servers vulnerable to CVE-2020-0688.

positional arguments:
  input                 Input file, each line contains one IP/subnet
  output                File to save the results (in CSV format)

optional arguments:
  -h, --help            show this help message and exit
  -b BLACKLIST, --blacklist BLACKLIST
                        File containing IPs/subnets to avoid
  -f, --full            Don't filter seemingly up-to-date Exchange servers
  -p PARALLEL, --parallel PARALLEL
                        How many requests to send in parallel (default: 1000)
  -t TIMEOUT, --timeout TIMEOUT
                        Timeout (seconds) to use for network connections
                        (default: 5)
```
File Snapshot

 [4.0K]  /data/pocs/206e80db93fe78df9e9e2eb4a2036568eb587506
├── [3.8K]  lib.py
├── [4.5K]  README.md
├── [  29]  requirements.txt
└── [6.8K]  scan.py

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.